| sub_outside():
	KERNEL32.GlobalFindAtomA
	KERNEL32.GlobalDeleteAtom
 | 
| sub_405AAC(033b):
	KERNEL32.GetTickCount
	KERNEL32.DeleteFileA
	KERNEL32.CreateFileA
	KERNEL32.GetFileSize
	KERNEL32.CloseHandle
	KERNEL32.GetSystemDirectoryA
	KERNEL32.GetWindowsDirectoryA
	KERNEL32.WinExec
	KERNEL32.LocalFree
	"C:\\WINDOWS\\system32"
	"%s\\%s.dat"
	"http://%s"
	"/"
	"/wres.php"
	"ifc"
	"Software\\Microsoft\\Windows"
	"?ifc=%u"
	"q"
	"KKQHOOK"
	"ifc"
	"Software\\Microsoft\\Windows"
	"wpst	"
	"ofstkkq"
	"Software\\Microsoft\\Windows"
	"q"
	"KKQHOOK"
	"ofstkkq"
	"Software\\Microsoft\\Windows"
	"ofstkkqc"
	"Software\\Microsoft\\Windows"
	"C:\\WINDOWS\\system32"
	"%s\\%s.tmp"
	"q"
	"KKQHOOK"
	"ofstkkqc"
	"Software\\Microsoft\\Windows"
	"?dmp=2"
	"q"
	"KKQHOOK"
	":%02u"
	"%s\\cmd.pif"
	"\\cmd.exe"
	"%s\\command.pif"
	"\\command.com"
	"%s /C %s"
	"wupd	"
	"C:\\WINDOWS\\system32"
	"%s\\%s.dat"
	"q"
	"xd2"
	"newver"
 | 
| sub_404117(05e9):
	KERNEL32.lstrlenW
	KERNEL32.WideCharToMultiByte
 | 
| sub_40251A(0c86):
	KERNEL32.GlobalFindAtomA
	KERNEL32.GlobalDeleteAtom
	":F"
 | 
| sub_402AAB(1307):
	ADVAPI32.RegCreateKeyExA
	ADVAPI32.RegSetValueExA
	ADVAPI32.RegCloseKey
 | 
| sub_4054DD(1787):
	USER32.GetWindow
	USER32.GetClassNameA
 | 
| sub_404FCE(1b1a):
	KERNEL32.CreateFileA
	KERNEL32.SetFilePointer
	KERNEL32.WriteFile
	KERNEL32.CloseHandle
	"\r\n"
 | 
| sub_401A00(2155):
	ADVAPI32.GetSecurityInfo
	ADVAPI32.SetEntriesInAclA
	ADVAPI32.SetSecurityInfo
	KERNEL32.CloseHandle
	"\\device\\physicalmemory"
	"CURRENT_USER"
 | 
| sub_40530C(2405):
	KERNEL32.VirtualAlloc
 | 
| sub_4014E2(24c3):
	KERNEL32.CreateFileA
	KERNEL32.GetFileSize
	KERNEL32.LocalAlloc
	KERNEL32.ReadFile
	KERNEL32.CloseHandle
 | 
| sub_403659(2c36):
	KERNEL32.LocalFree
	KERNEL32.lstrlenA
	KERNEL32.LocalAlloc
	KERNEL32.GetTempPathA
	KERNEL32.CreateFileA
	KERNEL32.WriteFile
	KERNEL32.CloseHandle
	".htm"
	""
	""
	"%s%u"
	""
	""
	"f%.3u"
	""
	""
	""
	""
 | 
| sub_40523F(3e50):
	KERNEL32.GetVersion
	KERNEL32.CreateFileA
	KERNEL32.WriteFile
	KERNEL32.CloseHandle
	KERNEL32.GetSystemDirectoryA
	KERNEL32.DeleteFileA
	KERNEL32.WinExec
	"c:\\boot.sys"
	"%s\\cmd.pif"
	"\\cmd.exe /C	start c:\\boot.sys"
 | 
| sub_404F53(3f2c):
	KERNEL32.CreateThread
	KERNEL32.CloseHandle
 | 
| sub_405350(3f78):
	NTDLL.RtlZeroMemory
 | 
| sub_4026EE(4366):
	KERNEL32.GetSystemDirectoryA
	KERNEL32.GetVolumeInformationA
	"%08X"
 | 
| sub_401326(4a10):
	ADVAPI32.RegOpenKeyExA
	ADVAPI32.RegQueryValueExA
	ADVAPI32.RegCloseKey
 | 
| sub_402D21(5902):
	"/*	"
	"%s%c"
	" */"
	"var %c%c%c =	%u;"
	"//%c%c%c\r\n"
	"\r\n"
 | 
| sub_4024E0(59bc):
	KERNEL32.GlobalAddAtomA
	":F"
 | 
| sub_40553F(5a7a):
	USER32.ShowWindow
	USER32.GetWindowRect
	USER32.CreateWindowExA
	GDI32.CreateFontA
	USER32.SendMessageA
	USER32.GetWindowLongA
	USER32.SetWindowLongA
	USER32.SetFocus
	"DocObject"
	"Explorer"
	"KKQHOOK"
	"\n   Authorization Failed."
