Xylitol's files are vawtrak.
Unfortunately, securelist "neverquest" article is poorly researched.
Bot URL structure:
Unfortunately, securelist "neverquest" article is poorly researched.
Bot URL structure:
Code: Select all
Vawtrak strings:/forumdisplay.php?fid=%u
/post.aspx?forumID=%u
/post.aspx?messageID=%u
Code: Select all
"aPLib v1.01 - the smaller the better :)"
"Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved."
"More information: http://www.ibsensoftware.com/"
b-o
HzS
OLEACC.dll
COMDLG32.dll
@J7<
8CRYPT32.dll
NETAPI32.dll
MODU
@@@@
@@@@
@@@@
@@@@
@@@@
@@@@
@@@@
@@@@
!!!!!!!!!!!!!!!!ADAA@@@@@@@@@@@@
@@AD
@@@@
@@@@@@@@!!!!
@@@@@@
A@@@@@@@@@
@@@@P
@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@AAAA@@@
@@@@$$$$$$$$$$$$$$$$@@@@@@@@@@@@@@@@
@A@
@A@@@@@@@@@@@@@A@@@@@@@A@AAA@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
"x ATAUAVAWE3"
HcQ<H
:PE
RPH
"P E"
X$E;
ruH;
spL;
rkL;
sfL;
raL;
s\3
tUE
tPM
@:;u
t<I
8@:<
\$(H
l$0H
t$8H
|$@A_A^A]A\
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
#+3;CScs
!1Aa
K6\
K6\
K6\
K6\
user_id%
version_id%
framework_key%
framework%
"function EQFramework(g){this._Key=g;this._LastAsync=null;this.Version=1;this.GetXHR=function(){""undefined""===typeof XMLHttpRequ"
random%
text/html
text/plain
text/javascript
text/css
text/xml
application/json
application/x-javascript
application/x-json
application/javascript
application/atom+xml
application/rss+xml
TrustedPeople
TrustedPublisher
Root
Disallowed
CertificateAuthority
AuthRoot
AddressBook
1234
%s.pfx
"\Macromedia\Flash Player\"
cookies.sqlite
\Mozilla\Firefox\Profiles\
cookies.sqlite-journal
ff/
sol/
ie/
.txt
client_32.dll
c.dll
"Content-Type: application/octet-stream"
Status
Software\df5a3418-685e-4e1f-a26a-aabf17af39b8
"[%s - X32 EQ PID: %u TID: %u] "
DebugMEssage
Transfer-Encoding
chunked
Content-Length
Content-Encoding
ntCoent-Length
X-Content-Security-Policy
X-Frame-Options
X-WebKit-CSP
gzip
Content-Type
"HTTP/1.1 200 OK"
"Content-Length: %u"
"Connection: close"
"GET /robots.txt HTTP/1.1"
"Connection: close"
Authorization
ocsp
NSPR4.DLL
nss3.dll
PR_GetError
PR_GetOSError
PR_SetError
OpenInputDesktop
USER32.DLL
SwitchDesktop
GetKeyState
GetKeyboardState
GetAsyncKeyState
GetMessagePos
GetCursorPos
SetCursorPos
SetCapture
ReleaseCapture
GetCapture
GetMessageA
GetMessageW
PeekMessageA
PeekMessageW
iexplore.exe
firefox.exe
outlook.exe
127.0.0.1
POST
POST
"[VNC] New Client"
"[VNC] Fail init BC"
"[VNC] Fail addr proto BC"
"[VNC] Fail connect BC"
"[VNC] Fail init work: %u"
"[VNC] Start Sever"
"VNC Already started"
"[VNC] Parse param error: %s"
_hrc
\regsvr32.exe
"[VNC] Fail create process: %u"
"[VNC] Fail inject to process: %u"
*.*
All
*.*
open
"user_pref(""layers.acceleration.disabled"", true);"
"user_pref(""gfx.direct2d.disabled"", true);"
prefs.js
IEXPLORE.EXE
about:blank
"-extoff about:blank"
"-private about:blank"
FIREFOX.EXE
OUTLOOK.EXE
EXPLORER.EXE
CMD.EXE
TASKMGR.EXE
#32768
SysShadow
ToolbarWindow32
DirectUIHWND
%0.8x:%0.8x
application/octet-stream
"HTTP/1.1 200 OK"
"Content-Length: %u"
"Content-Type: application/octet-stream"
