Analysis Date: 2015-05-06 12:00:50
MD5: 0a3b0ee4b7dac6cee045d24ef8c1d9b1
SHA1: 55369333ffe3c48e6dbf8d9cbc5d98979ad935f5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 5298345e18626211e07a0f7ffe940b93 sha1: d163eb79c51a65b68910c1b3bbe272f29a260520 size: 40960
Section code md5: 427b1fe57b3b0a37a8fc4c3247916ebe sha1: 7a15c53e18e12606cb0964672e4fef51487d7aaa size: 8192
Section .rdata md5: b34598f5a77c5338cb608aec7266cc9b sha1: 19b9d06c707cffb330ae25f57f0d7bed047e6e7c size: 20480
Section .data md5: a594151322ecbfbbe30d3e575b621b69 sha1: c1b9b8462e616408fc9eaf394cdf181d14e974ba size: 28672
Section .reloc md5: 054cf5d3df71c2d40dcf7e7f91027c3a sha1: 331ba285498defa6aa0e3943d14ba7fd34ba58ec size: 8192
Section .imports md5: f4f95b67df6eb8367aab40c07bdd0d2f sha1: fd09968d0239121bbf628dded20aecc648601127 size: 4096
Timestamp: 2015-05-08 19:26:39 (note: this embedded timestamp is later than the Analysis Date above, so it should not be treated as a reliable build time)
Packer: Borland Delphi 3.0 (???)
PEhash: 0a362d298f26b71968e1984d3705f667765c8a7d
IMPhash: ca51c1947fb451ad1977c0d11dafb35b
AV Ad-Aware — Gen:Variant.Kazy.590541
AV Alwil (avast) — Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir) — Gen:Variant.Kazy.590541
AV Authentium — W32/S-d37a73f3!Eldorado
AV Avira (antivir) — TR/Dropper.Gen
AV BitDefender — Gen:Variant.Kazy.590541
AV BullGuard — Gen:Variant.Kazy.590541
AV CA (E-Trust Ino) — no_virus
AV CAT (quickheal) — no_virus
AV ClamAV — no_virus
AV Dr. Web — DLOADER.Trojan
AV Emsisoft — Gen:Variant.Kazy.590541
AV Eset (nod32) — Win32/Dorkbot.J worm
AV Fortinet — W32/Dorkbot.HX!worm
AV Frisk (f-prot) — no_virus
AV F-Secure — Gen:Variant.Kazy.590541
AV Grisoft (avg) — Generic_r.EQJ
AV Ikarus — Worm.Win32.Dorkbot
AV K7 — Trojan ( 003db13d1 )
AV Kaspersky — no_virus
AV MalwareBytes — no_virus
AV Mcafee — no_virus
AV Microsoft Security Essentials — no_virus
AV MicroWorld (escan) — Gen:Variant.Kazy.590541
AV Padvish — no_virus
AV Rising — no_virus
AV Sophos — Mal/Zbot-HX
AV Symantec — no_virus
AV Trend Micro — Mal_DLDER
AV Twister — no_virus
AV VirusBlokAda (vba32) — no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Network Details:


Raw Pcap

Strings
.
.