	"STATIC"
	"STATIC"
	"COMBOBOX"
	"COMBOBOX"
	"%.2u"
	"20%.2u"
	"Your card number"
	"STATIC"
	"Expiration date"
	"STATIC"
	"ATM PIN-Code"
	"STATIC"
	"Unable to authorize. ATM PIN-Code is re"...
	"STATIC"
	"Please make corrections and try again."
	"STATIC"
	"EDIT"
	"EDIT"
	"Click	Once To	Continue"
	"BUTTON"
 | 
| sub_404184(5b96):
	"{9BA05972-F6A8-11CF-A442-00A0C90A8F39}"
 | 
| sub_40129C(5c76):
	KERNEL32.CreateFileA
	KERNEL32.ReadFile
	KERNEL32.CloseHandle
 | 
| sub_401565(5d48):
	KERNEL32.lstrlenA
 | 
| sub_403459(69bd):
	KERNEL32.CreateFileA
	KERNEL32.SetFilePointer
	KERNEL32.WriteFile
	KERNEL32.CloseHandle
 | 
| sub_40519A(6af3):
	KERNEL32.GetSystemDirectoryA
	KERNEL32.CreateFileA
	KERNEL32.GetFileTime
	KERNEL32.SetFileTime
	KERNEL32.CloseHandle
	"\\kernel32.dll"
 | 
| sub_40107A(6c44):
	NTDLL.RtlUnwind
 | 
| sub_403BC5(7c83):
	KERNEL32.GetVersion
	"SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
	"1601"
	"1601"
	"SOFTWARE\\Policies\\Microsoft\\Windows\\Cur"...
	"1601"
	"1601"
	"yes"
	"BrowseNewProcess"
	".DEFAULT\\SOFTWARE\\Microsoft\\Windows\\Cur"...
	"%s\\Software\\Microsoft\\Internet Explorer"...
	"iexplore.exe"
	"GlobalUserOffline"
	"Software\\Microsoft\\Windows\\CurrentVersi"...
	"AppEvents\\Schemes\\Apps\\Explorer\\Navigat"...
	"AppEvents\\Schemes\\Apps\\Explorer\\Activat"...
 | 
| sub_406316(8045):
	KERNEL32.OpenMutexA
	KERNEL32.CloseHandle
	"KKQHOOK_28"
 | 
| sub_40409C(8306):
	KERNEL32.LocalFree
	KERNEL32.DeleteFileA
	KERNEL32.TerminateProcess
	KERNEL32.CloseHandle
 | 
| sub_402638(834b):
	KERNEL32.GlobalAddAtomA
	"#P0"
 | 
| sub_40284A(84d7):
	KERNEL32.CreateFileA
	KERNEL32.WriteFile
	KERNEL32.CloseHandle
	"{%04X%04X-%04X-%04X-%04X-%04X%04X%04X}"
	"C:\\WINDOWS\\system32"
	"%s\\%s.dll"
	"CLSID\\%s\\InProcServer32"
	"Apartment"
	"ThreadingModel"
	"Software\\Microsoft\\Windows\\CurrentVersi"...