"Content-Type: application/x-www-form-urlencoded"
id=%0.8X%0.8X%0.8X%0.4X%0.4X
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X
"Query Config"
%0.8x
ADVAPI32.DLL
PR_Read
PR_Write
PR_Close
SOFTWARE\AppDataLow\
InternetConnectA
WININET.DLL
InternetConnectW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
InternetCloseHandle
InternetReadFile
InternetReadFileExA
InternetQueryDataAvailable
HttpQueryInfoA
HttpOpenRequestA
HttpOpenRequestW
InternetWriteFile
HttpEndRequestA
HttpEndRequestW
InternetQueryOptionA
InternetQueryOptionW
InternetSetOptionA
InternetSetOptionW
CreateProcessW
kernel32.dll
CreateProcessA
CreateProcessAsUserW
CreateProcessAsUserA
SeCreateGlobalPrivilege
SeShutdownPrivilege
SeDebugPrivilege
"Init in Browser = %u"
"Init in Shell = %u"
"[Socks] New Client"
"[Socks] Failt Init BC"
"[Socks] Fail add proto BC"
"[Socks] Failt connect BC [%s:%u]"
_proxy
"[Socks] Fail parse param: %s"
"Install Update"
%ws
Software\Microsoft\Windows\CurrentVersion\Run
.dat
"Update Installed"
"[Pony] Fail Get Pass"
.exe
"DL_EXEC Status [Pipe]: %u-%u-%u"
"DL_EXEC Status[Local]: %u"
"%u "
PROCESS_LIST
LOG
"Start Socks addr: %s"
"Start Socks Status[Pipe]: %u-%u-%u"
"Start Socks Status[Local]: %u"
"Start VNC addr: %s"
"Start VNC Status[Pipe]: %u-%u-%u"
"Start VNC Status[Local]: %u"
msvcrt.dll
vsprintf
%0.8X%0.8X0
"COMMAND: %s"
%0.8X%0.8X%c
"URL: %s"
"INFO: %s"
%0.8X%0.8X2
"URL: %s"
%0.8X%0.8X1
"URL: %s"
"LOGIN: %s"
"PASS: %s"
%0.8X%0.8X5
"URL: %s"
"KEYWORD: %s"
%0.8X%0.8X6
"URL: %s"
%0.8X%0.8X7
%0.8X%0.8X8
%0.8X%0.8X9
%0.8X%0.8XA
/forumdisplay.php?fid=%u
/post.aspx?forumID=%u
/post.aspx?messageID=%u
"Software\Microsoft\Internet Explorer\Main"
NoProtectedModeBanner
TabProcGrowth
"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
2500
http://
https://
"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
"User Agent"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
GET
%0.4X%0.4X-%0.4X-%0.4X-%0.4X-%0.4X%0.4X%0.4X
{%0.4X%0.4X-%0.4X-%0.4X-%0.4X-%0.4X%0.4X%0.4X}
\\.\pipe\
"000000 "
"000755 "
" "
%0.11u
"ustar "
%0.7u
././@LongLink
dbghelp.dll
MiniDumpWriteDump
.tmp
Host
User-Agent
iexplore.exe
firefox.exe
explorer.exe
chrome.exe
"PID: %u [%0.2u:%0.2u:%0.2u] "
"[BC] Cmd Ver Error"
"[BC] Wait Ping error %u[%u]"
"[BC] Fail Connect"
"[BC] Fail send auth"
"[BC] Fail read cmd"
"[BC] cmd error: %u"
"[BC] Cmd need disconnect"
S:(ML;;NW;;;LW)
D:(A;OICI;GA;;;WD)
ntdll.dll
LdrLoadDll
NtGetContextThread
NtProtectVirtualMemory
\System32\kernel32.dll
\System32\kernelbase.dll
CreateRemoteThread
"regsvr32.exe /s ""%s"""
"regsvr32.exe /s ""%s"""
"Microsoft Base Cryptographic Provider v1.0"
NtWow64ReadVirtualMemory64
NtWow64WriteVirtualMemory64
IsWow64Process
gdiplus.dll
GdiplusStartup
GdipCreateBitmapFromHBITMAP
GdipSaveImageToFile
GdipDisposeImage
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
UninstallString
DisplayName
<HTTPMail_Password2
<IMAP_Password2
<SMTP_Password2
<POP3_Password2
account.cfg
account.cfn
"Working Directory"
"Software\RIT\The Bat!"
ProgramDir
Default
"Software\RIT\The Bat!\Users depot"
Count
"Dir #%u"
\BatMail
"\The Bat!"
