Analysis Date: 2015-05-07 02:43:27
MD5: 3921cb85a2874efcf9e91cdeab12d4ea
SHA1: 4ae5922e327297166fca92d94306d2b1f0c0df72

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 20fd75afe42c66ebdbb1406a8e3adbcd sha1: f0bf20ff40c4f232db8562a766f1b3d1e8ec470c size: 40960
Section: code md5: 427b1fe57b3b0a37a8fc4c3247916ebe sha1: 7a15c53e18e12606cb0964672e4fef51487d7aaa size: 8192
Section: .rdata md5: 145c1f1f37a4183ea2e13ae76e18b6ba sha1: 4a3864e26c94a83a5f767dd2da31e46bd78169ee size: 20480
Section: .data md5: 9e4175921ca258102e0496c8cb5e454c sha1: f4a69a514ad853c9152ab0cb12fb33f0af0fb408 size: 28672
Section: .reloc md5: ecdd79c2c54c59bd8944bb9cf5359e0e sha1: 6d9fc4db7c22c8073179d0672e7dddd18ad648a8 size: 8192
Section: .imports md5: 004a110efb52649ee38f8f5e6c5d73a2 sha1: 1a535ab431bbff55cdb0727a47ebaa5f705f08ea size: 4096
Timestamp: 2015-04-29 21:05:41
Packer: Borland Delphi 3.0 (???)
PEhash: 0a362d298f26b71968e1984d3705f667765c8a7d
IMPhash: 59454ce37a8cfe9cf66e24b93f50f7da
AV: Ad-Aware — Gen:Variant.Kazy.590541
AV: Alwil (avast) — Malware-gen:Win32:Malware-gen
AV: Arcabit (arcavir) — Gen:Variant.Kazy.590541
AV: Authentium — W32/S-d37a73f3!Eldorado
AV: Avira (antivir) — TR/ATRAPS.Gen
AV: BitDefender — Gen:Variant.Kazy.590541
AV: BullGuard — Gen:Variant.Kazy.590541
AV: CA (E-Trust Ino) — no_virus
AV: CAT (quickheal) — no_virus
AV: ClamAV — no_virus
AV: Dr. Web — DLOADER.Trojan
AV: Emsisoft — Gen:Variant.Kazy.590541
AV: Eset (nod32) — Win32/Dorkbot.J worm
AV: Fortinet — W32/Dorkbot.J!worm
AV: Frisk (f-prot) — no_virus
AV: F-Secure — Gen:Variant.Kazy.590541
AV: Grisoft (avg) — BackDoor.SmallX.BRV
AV: Ikarus — Worm.Win32.Dorkbot
AV: K7 — Trojan ( 004bd58c1 )
AV: Kaspersky — Trojan.Win32.Generic
AV: MalwareBytes — no_virus
AV: Mcafee — RDN/Generic.dx!dqq
AV: Microsoft Security Essentials — no_virus
AV: MicroWorld (escan) — Gen:Variant.Kazy.590541
AV: Padvish — no_virus
AV: Rising — no_virus
AV: Sophos — Mal/Behav-010
AV: Symantec — no_virus
AV: Trend Micro — Mal_DLDER
AV: Twister — no_virus
AV: VirusBlokAda (vba32) — no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Network Details:


Raw Pcap

Strings
.
.
