| sub_outside(): KERNEL32.GetModuleHandleA KERNEL32.DeleteFileA NTDLL.RtlGetLastWin32Error KERNEL32.ExitProcess KERNEL32.Sleep WININET.InternetGetConnectedState | 
| sub_3143A017(0031): KERNEL32.LoadLibraryA | 
| sub_31421FA3(09ff): MSVCRT.memset KERNEL32.CreateProcessA KERNEL32.CloseHandle | 
| sub_314228DB(12a2): ADVAPI32.RegCreateKeyExA ADVAPI32.RegSetValueExA ADVAPI32.RegCloseKey | 
| sub_31421F52(1a20): KERNEL32.CreateThread KERNEL32.CloseHandle | 
| sub_3142284D(2057): ADVAPI32.RegOpenKeyExA ADVAPI32.RegDeleteValueA ADVAPI32.RegCloseKey | 
| sub_3142172F(23eb): ADVAPI32.CryptAcquireContextA ADVAPI32.CryptImportKey | 
| sub_3142177E(2986): ADVAPI32.CryptDestroyKey ADVAPI32.CryptReleaseContext | 
| sub_31432017(3054): KERNEL32.LoadLibraryA | 
| sub_3142207E(3338): WS2_32.recv MSVCRT.strstr WS2_32.send USER32.wsprintfA MSVCRT.strlen KERNEL32.Sleep KERNEL32.InterlockedIncrement WS2_32.shutdown WS2_32.closesocket KERNEL32.ExitThread "GET" "HTTP/1.1 200 OK\r\nContent-Type: applicat"... "Content-Length: %u\r\n\r\n" "HTTP/1.1 200 OK\r\n\r\n\r\n" | 
| sub_31421F38(336c): KERNEL32.CreateThread | 
| sub_31422CA5(3cd5): KERNEL32.VirtualAlloc | 
| sub_31421D68(4891): KERNEL32.LoadLibraryA KERNEL32.GetProcAddress KERNEL32.GetCurrentProcess "advapi32" "OpenProcessToken" "LookupPrivilegeValueA" "AdjustTokenPrivileges" "SeDebugPrivilege" | 
| sub_31421316(48f8): MSVCRT.strchr "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" | 
| sub_314221C4(52a4): KERNEL32.CreateFileA KERNEL32.ExitThread KERNEL32.GetFileSize KERNEL32.ReadFile KERNEL32.CloseHandle WS2_32.socket MSVCRT.memset MSVCRT.rand WS2_32.ntohs WS2_32.bind WS2_32.listen WS2_32.accept "Cryptographic Service" "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"... | 
| sub_314211A0(531a): WININET.InternetOpenA KERNEL32.GetSystemDirectoryA KERNEL32.lstrcatA KERNEL32.lstrlenA KERNEL32.CreateFileA WININET.InternetOpenUrlA KERNEL32.CloseHandle WININET.InternetReadFile KERNEL32.WriteFile "Mozilla/4.0 (compatible; MSIE 6.0; Wind"... | 
| sub_314223B2(6c65): KERNEL32.CreateEventA KERNEL32.LoadLibraryA ADVAPI32.AbortSystemShutdownA KERNEL32.Sleep "u10x" "u11x" "u12x" "u13x" "u14x" "u15x" "u16x" "u17x" "u18x" "u8" "u9" "u10" "u11" "u12" "u13" "u13i" "u14" "u15" "u16" "u17" "u18" "u19" "u19x" "ws2_32" "wininet" "msvcrt" "advapi32" "user32" "uterm19" | 
| sub_3142179A(7512): ADVAPI32.CryptCreateHash ADVAPI32.CryptHashData ADVAPI32.CryptVerifySignatureA ADVAPI32.CryptDestroyHash | 
| sub_314229E6(7561): "Windows Security Manager" "Disk Defragmenter" "System Restore Service" "Bot Loader" "WinUpdate" "Windows Update Service" "avserve.exe" "avserve2.exeUpdate Service" "MS Config v13" "Windows Update" "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"... | 