.oeaccount
Salt
"Software\Microsoft\Windows Live Mail"
"\Microsoft\Windows Live Mail"
"Software\Microsoft\Windows Mail"
"\Microsoft\Windows Mail"
EmailAddress
Technology
PopServer
PopPort
PopAccount
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
Software\IncrediMail
abe2869f-9b47-4cd9-a358-c22904dba7f7
"Software\Microsoft\Internet Explorer\IntelliForms\Storage2"
Microsoft_WinInet_*
"Internet Explorer"
WininetCacheCredentials
"MS IE FTP Passwords"
"DPAPI: "
PWDFILE0
1.0
PKDFILE0
"Last Server Type"
"Last Server Path"
"Last Server Port"
"Last Server User"
"Last Server Host"
"Last Server Pass"
Server.Port
Server.User
Server.Host
Server.Pass
"Server Type"
Line
Password
HostName
User
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
"Software\Far Manager\Plugins\FTP\Hosts"
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
"Software\Far Manager\SavedDialogHistory\FTPHost"
Sites\
.ini
\win.ini
DIR
WS_FTP
DEFDIR
\Ipswitch\WS_FTP
\Ipswitch
QCHistory
\GlobalSCAPE\CuteFTP
sm.dat
"\GlobalSCAPE\CuteFTP Pro"
"\GlobalSCAPE\CuteFTP Lite"
\CuteFTP
CUTEFTP
"Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar"
"Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar"
"Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar"
"Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar"
"Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar"
"Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar"
\Sites.dat
\Quick.dat
\History.dat
\FlashFXP\3
\FlashFXP\4
InstallerDathPath
Software\FlashFXP\3
path
Software\FlashFXP
"Install Path"
DataFolder
Software\FlashFXP\4
"\BulletProof Software"
.dat
.bps
LastSessionFile
"Software\BPFTP\Bullet Proof FTP\Main"
"Software\BulletProof Software\BulletProof FTP Client\Main"
SitesDir
"Software\BPFTP\Bullet Proof FTP\Options"
"Software\BulletProof Software\BulletProof FTP Client\Options"
InstallDir1
Software\BPFTP
\SmartFTP
.xml
Favorites.dat
History.dat
installpath
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Username
HostDirName
"Software\CoffeeCup Software\Internet\Profiles"
Login
InitialPath
PasswordType
profiles.xml
"\FTP Explorer"
Buttons
"Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224"
"Software\FTP Explorer\Profiles"
FtpSite.xml
\Frigate3
\VanDyke\Config\Sessions
"Config Path"
Software\VanDyke\SecureFX
\Sessions
RushSite.xml
\FTPRush
bitkinex.ds
\BitKinex
NDSites.ini
\NetDrive
AppDir
Software\LeechFTP
bookmark.dat
LocalDir
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
"\Global Downloader"
FTP++.Link\shell\open\command
.fpl
.xfp
\NetSarang
NppFTP.xml
\Notepad++
DataDir
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
UltraFXP
\sites.xml
"\GPSoftware\Directory Opus"
.oxc
.oll
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
"\CoffeeCup Software"
\32BitFtp.ini
FTPCON
"FTP CONTROL"
\Profiles
.prf
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
\RhinoSoft
SiteInfo.QFP
Odin
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
.SMF
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastAddress
LastUser
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
\SiteDesigner
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
"FTP Now"
FTPShell
ftpshell.fsi
NexusFile
ftpsite.ini
"FastStone Browser"
FTPList.db
"My FTP"
project.ini
Software\RimArts\B2\Settings
Mailbox.ini
DataDirBak
"FTP Navigator"
"FTP Commander"
ftplist.txt
HostAddr
UserName
RemoteDir
CredentialSalt
Software\Sota\FFFTP
CredentialCheck
Software\Sota\FFFTP\Options
PthR
SSH
Software\FTPWare\COREFTP\Sites
Server
FtpPort
Software\Cryer\WebSitePublisher
_Password
Directory
"Software\NCH Software\ClassicFTP\FTPAccounts"
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
"SOFTWARE\NCH Software\Fling\Accounts"