le
\*.*
4ZBR19116-NNIF
82z2z2s2d2g4j6k4l62d
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
Adobe
\advapi32.dll
advapi32.dll
alFSVWJB
alg.exe
\apiSoftCA
\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
\AppData\Roaming\Microsoft\Windows\Themes
\AppData\Roaming\Windows Live
\AppData\Roaming\Windows Live\jsfhklqveq.exe
\AppData\Roaming\WindowsUpdate
BCDEFGHIJKLMNOPQRSTUVWXYZ
bett2f002
\bett2f002
bfsvc.exe
calc.exe
.cmd
.com
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
CreativeAudio
\CreativeAudio
crypt32.dll
csrss.exe
/c "start %%cd%%%s & attrib -s -h %%cd%%%s & xcopy /F /S /Q /H /R /Y %%cd%%%s %%temp%%\%s\ & attrib +s +h %%cd%%%s & start %%temp%%\%s\%s & exit"
/c "%%SystemRoot%%\explorer.exe %%cd%%%s & attrib -s -h %%cd%%%s & xcopy /F /S /Q /H /R /Y %%cd%%%s %%temp%%\%s\ & attrib +s +h %%cd%%%s & start %%temp%%\%s\%s & exit"
C:\Users\
C:\Users\C523~1\AppData\Local\Temp\temp41.tmp
dnsapi.dll
explorer.exe
.gonewiththewings
*.gonewiththewings
helppane.exe
hh.exe
Identities
\Identities
iexplore.exe
\Internet Explorer\
iphlpapi.dll
	jjj
jjjj
jjjjjj
KOPWELERGKR23930DW
.lnk
lsass.exe
\Microsoft
\Microsoft\Windows
\Microsoft\Windows\Themes
msiexec.exe
netapi32.dll
netutils.dll
notepad.exe
\ntdll.dll
ole32.dll
OLLYDBG.EXE
petools.exe
.pif
%rand%
Reader_sl.exe
regedit.exe
rpcrt4.dll
rstrui.exe
rundll32.exe
%s\*
%s\*.*
samcli.dll
.scr
%s\Documents and Settings\All users\Start Menu\Programs\Startup
secur32.dll
SeDebugPrivilege
services.exe
shell32.dll
shlwapi.dll
smsniff.exe
smss.exe
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Uazi Soft
spoolsv.exe
%s\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
%s\Recycler
%s\%s
%s\%s.lnk
--startup
svchost.exe
Svchost.exe
System
[System Process]
%SystemRoot%\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
temp41.tmp
twunk_16.exe
twunk_32.exe
UaziVer
%uniq%
%uniq%.exe
urlmon.dll
user32.dll
userenv.dll
w.exe
\Windows Live
\Windows Live\
Windows Live
\WindowsUpdate
\WindowsUpdate\Updater.exe
winhelp.exe
winhlp32.exe
wininet.dll
winlogon.exe
wireshark.exe
write.exe
ws2_32.dll
wtsapi32.dll
ZBR-JNSEXOBM
:Zone.Identifier
0 0&0,02080>0D0J0P0V0\0b0h0n0t0z0
0"0(0.040:0@0F0L0R0X0^0d0j0p0v0|0
0$0+0G0P0[0r0x0
0040<0@0X0\0p0x0
0&0A0N0c0p0
,010>0
02373=3D3
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<
: :$:(:,:0:4:8:<:@:D:l:p:t:x:|:
050Y0^0k0
<$<*<0<6<<<B<H<N<T<Z<`<f<l<r<x<~<
;$;*;0;6;<;B;H;N;T;Z;`;f;l;r;x;~;
:$:*:0:6:<:B:H:N:T:Z:`:f:l:r:x:~:
?$?*?0?6?<?B?H?N?T?Z?`?f?l?r?x?~?
&070M0j0
<$<0<l<p<x<|<
>0>U>b>q>z>
1$1*10161<1B1H1N1T1Z1`1f1l1r1x1~1
1"1(1.141:1@1F1L1R1X1^1d1j1p1v1|1
1 1(1.1B1O1T1Z1j1q1
1"1*171<1A1N1S1X1e1j1o1|1
1!1+1X1d1j1o1t1z1
171[1`1m1
>1>Y>f>|>
1z2z3reas34534543233245x6
;2;?;^;
212>2E2}2
2$2*20262<2B2H2N2T2Z2`2f2l2r2x2~2
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2
2 2&2,22282>2D2J2P2V2\2b2h2n2t2z2
2%2/232>2C2M2V2`2d2o2t2~2
2+2B2e2
232W2w2
2"3'343T3p3
254>4C4T4Z4q4
< <&<,<2<8<><D<J<P<V<\<b<h<n<t<z<
= =&=,=2=8=>=D=J=P=V=\=b=h=n=t=z=
; ;&;,;2;8;>;D;J;P;V;\;b;h;n;t;z;
: :&:,:2:8:>:D:J:P:V:\:b:h:n:t:z:
? ?&?,?2?8?>?D?J?P?V?\?b?h?n?t?z?
