Avatar Rootkit NETbotnet strings - CRIME

File: Avatar_Rootkit_NETbotnet_32d6644c5ea66e390070d3dc3401e54b_unpacked
MD5:  32d6644c5ea66e390070d3dc3401e54b
Size: 129024





Ascii Strings:
---------------------------------------------------------------------------
DchS
!This program cannot be run in DOS mode.
.text
`.rdata
@.data
.rsrc
@.reloc
RWV3
h`;@
P<VW
t}VhXD@
5(@@
hPD@
QhHD@
h&+@
Qh`D@
E_.\
7PFV
SSQP
CF;]
t$Ht
Hu-Q
_^[]
h`;@
,SVW
jZjA
jzja
j9j0
 t7;
SQRVW
>MZun
_^ZY[
RhxS-&
VC20XC00U
SVWU
tYVU
t?xH
]_^[
SVWUj
]_^[
;t$(v(
UQPXY]Y[
t+@;
Global\{%s}`000000000000000000000000000000017
Global\{%s}`000000000000000000000000000000016
Global\{%s}`000000000000000000000000000000015
Global\{%s}`000000000000000000000000000000014
Global\{%s}`000000000000000000000000000000013
Global\{%s}`000000000000000000000000000000012
Global\{%s}`000000000000000000000000000000011
Global\{%s}`000000000000000000000000000000010
Global\{%s}`000000000000000000000000000000009
Global\{%s}`000000000000000000000000000000008
Global\{%s}`000000000000000000000000000000007
Global\{%s}`000000000000000000000000000000006
Global\{%s}`000000000000000000000000000000005
Global\{%s}`000000000000000000000000000000004
Global\{%s}`000000000000000000000000000000003
Global\{%s}`000000000000000000000000000000002
Global\{%s}`000000000000000000000000000000001
ComSpec
 >> NUL
/c del
ntdll.dll
%#*+@|~
LocalAlloc
LocalFree
RtlUnwind
LoadLibraryA
GetModuleHandleA
CloseHandle
ReadFile
GetFileSize
CreateFileW
GetEnvironmentVariableA
lstrcatA
lstrcpyA
GetShortPathNameA
GetModuleFileNameA
InterlockedExchange
WaitForSingleObject
CreateEventA
GetModuleFileNameW
VirtualProtect
IsWow64Process
GetCurrentProcess
HeapCreate
HeapFree
HeapAlloc
KERNEL32.dll
memcpy
wcsrchr
wcsstr
NtProtectVirtualMemory
NtTerminateProcess
_snwprintf
_wcslwr
memset
strrchr
sprintf
RtlCompareMemory
ntdll.dll
NtQueryVirtualMemory
RpcStringFreeA
UuidToStringA
RPCRT4.dll
ShellExecuteA
SHELL32.dll
yore
%w):,
rere ]-
`,o'5
Mplor
@xplo
jrere
iore
`xplo
rere ]
`,o'5
Mplor
@xplo
lore
oxpl
*3re
jrere
sere
ulore
gxpl
lrer
erex(Auc%r
<}/r0"
Elore
]plorjMbs
jrere
vere
ulore
Vw.6{,3b9
&&UB
KNNx
|_Q|
@n'qr
`X@t&
Z0<.3
)5WI
[oU;c
Rri8
)Uma%
dO%,
**)^!
3"h9
IylY
,SHc
_8j9
XO?Y
BaPg
w-*M
Vu7-
w,`h(
$ Zh
75'\E
a+SbM
\z,D
`D9n
7Nrc
ssUp
U,NCx
K(gIWV}
K#QL
7AXnB
+}AH
FWAQ
tAT&
2U%B
@6W@
wkO3
\Z[W
%j|7'yS
ur-S
Fk$XQ
4)a]
^8Mdn
xWc6
-Pev
Acw$
:uFE
v+)#
"75]z1 E]
,6Dm
=oMuM8'
NKD/
\%%B


--------------------------------------------------------snip
ZF3f
Y0yZ
<#<)<5<;<A<G<a<g<q<
<:=E={>
g0m0
2I2O2U2[2e2
263;3@3\3
6(7=8g9
=5=Q=
>B>t>{>
>c?h?
f1k1
1|2S3@;F;L;R;d<j<p<
<K=e=n=
>Z>n>~>
><?H?U?{?
1$1,141<1D1

Unicode Strings:
---------------------------------------------------------------------------
\KernelObjects\%SCondition`0000000000000
%S`00001
 %suxtheme.dll;%scryptbase.dll
system32