l
\*.*
4ZBR19116-NNIF
82z2z2s2d2g4j6k4l62d
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
Adobe
\advapi32.dll
advapi32.dll
alFSVWJB
alg.exe
\apiSoftCA
BCDEFGHIJKLMNOPQRSTUVWXYZ
bett2f00
bett2f002
\bett2f002
bfsvc.exe
calc.exe
.cmd
\cmd.exe
.com
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
CreativeAudio
\CreativeAudio
crypt32.dll
csrss.exe
/c "start %%cd%%%s & attrib -s -h %%cd%%%s & xcopy /F /S /Q /H /R /Y %%cd%%%s %%temp%%\%s\ & attrib +s +h %%cd%%%s & start %%temp%%\%s\%s & exit"
/c "%%SystemRoot%%\explorer.exe %%cd%%%s & attrib -s -h %%cd%%%s & xcopy /F /S /Q /H /R /Y %%cd%%%s %%temp%%\%s\ & attrib +s +h %%cd%%%s & start %%temp%%\%s\%s & exit"
/c taskkill /F /IM Explorer.exe
C:\Users\M\AppData\Local\Temp\temp41.tmp
C:\Users\M\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\M\AppData\Roaming\Microsoft\Windows\Themes
C:\Users\M\AppData\Roaming\Windows Live
C:\Users\M\AppData\Roaming\Windows Live\yensrubbud.exe
C:\Users\M\AppData\Roaming\WindowsUpdate
dnsapi.dll
explorer.exe
.gonewiththewings
*.gonewiththewings
helppane.exe
hh.exe
Identities
\Identities
iexplore.exe
\Internet Explorer\
iphlpapi.dll
jjjj
jjjjjj
KOPWELERGKR23930DW
\Live.exe
.lnk
lsass.exe
\Microsoft
\Microsoft\Windows
\Microsoft\Windows\Themes
msiexec.exe
netapi32.dll
netutils.dll
notepad.exe
\ntdll.dll
ole32.dll
OLLYDBG.EXE
open
petools.exe
.pif
%rand%
Reader_sl.exe
regedit.exe
rpcrt4.dll
rstrui.exe
rundll32.exe
%s\*
%s\*.*
samcli.dll
.scr
"%s" /CREATE /SC ONLOGON /TN "Windows Live" /TR "%s" /RL HIGHEST
%s\Documents and Settings\All users\Start Menu\Programs\Startup
secur32.dll
SeDebugPrivilege
services.exe
shell32.dll
shlwapi.dll
smsniff.exe
smss.exe
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Uazi Soft
spoolsv.exe
%s\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
"%s" /query /tn "Windows Live"
%s\Recycler
%s\%s
%s\%s.lnk
--startup
svchost.exe
System
\system32
\System32
\System32\schtasks.exe
[System Process]
%SystemRoot%\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
temp41.tmp
tjjj
twunk_16.exe
twunk_32.exe
UaziVer
%uniq%
%uniq%.exe
update
urlmon.dll
user32.dll
userenv.dll
w.exe
\Windows Live
\Windows Live\
Windows Live
Windows Live Installer
\WindowsUpdate
\WindowsUpdate\Live.exe
\WindowsUpdate\Updater.exe
winhelp.exe
winhlp32.exe
wininet.dll
winlogon.exe
wireshark.exe
write.exe
ws2_32.dll
wtsapi32.dll
ZBR-JNSEXOBM
:Zone.Identifier
0 0&0,02080>0D0J0P0V0\0b0h0n0t0z0
0"0(0.040:0@0F0L0R0X0^0d0j0p0v0|0
0"0(050<0G0[0o0u0
0040<0@0X0\0p0x0
02373=3D3
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<
: :$:(:,:0:4:8:<:@:D:l:p:t:x:|:
<$<*<0<6<<<B<H<N<T<Z<`<f<l<r<x<~<
;$;*;0;6;<;B;H;N;T;Z;`;f;l;r;x;~;
:$:*:0:6:<:B:H:N:T:Z:`:f:l:r:x:~:
?$?*?0?6?<?B?H?N?T?Z?`?f?l?r?x?~?
;%;*;0;B;I;P;W;_;f;l;|;
0c0h0u0
;";);0;E;L;
<$<0<l<p<x<|<
?"?*?0?:?L?T?Z?d?v?~?
0R031>1S1]1g1
1$1*10161<1B1H1N1T1Z1`1f1l1r1x1~1
1"1(1.141:1@1F1L1R1X1^1d1j1p1v1|1
1$1.121=1B1L1U1_1c1n1s1}1
1$1:1D1I1T1^1c1
1*13181>1T1\1b1h1p1
1!1A1e1j1w1
1'1N1[1r1
1'212@2
1%222A2J2Q2W2d2m2t2
171j1|1
1z2z3reas34534543233245x6
2$2*20262<2B2H2N2T2Z2`2f2l2r2x2~2
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2
2 2&2,22282>2D2J2P2V2\2b2h2n2t2z2
2)2:2G2\2i2p2
2/2O2s2
2	3"3G3Z3v3
253U3t4
< <&<,<2<8<><D<J<P<V<\<b<h<n<t<z<
= =&=,=2=8=>=D=J=P=V=\=b=h=n=t=z=
; ;&;,;2;8;>;D;J;P;V;\;b;h;n;t;z;
: :&:,:2:8:>:D:J:P:V:\:b:h:n:t:z:
? ?&?,?2?8?>?D?J?P?V?\?b?h?n?t?z?
?2?;?A?M?}?