<2<;<A<M<}<
2K3q3v3
3 3&3,32383>3D3J3P3V3\3b3h3n3t3z3
3"3(3.343:3@3F3L3R3X3^3d3j3p3v3|3
?3?S?v?
<3<W<\<i<
434T4a4x4
4$4*40464<4B4H4N4T4Z4`4f4l4r4x4~4
4"4(4.444:4@4F4L4R4X4^4d4j4p4v4|4
4 4$4T4X4`4d4|4
4!454B4J4P4
4*4F4[4o4t4
4@5I5N5`5z5
464h4|4
?$?(?,?4?8?<?@?D?H?L?P?T?X?
="=(=.=4=:=@=F=L=R=X=^=d=j=p=v=|=
>">(>.>4>:>@>F>L>R>X>^>d>j>p>v>|>
;";(;.;4;:;@;F;L;R;X;^;d;j;p;v;|;
:":(:.:4:::@:F:L:R:X:^:d:j:p:v:|:
>">(>.>4>:>H>L>P>T>X>\>`>d>h>l>p>t>x>
;$<4<J<f<
= =4=;=T=[=a=h=|=
505K5U5f5p5
506F6\6r6
50U0t1
545:5Q5X5c5n5
5(505:5D5N5T5]5j5
5$5*50565<5B5H5N5T5Z5`5f5l5r5x5~5
5$5+525:5A5G5W5b5i5o5v5{5
5 5-525?5D5Q5V5c5v5
5 5&5,52585>5D5J5P5V5\5b5h5n5t5z5
5"5(5.545:5@5F5L5R5X5^5d5j5p5v5|5
5&585Q5q5
5'6C6Y6
5!6u6{6
?(?5?F?
=5=Y=^=k=
6$6*60666<6B6H6N6T6Z6`6f6l6r6x6~6
6%6+636F6X6c6m6y6
6"6(6.646:6@6F6L6R6X6^6d6j6p6v6|6
6<6@6D6H6L6P6T6X6\6`6d6h6l6t6x6|6
6/6A6U6[6b6v6}6
?.?6?<?F?[?c?i?s?
7$7*70767<7B7H7N7T7Z7`7f7l7r7x7~7
7 7&7,72787>7D7J7P7V7\7b7h7n7t7z7
7 7&7-74797@7F7M7S7]7c7n7u7|7
7$7)7:7?7P7U7f7k7|7
7,7\7 8Z8
7/7B7I7P7e7l7
;*;7;p;y;
=7=S=Y=o=y=~=
8+858?8V8f8t8
8(8,8084888<8@8D8H8L8P8T8X8`8d8h8l8p8t8x8|8
8%8*808B8I8P8W8_8f8l8|8
8%8,828B8U8\8c8x8
8 8&8,82888>8D8J8P8V8\8b8h8n8t8z8
8"8(8.848:8@8F8L8R8X8^8d8j8p8v8|8
8$8*8/858:8L8Q8^8j8p8
8<8@8H8L8d8h8|8
8 8O8c8h8u8
8&909^9
>8>I>Z>g>|>
?>'8'y00; =0-y%"
?>'8'y0-"0;$$$/y48:
?>'8'y&:0!18/49y48:
?>'8'y"0;<1>:.?y48:
?>'8'y0-=='%<"1y48:
?>'8'y0"2'4!-$%y48:
?>'8'y"0: <=2>8y48:
?>'8'y 046'$>82y48:
?>'8'y0?5-151#&y48:
?>'8'y<05&1<%y%"
?>'8'y=. 0.5!?2y48:
?>'8'y.05#-%? >y48:
?>'8'y##<'"095"y48:
?>'8'y;&#:0= y%"
?>'8'y'1-0>81y%"
?>'8'y= 1$;0?y%"
?>'8'y;;#>"10y%"
?>'8'y$%'1%0!!:y48:
?>'8'y>1-$%;12 y48:
?>'8'y1:1:;9<1-y48:
?>'8'y1&4.">#:6y48:
?>'8'y<14&..?<$y48:
?>'8'y!>!14':-=y48:
?>'8'y!$>1=4?-"y48:
?>'8'y"?$">15.>y48:
?>'8'y16//%#%4<y48:
?>'8'y1#;6;>#-<y48:
?>'8'y%>.186 '/y48:
?>'8'y18>95.:6>y48:
?>'8'y1"#94#>4>y48:
?>'8'y1:9=61'y%"
?>'8'y19.$ 9<!<y48:
?>'8'y-1-?''$y%"
?>'8'y:1.>#;>y%"
?>'8'y/-%%;1/y%"
?>'8'y#.1%>.;y%"
?>'8'y#'2;'0/1"y48:
?>'8'y-?%2;1<y%"
?>'8'y'=2'2$=/0y48:
?>'8'y"!>220'"-y48:
?>'8'y22=8!0> 'y48:
?>'8'y2.2.81"y%"
?>'8'y":2$2=/y%"
?>'8'y22: ?">.&y48:
?>'8'y2#.%:46>9y48:
?>'8'y24</.!/"8y48:
?>'8'y2=4!&9?&&y48:
?>'8'y2!.&-;4y%"
?>'8'y2"/'4#?y%"
?>'8'y2.51>#12!y48:
?>'8'y26>>24 y%"
?>'8'y!>=!$26'6y48:
?>'8'y:$ #26:y%"
?>'8'y<! < //28y48:
?>'8'y<2#9/%$4<y48:
?>'8'y2>9;5-'6 y48:
?>'8'y=2"">9;84y48:
?>'8'y2#!9-$ <#y48:
?>'8'y>"2-?<&y%"
?>'8'y%-??2>;y%"
?>'8'y2!-."?-=#y48:
?>'8'y;4&&?<0-=y48:
?>'8'y;449'%>y%"
?>'8'y!<4&52$-:y48:
?>'8'y#-4.&%5y%"
?>'8'y.'&4#=5 <y48:
?>'8'y?#46?0 y%"
?>'8'y ?/ 46!!0y48:
?>'8'y%4"%66&=2y48:
?>'8'y!%4=?!68!y48:
?>'8'y4#"> $;/6y48:
?>'8'y>;48.15y%"
?>'8'y<4 ;8&'y%"
?>'8'y$&48<%>y%"
?>'8'y;&4;8. &:y48:
?>'8'y?;-%48?/<y48:
?>'8'y"4969%-=9y48:
?>'8'y/''&49==%y48:
?>'8'y ='&'"4y%"
?>'8'y4# ;=-&y%"
?>'8'y $?4&!=-!y48:
?>'8'y4';#%:?! y48:
?>'8'y"5=0;=6;0y48:
?>'8'y'%5:0/<;%y48:
?>'8'y50=# ;#=:y48:
?>'8'y5-%2#' 5>y48:
?>'8'y/;?5/28%"y48:
?>'8'y$<5&%#4y%"
?>'8'y $?/-:;54y48:
?>'8'y%5'&!529.y48:
?>'8'y!5$##?/54y48:
?>'8'y5"$.-588%y48:
?>'8'y?5.&!=-?6y48:
?>'8'y#"!/"584$y48:
?>'8'y>;?5.#8y%"
?>'8'y59/&&.=2.y48:
?>'8'y 5";#9>;>y48:
?>'8'y$%-5.##y%"
?>'8'y5'<?'&&y%"
?>'8'y/?: :;"5$y48:
?>'8'y#:"5<!'.<y48:
?>'8'y#5.%-?%<!y48:
?>'8'y$/6-0'%;-y48:
?>'8'y6/#;;12y%"
?>'8'y6!-2299y%"
?>'8'y6/$2$8;y%"
?>'8'y:65#:&0y%"
?>'8'y!#6#55/y%"
?>'8'y6#5:5&.y%"
?>'8'y>6#.5<<6%y48:
?>'8'y >%&>!65;y48:
?>'8'y;! :65?/"y48:
?>'8'y6'6!4";y%"
?>'8'y6.6-$$>y%"
?>'8'y6.:<85>&/y48:
?>'8'y<#&&68 &#y48:
?>'8'y%%';!>68.y48:
?>'8'y%/ 692#08y48:
?>'8'y#$=!#6=y%"
?>'8'y6/&>>#%y%"
?>'8'y;?8004&y%"
?>'8'y80><0/&y%"
?>'8'y8.$=$<0y%"
?>'8'y-80$ >'%>y48:
?>'8'y.'=%:8>0-y48:
?>'8'y.818'4 .4y48:
?>'8'y/8$24=/>4y48:
?>'8'y;%;82.5y%"
?>'8'y>826=;<y%"
?>'8'y>"!826"-.y48:
?>'8'y?8/-/2"-<y48:
?>'8'y842$"2=y%"
?>'8'y;8=46=$y%"
?>'8'y>#85?68y%"
?>'8'y86!0-81&"y48:
?>'8'y8=69#;=y%"
?>'8'y<'8/6!-y%"
?>'8'y'%&8#89y%"
?>'8'y%89=.1=y%"
?>'8'y&8'9#-!-4y48:
?>'8'y?8>!998y%"
?>'8'y=>8:&9<y%"
?>'8'y-% 8;&'y%"
?>'8'y!8=-&:$y%"
?>'8'y?=.$./8y%"
?>'8'y&$#8'$>y%"
?>'8'y<;?%$=?8%y48:
?>'8'y-.8<-- !>y48:
?>'8'y$8< /%-.%y48:
?>'8'y: !#?90y%"
?>'8'y91%.1;<;#y48:
?>'8'y'9/1"60y%"
?>'8'y.9<1';89&y48:
?>'8'y9".1#/9y%"
?>'8'y%9#%> 1y%"
?>'8'y9.">2=<9=y48:
?>'8'y:/92/##y%"
?>'8'y<9;$4 .y%"
?>'8'y&9&4 ;=y%"
?>'8'y9. <'>5y%"
?>'8'y9'=6? =y%"
?>'8'y!?9954&. y48:
?>'8'y&9&:9>-9:y48:
?>'8'y99-% :#y%"
?>'8'y?>-99!:!"y48:
?>'8'y>9&:-&!//y48:
?>'8'y9'?!=:;?;y48:
?>'8'y;;>->.%y%"
?>'8'y:?.#$ ?y%"
?>'8'y#%%''/ y%"
?>'8'y>. =>./"%y48:
?>'8'y.'<' <.%'y48:
?>'8'y"&"<;%/!&y48:
90969<9B9H9N9T9Z9`9f9l9r9x9~9
9#909B9i9
9$949B9o9|9
9$9*90969<9B9H9N9T9Z9`9f9l9r9x9~9
9 9&9,92989>9D9J9P9V9\9b9h9n9t9z9
9"9(9.949:9@9F9L9R9X9^9d9j9p9v9|9
9!9'9.949;9A9J9P9X9k9}9
9+9<9i9
9.9B9X9]9s9
:%:/:9:C:M:W:a:k:u:
?#?*?9?R?d?k?z?
AdjustTokenPrivileges
advapi32.dll
ADVAPI32.dll
:<:A:K:h:
B.imports
;b;k;p;|;
>#>C>g>
CharLowerW
CloseHandle
closesocket
CoCreateGuid
CoCreateInstance
CoInitializeEx
CopyFileW
CoUninitialize
CreateDirectoryW
CreateEventA
CreateEventW
CreateFileA
CreateFileMappingA
CreateFileW
CreateIoCompletionPort
CreateMutexA
CreateProcessW
CreateRemoteThread
CreateThread
CreateToolhelp32Snapshot
@.data
debug_cache_dump_2384394.dmp
DeleteFileW
<@>D>L>P>h>l>
%dMutex%dExplorer%dMutex%d
dnsapi.dll
DNSAPI.dll
DnsQuery_A
DnsRecordListFree
downloader 
downloader2 
DuplicateHandle
E#+E/^ZY
EnterCriticalSection
<.<?<E<R<W<]<j<q<|<
ExitProcess
ExitThread
:':E:Z:j:t:
FindClose
FindFirstFileW
FindNextFileW
?$?F?M?U?\?b?i?n?u?{?