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
RemoteDirectory
PortNumber
FSProtocol
"Software\Martin Prikryl"
PassWord
Url
RootDirectory
ServerType
"Software\South River Technologies\WebDrive\Connections"
Pass
"Remote Dir"
"Software\LinasFTP\Site Manager"
TerminalType
Software\SimonTatham\PuTTY\Sessions
"FTP destination password"
"FTP destination server"
"FTP destination port"
"FTP destination user"
"FTP destination catalog"
"FTP profiles"
"Software\CoffeeCup Software"
Msi.dll
MsiGetComponentPathA
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
Path
\PocoSystem.ini
DataPath
Program
accounts.ini
"Software\Poco Systems Inc"
\Pocomail
InstallPath
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
SOFTWARE\LeapWare
FtpIniName
"Software\Ghisler\Windows Commander"
"Software\Ghisler\Total Commander"
wcx_ftp.ini
\GHISLER
InstallDir
\sitemanager.xml
\recentservers.xml
\filezilla.xml
\FileZilla
Software\FileZilla
Install_Dir
"Software\FileZilla Client"
Hostname
"""password"" : """
"""password"":"""
Software\ExpanDrive\Sessions
ExpanDrive_Home
Software\ExpanDrive
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
MRU
wiseftpsrvs.ini
wiseftp.ini
wiseftpsrvs.bin
\AceBIT
Software\AceBIT
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
Settings
\Sites
.ftp
"\Visicom Media"
ServerName
UserID
InitialDirectory
"FTP Count"
"FTP File%u"
SOFTWARE
Robo-FTP
SOFTWARE\%s\FTPServers
\Scripts
"<setting name="""
"value="""
\Cyberduck
user.config
.duck
"SiteServer %u\Host"
"SiteServer %u\WebUrl"
"SiteServer %u\Remote Directory"
"SiteServer %u-User"
"SiteServer %u-User PW"
"SiteServer %u\SFTP"
Keychain
SiteServers
Software\Adobe\Common
"winex="""
"""/>"
Site
xflags
Folder
.wjf
"Software\Nico Mak Computing\WinZip\FTP"
"Software\Nico Mak Computing\WinZip\mru\jobs"
NSS_Init
NSS_Shutdown
NSSBase64_DecodeBuffer
SECITEM_FreeItem
PK11_GetInternalKeySlot
PK11_Authenticate
PK11SDR_Decrypt
PK11_FreeSlot
sqlite3.dll
mozsqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
"SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins"
ftp.
ftp://
signons.sqlite
\profiles.ini
Profile
IsRelative
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Flock\Browser\
Flock
\Mozilla\Profiles\
Mozilla
\K-Meleon
K-Meleon
\Epic\Epic
Epic
\Thunderbird
Thunderbird
TERMSRV/
TERMSRV/*
username:s:
"password 51:b:"
"full address:s:"
.rdp
"SMTP Password"
"HTTPMail Password"
"NNTP Password"
"IMAP Password"
"POP3 Password"
"SMTP Password2"
"HTTPMail Password2"
"NNTP Password2"
"IMAP Password2"
"POP3 Password2"
"IMAP Port"
"SMTP Port"
"POP3 Port"
"SMTP User"
"HTTPMail Server"
"HTTPMail User Name"
"IMAP User"
"POP3 User"
"HTTP Server URL"
"HTTP User"
Email
"IMAP User Name"
"IMAP Server"
"NNTP Server"
"NNTP User Name"
"NNTP Email Address"
"SMTP User Name"
"POP3 User Name"
"POP3 Server"
"SMTP Server"
"SMTP Email Address"
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
identification
identitymgr
"inetcomm server passwords"
"outlook account manager passwords"
identities
"Software\Microsoft\Internet Account Manager\Accounts"
"\Software\Microsoft\Internet Account Manager\Accounts"
Identities
Outlook
"Software\Microsoft\Internet Account Manager"
\Accounts
"Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"
"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings"
"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"
%2.2X
Pstorec.dll
PStoreCreateInstance
RSDS
T:\Develop\EQ2\bin\tmp\client_32.pdb
wsprintfA
wvsprintfA
MessageBoxA
OpenDesktopA
GetWindowThreadProcessId
PostMessageA
IsWindow
SendMessageA
CreateDesktopA
GetThreadDesktop
GetUserObjectInformationA
IsRectEmpty
PrintWindow
SetWindowPos
ReleaseDC
IntersectRect
GetDC
GetWindowInfo
GetClassNameA
MapWindowPoints