323D3K3Z3p3v3
3!303f3
3 3&3,32383>3D3J3P3V3\3b3h3n3t3z3
3"3(3.343:3@3F3L3R3X3^3d3j3p3v3|3
3&3-353<3B3I3N3U3[3
344A4V4k4u4
3!4.4I4V4h4
345:5\5b5
374K4P4]4b4o4t4
>3?B?V?q?~?
3N3\3b3
4'404;4R4X4c4w4
4$4*40464<4B4H4N4T4Z4`4f4l4r4x4~4
4"4(4.444:4@4F4L4R4X4^4d4j4p4v4|4
4 4$4T4X4`4d4|4
4-4J4j4t4
?$?(?,?4?8?<?@?D?H?L?P?T?X?
<!<'<.<4<;<A<J<P<X<k<}<
=4=b=o=
<$<4<B<o<|<
="=(=.=4=:=@=F=L=R=X=^=d=j=p=v=|=
>">(>.>4>:>@>F>L>R>X>^>d>j>p>v>|>
;";(;.;4;:;@;F;L;R;X;^;d;j;p;v;|;
:":(:.:4:::@:F:L:R:X:^:d:j:p:v:|:
>">(>.>4>:>H>L>P>T>X>\>`>d>h>l>p>t>x>
;$<4<J<f<
= =4=;=T=[=a=h=|=
515>5E5}5
5$5*50565<5B5H5N5T5Z5`5f5l5r5x5~5
5$5+525:5A5G5W5b5i5o5v5{5
5!5.53585E5J5O5\5a5j5p5
5"5/545:5J5Q5c5h5n5u5z5
5 5&5,52585>5D5J5P5V5\5b5h5n5t5z5
5"5(5.545:5@5F5L5R5X5^5d5j5p5v5|5
5'585F5{5
:!:5:;:B:V:]:
<"<5<<<C<X<_<
;+;5;?;V;f;t;
60;0Q0[0
637@7i7x7
6$6*60666<6B6H6N6T6Z6`6f6l6r6x6~6
6%6+636F6X6c6m6y6
6"6(6.646:6@6F6L6R6X6^6d6j6p6v6|6
6 6*686=6G6Z6
6<6@6D6H6L6P6T6X6\6`6d6h6l6t6x6|6
6[6b6w6
6G6T6q6|6
747n7u7
7$7*70767<7B7H7N7T7Z7`7f7l7r7x7~7
7 7&7,72787>7D7J7P7V7\7b7h7n7t7z7
7 7&7-74797@7F7M7S7]7c7n7u7|7
7#797L7T7`7k7|7
787=7J7^7c7p7~7
7	888=8J8j8u8
7<8S8m8
7A7J7P7
<#<7<s<
809F9\9r9
8#848:8Q8l8v8{8
8(8,8084888<8@8D8H8L8P8T8X8`8d8h8l8p8t8x8|8
8 8&8,82888>8D8J8P8V8\8b8h8n8t8z8
8"8(8.848:8@8F8L8R8X8^8d8j8p8v8|8
8 8`8e8t8y8~8
8<8@8H8L8d8h8|8
8 8O8c8h8u8
8 9)9.9@9Z9c9i9z9
=8>r>}>
="=8===S=z=
?>'8'y00; =0-y%"
?>'8'y0-"0;$$$/y48:
?>'8'y&:0!18/49y48:
?>'8'y"0;<1>:.?y48:
?>'8'y0-=='%<"1y48:
?>'8'y0"2'4!-$%y48:
?>'8'y"0: <=2>8y48:
?>'8'y 046'$>82y48:
?>'8'y0?5-151#&y48:
?>'8'y<05&1<%y%"
?>'8'y=. 0.5!?2y48:
?>'8'y-%/#"05y%"
?>'8'y.05#-%? >y48:
?>'8'y##<'"095"y48:
?>'8'y;&#:0= y%"
?>'8'y&"= ;0#y%"
?>'8'y#!"0##;y%"
?>'8'y'1-0>81y%"
?>'8'y!1"<0$"8'6!y%"
?>'8'y= 1$;0?y%"
?>'8'y;;#>"10y%"
?>'8'y$%'1%0!!:y48:
?>'8'y>1-$%;12 y48:
?>'8'y1:1:;9<1-y48:
?>'8'y>#1"#"%24;"5y%"
?>'8'y1&4.">#:6y48:
?>'8'y<14&..?<$y48:
?>'8'y!>!14':-=y48:
?>'8'y!$>1=4?-"y48:
?>'8'y#-$15>4y%"
?>'8'y"?$">15.>y48:
?>'8'y16//%#%4<y48:
?>'8'y1&6.-60y%"
?>'8'y1#;6;>#-<y48:
?>'8'y%>.186 '/y48:
?>'8'y?%18:>8y%"
?>'8'y18>95.:6>y48:
?>'8'y1"#94#>4>y48:
?>'8'y1:9=61'y%"
?>'8'y19.$ 9<!<y48:
?>'8'y-1-?''$y%"
?>'8'y:1.>#;>y%"
?>'8'y/-%%;1/y%"
?>'8'y#.1%>.;y%"
?>'8'y#'2;'0/1"y48:
?>'8'y-?%2;1<y%"
?>'8'y'=2'2$=/0y48:
?>'8'y"!>220'"-y48:
?>'8'y22500?1$y%"
?>'8'y22=8!0> 'y48:
?>'8'y2.2.81"y%"
?>'8'y":2$2=/y%"
?>'8'y22: ?">.&y48:
?>'8'y245$'20y%"
?>'8'y2#.%:46>9y48:
?>'8'y24</.!/"8y48:
?>'8'y2=4!&9?&&y48:
?>'8'y2!.&-;4y%"
?>'8'y2"/'4#?y%"
?>'8'y2.51>#12!y48:
?>'8'y26>>24 y%"
?>'8'y!>=!$26'6y48:
?>'8'y-.:<2;6y%"
?>'8'y:$ #26:y%"
?>'8'y#?2;8!2`cgy%"
?>'8'y<! < //28y48:
?>'8'y<2#9/%$4<y48:
?>'8'y2>9;5-'6 y48:
?>'8'y=2"">9;84y48:
?>'8'y2<>&."9y%"
?>'8'y2#!9-$ <#y48:
?>'8'y>"2-?<&y%"
?>'8'y'=?-"%2y%"
?>'8'y"<:$$<2y%"
?>'8'y%-??2>;y%"
?>'8'y2!-."?-=#y48:
?>'8'y;4&&?<0-=y48:
?>'8'y>&#-4?1y%"
?>'8'y4'209='y%"
?>'8'y;449'%>y%"
?>'8'y!<4&52$-:y48:
?>'8'y#-4.&%5y%"
?>'8'y.'&4#=5 <y48:
?>'8'y?#46?0 y%"
?>'8'y ?/ 46!!0y48:
?>'8'y%4"%66&=2y48:
?>'8'y!%4=?!68!y48:
?>'8'y=4>"-6:y%"
?>'8'y4#"> $;/6y48:
?>'8'y>;48.15y%"
?>'8'y489$";#>90>94y%"
?>'8'y489924#cy%"
?>'8'y<4 ;8&'y%"
?>'8'y$&48<%>y%"
?>'8'y;&4;8. &:y48:
?>'8'y?;-%48?/<y48:
?>'8'y"4969%-=9y48:
?>'8'y=&49865y%"
?>'8'y/''&49==%y48:
?>'8'y ='&'"4y%"
?>'8'y--"/&4 y%"
?>'8'y? %4:$%y%"
?>'8'y4# ;=-&y%"
?>'8'y $?4&!=-!y48:
?>'8'y4';#%:?! y48:
?>'8'y"5=0;=6;0y48:
?>'8'y'%5:0/<;%y48:
?>'8'y50=# ;#=:y48:
?>'8'y5-%2#' 5>y48:
?>'8'y/;?5/28%"y48:
?>'8'y$<5&%#4y%"
?>'8'y $?/-:;54y48:
?>'8'y%5'&!529.y48:
?>'8'y!5$##?/54y48:
?>'8'y5"$.-588%y48:
?>'8'y->:55#?y%"
?>'8'y:>5=<>5y%"
?>'8'y?5.&!=-?6y48:
?>'8'y/5->>6$:y48:
?>'8'y#"!/"584$y48:
?>'8'y>;?5.#8y%"
?>'8'y&->5904y%"
?>'8'y59/&&.=2.y48:
?>'8'y 5";#9>;>y48:
?>'8'y$%-5.##y%"
?>'8'y5'<?'&&y%"
?>'8'y=<<=.:#5y48:
?>'8'y/?: :;"5$y48:
?>'8'y#:"5<!'.<y48:
?>'8'y#5.%-?%<!y48:
?>'8'y$/6-0'%;-y48:
?>'8'y6/#;;12y%"
?>'8'y6!-2299y%"
?>'8'y6/$2$8;y%"
?>'8'y#'6;294y%"
?>'8'y:65#:&0y%"
?>'8'y!#6#55/y%"
?>'8'y6#5:5&.y%"
?>'8'y>6#.5<<6%y48:
?>'8'y >%&>!65;y48:
?>'8'y;! :65?/"y48:
?>'8'y6'6!4";y%"
?>'8'y6.6-$$>y%"
?>'8'y6.:<85>&/y48:
?>'8'y<#&&68 &#y48:
?>'8'y%%';!>68.y48:
?>'8'y%/ 692#08y48:
?>'8'y#$=!#6=y%"
?>'8'y6/&>>#%y%"
?>'8'y;?8004&y%"
?>'8'y80><0/&y%"
?>'8'y8.$=$<0y%"
?>'8'y-80$ >'%>y48:
?>'8'y.'=%:8>0-y48:
?>'8'y.818'4 .4y48:
?>'8'y/8$24=/>4y48:
?>'8'y;%;82.5y%"
?>'8'y>826=;<y%"
?>'8'y>"!826"-.y48:
?>'8'y?8/-/2"-<y48:
?>'8'y842$"2=y%"
?>'8'y;8=46=$y%"
?>'8'y>#85?68y%"
?>'8'y86!0-81&"y48:
?>'8'y8=69#;=y%"
?>'8'y<'8/6!-y%"
?>'8'y'%&8#89y%"
?>'8'y/89'&>0 y%"
?>'8'y%89=.1=y%"
?>'8'y&8'9#-!-4y48:
?>'8'y''8?9&65y48:
?>'8'y?8>!998y%"
?>'8'y=>8:&9<y%"
?>'8'y-% 8;&'y%"
?>'8'y:&" <&8y%"
?>'8'y!8=-&:$y%"
?>'8'y?=.$./8y%"
?>'8'y&$#8'$>y%"
?>'8'y<;?%$=?8%y48:
?>'8'y-.8<-- !>y48:
?>'8'y$8< /%-.%y48:
?>'8'y: !#?90y%"
?>'8'y91%.1;<;#y48:
?>'8'y'9/1"60y%"
?>'8'y.9<1';89&y48:
?>'8'y9".1#/9y%"
?>'8'y%9#%> 1y%"
?>'8'y9!"25-8y%"
?>'8'y9.">2=<9=y48:
?>'8'y:/92/##y%"
?>'8'y#>9."'36#2$y%"
?>'8'y!>93"$#%.y%"
?>'8'y<9;$4 .y%"
?>'8'y&9&4 ;=y%"
?>'8'y951.$"?y%"
?>'8'y9. <'>5y%"
?>'8'y96#9#5"8y%"
?>'8'y9'=6? =y%"
?>'8'y!?9954&. y48:
?>'8'y&9&:9>-9:y48:
?>'8'y99-% :#y%"
?>'8'y?>-99!:!"y48:
?>'8'y>9&:-&!//y48:
?>'8'y9'?!=:;?;y48:
?>'8'y o$#6%#y%"
?>'8'y= -".=.<y%"
?>'8'y>:!???#y%"
?>'8'y;<//!./y%"
?>'8'y;;>->.%y%"
?>'8'y;/$%! <y%"
?>'8'y:?.#$ ?y%"
?>'8'y#%%''/ y%"
?>'8'y>. =>./"%y48:
?>'8'y.'<' <.%'y48:
?>'8'y"&"<;%/!&y48:
?>'8'y&;:</&;/y48:
90969<9B9H9N9T9Z9`9f9l9r9x9~9
91989C9N9u9
9$9*90969<9B9H9N9T9Z9`9f9l9r9x9~9
9 9&9,92989>9D9J9P9V9\9b9h9n9t9z9
9"9(9.949:9@9F9L9R9X9^9d9j9p9v9|9
9%9.9;9X9
9+9<9i9
9!9u9{9
99:]:z:
>#>,>9>B>O>X>e>v>
:%:/:9:C:M:W:a:k:u:
AdjustTokenPrivileges
advapi32.dll
ADVAPI32.dll
<!<.<:<@<a<k<}<
=<=A=K=h=
>!>A>n>
B.imports
?>?b?i?v?