| sub_31422882(75ba): ADVAPI32.RegOpenKeyExA ADVAPI32.RegQueryValueExA ADVAPI32.RegCloseKey | 
| sub_314225C3(7a74): MSVCRT.rand KERNEL32.InterlockedIncrement KERNEL32.Sleep | 
| sub_31421DF0(7e12): KERNEL32.GetModuleHandleA KERNEL32.GetProcAddress USER32.FindWindowA USER32.GetForegroundWindow USER32.GetWindowThreadProcessId KERNEL32.OpenProcess KERNEL32.WriteProcessMemory KERNEL32.CloseHandle "kernel32" "VirtualAllocEx" "CreateRemoteThread" "uterm19" | 
| sub_31422038(81da): WININET.InternetGetConnectedState | 
| sub_3142239E(82c5): KERNEL32.WaitForSingleObject | 
| sub_31422068(85d4): MSVCRT.rand | 
| sub_3142292E(87a6): KERNEL32.lstrlenA KERNEL32.CreateToolhelp32Snapshot MSVCRT.memset KERNEL32.Process32First MSVCRT.strstr KERNEL32.OpenProcess KERNEL32.TerminateProcess KERNEL32.Process32Next | 
| sub_31422B67(99c3): KERNEL32.GetModuleFileNameA MSVCRT.rand KERNEL32.lstrlenA KERNEL32.lstrcpyA KERNEL32.lstrcmpiA "Software\\Microsoft\\Wireless" "ID" "fgnsdrjyrsert" "ID" "Cryptographic Service" "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"... "1" "Client" "Client" | 
| sub_31422712(a67f): WS2_32.inet_ntoa KERNEL32.lstrcpyA USER32.wsprintfA KERNEL32.lstrlenA "http://%s:%d/x.exe" | 
| sub_31421F29(a71a): KERNEL32.CreateMutexA | 
| sub_31422CB9(a71a): KERNEL32.VirtualFree | 
| sub_31421801(abb0): WS2_32.socket WS2_32.inet_ntoa KERNEL32.lstrcpynA USER32.wsprintfA MSVCRT.memcpy MSVCRT.strlen MSVCRT.memset WS2_32.ntohs WS2_32.connect KERNEL32.Sleep WS2_32.send WS2_32.recv KERNEL32.lstrlenA WS2_32.shutdown WS2_32.closesocket | 
| sub_3142A017(b158): KERNEL32.LoadLibraryA | 
| sub_314215C7(b40f): KERNEL32.GetLocaleInfoA USER32.wsprintfA WININET.InternetOpenA WININET.InternetOpenUrlA WININET.InternetReadFile WININET.InternetCloseHandle "http://%s/index.php?id=%s&scn=%d&inf=%d"... "http://%s" "Mozilla/4.0 (compatible; MSIE 6.0; Wind"... | 
| sub_31421FF9(b95f): WS2_32.gethostname WS2_32.WSAGetLastError WS2_32.gethostbyname | 
| sub_31421EFB(bc62): KERNEL32.GetTickCount MSVCRT.srand | 
| sub_31422A9B(bff8): KERNEL32.DeleteFileA KERNEL32.GetSystemDirectoryA MSVCRT.rand KERNEL32.lstrcatA KERNEL32.CopyFileA KERNEL32.lstrlenA KERNEL32.CloseHandle KERNEL32.WinExec KERNEL32.Sleep KERNEL32.ExitProcess "Cryptographic Service" "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"... | 
| sub_31421422(df51): MSVCRT.strstr KERNEL32.lstrlenA MSVCRT.strchr "zer0" | 
| sub_31421F73(e56c): MSVCRT.rand | 
| sub_31422308(e965): WS2_32.WSAStartup | 
| sub_3142255F(eaaa): MSVCRT.rand KERNEL32.Sleep | 
| sub_3142264B(ed82): MSVCRT.rand KERNEL32.InterlockedIncrement KERNEL32.Sleep KERNEL32.ExitThread | 
| sub_3142204E(eebf): KERNEL32.OpenEventA KERNEL32.SetEvent | 
| sub_314216A2(f36a): KERNEL32.InterlockedExchange MSVCRT.rand KERNEL32.Sleep |