 | 
| sub_402D13(898f):
	"blind_user"
 | 
| sub_403D8E(8aec):
	KERNEL32.InterlockedIncrement
	KERNEL32.LocalFree
	KERNEL32.ExpandEnvironmentStringsA
	KERNEL32.CreateProcessA
	KERNEL32.CloseHandle
	USER32.FindWindowA
	KERNEL32.Sleep
	USER32.GetWindowTextA
	KERNEL32.CopyFileA
	KERNEL32.DeleteFileA
	KERNEL32.lstrlenA
	"Path"
	"Software\\Microsoft\\IE Setup\\Setup"
	"\\Iexplore.exe "
	"%s%u - Microsoft Internet Explorer"
	"IEFrame"
	"X-okRecv11"
	" "
	"%s%c"
	"%s%c"
	"%s%c"
	""
	""
	""
	""
	""
	""
	""
	""
	""
	""
	"\r\n"
 | 
| sub_4032E2(920d):
	ADVAPI32.GetSidIdentifierAuthority
	ADVAPI32.GetSidSubAuthorityCount
	USER32.wsprintfA
	ADVAPI32.GetSidSubAuthority
	"S-%lu-"
	"0x%02hx%02hx%02hx%02hx%02hx%02hx"
	"%lu"
	"-%lu"
 | 
| sub_401EAF(9730):
	KERNEL32.GetVersion
	KERNEL32.LoadLibraryA
	KERNEL32.GetProcAddress
	KERNEL32.IsBadReadPtr
	KERNEL32.GlobalMemoryStatus
	KERNEL32.CloseHandle
	KERNEL32.GetModuleHandleA
	NTDLL.RtlZeroMemory
	KERNEL32.VirtualQuery
	KERNEL32.IsBadWritePtr
	"kernel32.dll"
 | 
| sub_4019A1(9d47):
	KERNEL32.GetModuleHandleA
	KERNEL32.GetProcAddress
	"ntdll.dll"
	"RtlInitUnicodeString"
	"NtUnmapViewOfSection"
	"NtMapViewOfSection"
	"RtlNtStatusToDosError"
 | 
| sub_4034AD(a442):
	WININET.FindFirstUrlCacheEntryA
	WININET.FindNextUrlCacheEntryA
	"?"
	"*.*"
 | 
| sub_4067EE(a840):
	USER32.SetFocus
	USER32.CallWindowProcA
 | 
| sub_404BA0(a9e0):
	" %X:"
	":"
	" "
	".google."
	".google.adware"
 | 
| sub_40479E(acb5):
	"|"
 | 
| sub_4033E8(b268):
	KERNEL32.GetCurrentProcessId
	KERNEL32.OpenProcess
	ADVAPI32.OpenProcessToken
	KERNEL32.CloseHandle
	KERNEL32.LocalAlloc
	ADVAPI32.GetTokenInformation
	KERNEL32.LocalFree
 | 
| sub_402613(b558):
	KERNEL32.GlobalAddAtomA
 | 
| sub_401379(b976):
	ADVAPI32.RegCreateKeyExA
	ADVAPI32.RegSetValueExA
	ADVAPI32.RegCloseKey
 | 
| sub_4043B0(bd79):
	USER32.GetForegroundWindow
	"value"
	"name"
 | 
| sub_404211(bdd4):
	USER32.GetWindowTextA
	"Microsoft Internet Explorer"
 | 
| sub_402CB2(cedc):
	KERNEL32.GetCurrentThreadId
	USER32.GetThreadDesktop
	USER32.CreateDesktopA
	USER32.SetThreadDesktop
	"blind_user"
 | 
| sub_401B3E(d6a3):
	KERNEL32.GetModuleHandleA
	KERNEL32.GetProcAddress
	KERNEL32.GetCurrentProcessId
 | 
| sub_4035B2(dfca):
	KERNEL32.lstrlenA
	KERNEL32.LocalAlloc
	"%s%c%c"
 | 
| sub_405322(e092):
	KERNEL32.VirtualFree
 | 
| sub_4068A8(e0aa):
	USER32.GetWindowRect
	USER32.MoveWindow
	USER32.PostQuitMessage
	USER32.DestroyWindow
	GDI32.SetTextColor
	GDI32.SetBkColor
	GDI32.CreateBrushIndirect
	USER32.GetWindowTextA
	USER32.MessageBoxA
	USER32.SetFocus
	KERNEL32.CreateFileA
	KERNEL32.SetFilePointer
	KERNEL32.WriteFile
	KERNEL32.CloseHandle
	USER32.ShowWindow
	USER32.DefWindowProcA
	"DocObject"
	"Explorer"
	"%s"
	"Please, select Expiration Month"
	"%s %s"
	"Please, select Expiration Year"
	"%s-%s"
	"Unable to authorize"
	"Unable to authorize -	INCORRECT PIN. Pl"...
	"%s %s"
	"\r\n"
 | 
| sub_402B0D(e378):
	KERNEL32.GetModuleFileNameA
	KERNEL32.GetVersionExA
	KERNEL32.GetSystemDirectoryA
	KERNEL32.GetWindowsDirectoryA
	KERNEL32.DeleteFileA
	KERNEL32.CreateFileA
	KERNEL32.WriteFile
	KERNEL32.CloseHandle
	KERNEL32.WinExec
	"%s\\cmd.pif"
	"\\cmd.exe"
	"%s\\command.pif"
	"\\command.com"
	":loop\r\n@del	%s>nul\r\n@if exist %s goto l"...
	"%s /C %s"
 | 
| sub_402F2F(e79e):
	" |