>b>k>p>|>
CharLowerW
=?=c=h=u=
CloseHandle
closesocket
CoCreateGuid
CoCreateInstance
CoInitializeEx
CopyFileW
CoUninitialize
CreateDirectoryW
CreateEventA
CreateEventW
CreateFileA
CreateFileMappingA
CreateFileW
CreateIoCompletionPort
CreateMutexA
CreateProcessW
CreateRemoteThread
CreateThread
CreateToolhelp32Snapshot
@.data
debug_cache_dump_2384394.dmp
DeleteFileW
<@>D>L>P>h>l>
%dMutex%dExplorer%dMutex%d
dnsapi.dll
DNSAPI.dll
DnsQuery_A
DnsRecordListFree
downloader 
downloader2 
DuplicateHandle
E#+E/^ZY
EnterCriticalSection
ExitProcess
ExitThread
FindClose
FindFirstFileW
FindNextFileW
=>=f=p=
GetComputerNameW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetDriveTypeW
GetExitCodeProcess
GetFileAttributesExW
GetFileAttributesW
GetFileSize
GetLastError
GetLongPathNameW
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetProcessImageFileNameW
GetProcessVersion
GetQueuedCompletionStatus
GetShellWindow
GetSystemTimeAsFileTime
GetSystemWow64DirectoryW
GetTempPathW
GetTickCount
GetUserNameW
GetVersionExA
GetVersionExW
GetVolumeInformationW
GetWindowsDirectoryW
GetWindowThreadProcessId
>;>G>T>b>
HttpAddRequestHeadersA
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
<:<i<|<
InitializeCriticalSection
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetReadFile
InternetSetOptionA
;\;i;o;u;~;
IsWoW64Process
;";/;j;
='===J=a=
j hd=t
>%>:>J>T>c>
?'?<?J?T?Y?d?
:#:(:.:j:w:|:
kernel32.dll
KERNEL32.dll
kernelbase.dll
:*:^:k:v:
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
LockFile
LookupPrivilegeValueW
lopqfvftjcoqcvcrroakiqnhpmhehvmmlsh
lstrcatA
lstrcatW
lstrcmpiA
lstrcmpiW
lstrcmpW
lstrcpyA
lstrcpyW
lstrlenA
lstrlenW
>,>M>}>
MapViewOfFile
MessageBoxA
MoveFileExW
MoveFileW
MultiByteToWideChar
MUTEX_NAME_
ntdll.dll
NtQueryDirectoryFile
NtQueryInformationThread
NtQueueApcThread
NtResumeThread
ObtainUserAgentString
ole32.dll
?+?O?o?
OpenProcess
OpenProcessToken
PathFindFileNameW
PathRemoveArgsW
Process32FirstW
Process32NextW
psapi.dll
:$:):::?:P:U:f:k:|:
Qkkbal
QueryPerformanceCounter
Range: bytes=%d-%d
`.rdata
ReadFile
reboot
RegCloseKey
RegCreateKeyExW
RegDeleteValueW
RegEnumValueW
RegFlushKey
RegNotifyChangeKeyValue
RegOpenKeyExW
RegOpenKeyW
RegQueryInfoKeyW
RegQueryValueA
RegQueryValueExW
RegSetValueExW
.reloc
ResetEvent
SetCurrentDirectoryW
SetEvent
SetFileAttributesW
SetFilePointer
SetHandleContext
SetLastError
SetUnhandledExceptionFilter
SHCreateDirectoryExW
shell32.dll
SHELL32.dll
ShellExecuteW
SHFileOperationW
SHGetFolderPathW
SHGetSpecialFolderPathW
shlwapi.dll
SHLWAPI.dll
StrChrW
StrCmpNIW
StrRChrW
StrStrW
TerminateProcess
TerminateThread
!This program cannot be run in DOS mode.
uninstall
UnlockFile
UnmapViewOfFile
update 
update2 
urlmon.dll
user32.dll
USER32.dll
User Agent
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
wininet.dll
WININET.dll
WriteFile
WriteProcessMemory
ws2_32.dll
WS2_32.dll
WSAGetLastError
WSARecvFrom
WSASendTo
WSASocketW
WSAStartup
wsprintfA
	wsprintfA
wsprintfW
	wsprintfW
wWXZOlIzwOwzIlOZXWw
ZwQueryDirectoryFile
ZwQueryInformationThread
ZwQueueApcThread
ZwResumeThread
ZwSetLdtEntries