GetSystemMetrics
SendMessageTimeoutW
GetWindowLongA
GetAncestor
GetWindowLongW
GetClassLongW
GetParent
PostMessageW
GetWindowRect
CloseDesktop
wsprintfW
GetForegroundWindow
CreateCompatibleDC
SelectObject
GdiFlush
DeleteDC
SetViewportOrgEx
DeleteObject
RegNotifyChangeKeyValue
RegCloseKey
SHGetFolderPathA
ShellExecuteA
CoInitializeEx
StrStrIA
StrCmpNIA
StrToIntA
StrChrA
PathFindFileNameA
StrCmpIW
StrStrA
InternetSetStatusCallbackA
InternetQueryOptionA
InternetSetOptionA
InternetAttemptConnect
DeleteUrlCacheEntry
AccessibleObjectFromPoint
SetClipboardData
OpenClipboard
EmptyClipboard
GetClipboardData
CloseClipboard
GetWindow
SendMessageTimeoutA
SetWindowLongA
WindowFromPoint
GetTopWindow
GetCursorPos
GetWindowDC
CreateCompatibleBitmap
GetDIBits
CreateDIBSection
GetStockObject
CreatePen
Ellipse
BitBlt
GetSaveFileNameA
GetOpenFileNameA
IsTextUnicode
RegSetValueExA
RegQueryValueExA
RegEnumKeyExA
RegCreateKeyA
RegOpenKeyExA
RegDeleteValueA
RegSetValueExW
OpenProcessToken
GetUserNameW
GetTokenInformation
LookupPrivilegeValueA
ConvertStringSecurityDescriptorToSecurityDescriptorA
AdjustTokenPrivileges
InitiateSystemShutdownExA
CryptReleaseContext
CryptAcquireContextA
CryptImportKey
CryptCreateHash
CryptDestroyKey
CryptVerifySignatureA
CryptDestroyHash
CryptHashData
CredFree
CredEnumerateA
RegEnumValueA
RegOpenKeyA
CryptGetHashParam
SHGetFolderPathW
CoCreateInstance
OleInitialize
CoTaskMemFree
StgOpenStorage
CertOpenSystemStoreA
CertCloseStore
CertEnumCertificatesInStore
PFXExportCertStoreEx
CryptUnprotectData
NetUserGetInfo
StrStrIW
StrRChrIA
PathFindFileNameW
HttpSendRequestExA
HttpQueryInfoA
InternetConnectA
InternetQueryDataAvailable
InternetReadFile
InternetWriteFile
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
HttpSendRequestA
InternetOpenA
InternetCloseHandle
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
FindCloseUrlCache
InterlockedExchange
lstrcmpiA
DeleteFileA
lstrlenA
lstrcatA
lstrcpyA
ExitProcess
GetModuleHandleA
lstrcpyW
GetLastError
SetLastError
GetModuleFileNameA
GetCurrentThreadId
GetCurrentProcessId
IsBadReadPtr
GetProcAddress
LoadLibraryA
TlsGetValue
TlsSetValue
GetModuleFileNameW
TlsAlloc
TlsFree
TerminateThread
Sleep
loseHandle
CreateThread
IsBadWritePtr
OpenProcess
TerminateProcess
OpenEventA
IsBadCodePtr
SetEvent
GetSystemDirectoryA
CreateFileA
GetWindowsDirectoryA
lstrcmpA
WaitForSingleObject
SignalObjectAndWait
GetTickCount
CreateEventA
ResetEvent
SetInformationJobObject
CreateJobObjectA
MoveFileExA
GetTempPathA
ResumeThread
WinExec
KERNEL32.dll
_except_handler3
MSVCRT.dll
LocalAlloc
LocalFree
FreeLibrary
RaiseException
InitializeCriticalSection
WideCharToMultiByte
LeaveCriticalSection
MultiByteToWideChar
lstrlenW
EnterCriticalSection
DeleteCriticalSection
HeapReAlloc
HeapAlloc
HeapFree
VirtualFree
HeapCreate
VirtualAlloc
SetFilePointer
ExpandEnvironmentStringsA
lstrcatW
GetFileSize
WriteFile
ReadFile
CreateFileW
FindFirstFileA
RemoveDirectoryA
FindClose
FindNextFileA
SetUnhandledExceptionFilter
GetCurrentProcess
Process32First
GetModuleHandleW
ReadProcessMemory
VirtualProtectEx
Process32Next
lstrcmpiW
CreateToolhelp32Snapshot
WriteProcessMemory
SetErrorMode
GetVolumeInformationA
GetSystemInfo
GetVersionExA
MapViewOfFile
UnmapViewOfFile
CreateFileMappingA
InterlockedIncrement
InterlockedDecrement
VirtualProtect
GetLocalTime
GlobalSize
GlobalLock
GlobalAlloc
GlobalUnlock
GlobalFree
GetCurrentDirectoryA
VirtualFreeEx
VirtualAllocEx
SuspendThread
GetThreadContext
CreateRemoteThread
GetWindowsDirectoryW
allNamedPipeA
onnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
FlushFileBuffers
CreateNamedPipeA
GetPrivateProfileStringA
GetPrivateProfileIntA
SetCurrentDirectoryA
GetPrivateProfileSectionNamesA