GetComputerNameW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetDriveTypeW
GetFileAttributesExW
GetFileAttributesW
GetFileSize
GetLastError
GetLongPathNameW
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetProcessImageFileNameW
GetProcessVersion
GetQueuedCompletionStatus
GetShellWindow
GetSystemTimeAsFileTime
GetSystemWow64DirectoryW
GetTempPathW
GetTickCount
GetUserNameW
GetVersionExA
GetVersionExW
GetVolumeInformationW
GetWindowThreadProcessId
;;;G;T;b;
HttpAddRequestHeadersA
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
InitializeCriticalSection
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetReadFile
InternetSetOptionA
IsWoW64Process
j hd=	
<%=+===J=S=X=^=t=|=
:#:(:.:j:w:|:
kernel32.dll
KERNEL32.dll
kernelbase.dll
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
LockFile
LookupPrivilegeValueW
</<<<l<r<
lstrcatA
lstrcatW
lstrcmpiA
lstrcmpiW
lstrcmpW
lstrcpyA
lstrcpyW
lstrlenA
lstrlenW
;:<_<l<x<
MapViewOfFile
MessageBoxA
MoveFileExW
MoveFileW
@mRich
MultiByteToWideChar
MUTEX_NAME_
?!?'?n?|?
ntdll.dll
NtQueryDirectoryFile
NtQueryInformationThread
NtQueueApcThread
NtResumeThread
ObtainUserAgentString
ole32.dll
OpenProcess
OpenProcessToken
P0e0z0
PathFindFileNameW
PathRemoveArgsW
?>pop.connect4.ru
?>pop.consultinginc.ru
?>pop.cpegnjp.ru
?>pop.ecbspeg.ru
?>pop.eebgghfs.ru
?>pop.ekiqyun.ru
?>pop.fqayzag.ru
?>pop.hrfomio.ru
?>pop.hwrcmsr.ru
?>pop.imvhhht.ru
?>pop.iqtzchf.ru
?>pop.itfutureclub.ru
?>pop.jciuzam.ru
?>pop.jkkjymtb.com
?>pop.jqcnoab.ru
?>pop.jwzuyjyk.ru
?>pop.lkxxvyx.ru
?>pop.lxsrvwk.ru
?>pop.mibjkib.ru
?>pop.mquwkqo.ru
?>pop.natntbuo.ru
?>pop.nbfysuh.ru
?>pop.nvuebzo.ru
?>pop.pjhzure.ru
?>pop.ppohnqab.com
?>pop.qlmkxqlx.com
?>pop.qujwlgt.ru
?>pop.qzibngc.ru
?>pop.thelove740.ru
?>pop.tinyupdates.ru
?>pop.tpalenc.ru
?>pop.tvugttl.ru
?>pop.tzsfbic.ru
?>pop.ukmsske.ru
?>pop.vfukgsuopav.ru
?>pop.vindustry.ru
?>pop.w8start.ru
?>pop.xbziiasm.com
?>pop.xonpqigw.ru
?>pop.zimbbth.ru
?>pop.zrxtugb.ru
?>pop.zymkela.ru
?>pop.zzuxqcw.ru
Process32FirstW
Process32NextW
psapi.dll
;.;;;\;q;
Qkkbal
QueryPerformanceCounter
Range: bytes=%d-%d
`.rdata
ReadFile
reboot
RegCloseKey
RegCreateKeyExW
RegDeleteValueW
RegEnumValueW
RegFlushKey
RegNotifyChangeKeyValue
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryValueA
RegQueryValueExW
RegSetValueExW
.reloc
ResetEvent
;$<r<S=^=s=}=
SetCurrentDirectoryW
SetEvent
SetFileAttributesW
SetFilePointer
SetLastError
SetUnhandledExceptionFilter
shell32.dll
SHELL32.dll
SHFileOperationW
SHGetFolderPathW
SHGetSpecialFolderPathW
shlwapi.dll
SHLWAPI.dll
StrChrW
StrCmpNIW
StrRChrW
StrStrW
T1Z1|1
:&:T:a:
TerminateProcess
TerminateThread
!This program cannot be run in DOS mode.
uninstall
UnlockFile
UnmapViewOfFile
update 
update2 
urlmon.dll
user32.dll
USER32.dll
User Agent
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualProtect
VirtualQuery
<+=?=W=
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
wininet.dll
WININET.dll
WriteFile
WriteProcessMemory
ws2_32.dll
WS2_32.dll
WSAGetLastError
WSARecvFrom
WSASendTo
WSASocketW
WSAStartup
wsprintfA
	wsprintfA
wsprintfW
	wsprintfW
wWXZOlIzwOwzIlOZXWw
ZwSetLdtEntries