sub_outside(): MSVCRT._CxxThrowException KERNEL32.CreateFileA NTDLL.RtlGetLastWin32Error KERNEL32.CreateFileMappingA KERNEL32.MapViewOfFile KERNEL32.UnmapViewOfFile KERNEL32.CloseHandle KERNEL32.ReadFile NTDLL.RtlSetLastWin32Error MSVCRT.memset SHELL32.SHFileOperationA KERNEL32.GetCurrentDirectoryA KERNEL32.RemoveDirectoryA KERNEL32.SetFileAttributesA KERNEL32.GetFileAttributesA MSVCRT.fopen MSVCRT.malloc MSVCRT.fread MSVCRT.fclose MSVCRT.free ADVAPI32.RegCreateKeyExA ADVAPI32.RegSetValueExA ADVAPI32.RegCloseKey MSVCRT.strlen MSVCRT.strncpy MSVCRT.strcpy MSVCRT.__set_app_type MSVCRT.__p__fmode MSVCRT.__p__commode MSVCRT.__setusermatherr MSVCRT._initterm MSVCRT.__getmainargs KERNEL32.GetStartupInfoA KERNEL32.GetModuleHandleA MSVCRT.exit MSVCRT._XcptFilter MSVCRT._exit |
sub_42E71B(054d): KERNEL32.CloseHandle |
sub_427270(0932): ADVAPI32.RegCreateKeyExA ADVAPI32.RegSetValueExA ADVAPI32.RegCloseKey |
sub_431BD4(09e7): MSVCRT.wcslen KERNEL32.WideCharToMultiByte NTDLL.RtlGetLastWin32Error |
sub_42692B(0aef): "\\" "\\" "\\" "\\" |
sub_42522A(0d44): KERNEL32.Sleep |
sub_424606(0f3d): MSVCRT._EH_prolog MSVCRT.strlen MSVCRT.strcpy MSVCRT.strstr MSVCRT.strncpy MSVCRT.strcat KERNEL32.Sleep |
sub_43093B(13d8): MSVCRT.strcpy MSVCRT.strcat KERNEL32.CreateDirectoryA |
sub_4259AE(1435): MSVCRT._EH_prolog KERNEL32.Sleep "W" "R" "i" "," |
sub_422BB1(1645): MSVCRT._EH_prolog |
sub_422680(1652): MSVCRT._mbsnbcpy |
sub_429039(1b44): KERNEL32.lstrcpyA KERNEL32.lstrlenA USER32.wsprintfA MSVCRT.strcpy MSVCRT.memset MSVCRT._strnicmp "old" |
sub_42852F(1b7f): MSVCRT.sprintf KERNEL32.lstrcpyA KERNEL32.Sleep KERNEL32.lstrcatA KERNEL32.lstrcpynA NTDLL.RtlGetLastWin32Error MSVCRT.malloc MSVCRT.memset MSVCRT.free "%d" "&x=" "&i=" "&p=" "&cmd=" "&GUID=" "&version=" "htt" "p://" "wr.mc" "bo" "o" ".co" "m/r" "eta" "dpu." "ph" "p?" |
sub_42EB91(2398): MSVCRT.malloc MSVCRT.free |
sub_430A42(2439): MSVCRT.strcpy KERNEL32.CreateFileA KERNEL32.WriteFile KERNEL32.GetFileType KERNEL32.SetFileTime KERNEL32.CloseHandle "../" "..\\" |
sub_427761(25ef): ADVAPI32.RegCreateKeyExA ADVAPI32.RegSetValueExA ADVAPI32.RegCloseKey |
sub_42678F(25ef): ADVAPI32.RegCreateKeyExA ADVAPI32.RegSetValueExA ADVAPI32.RegCloseKey |
sub_431B5F(2992): KERNEL32.lstrlenA KERNEL32.MultiByteToWideChar NTDLL.RtlGetLastWin32Error |
sub_427B23(2c3b): ADVAPI32.RegOpenKeyExA ADVAPI32.RegQueryValueExA ADVAPI32.RegCloseKey |
sub_42B1FD(2f12): MSVCRT.memcpy "invalid block type" "invalid stored block lengths" "too many length or distance symbols" "invalid bit length repeat" |
sub_4226DB(338e): KERNEL32.CreateFileA KERNEL32.WriteFile KERNEL32.CloseHandle KERNEL32.GlobalFree |
sub_430867(356f): MSVCRT.memset |
sub_426584(3845): "\\" "\\" "\\" "\\" |
sub_4224B5(39db): MSVCRT.ftell MSVCRT.fseek |
sub_423489(3b5d): MSVCRT._EH_prolog MSVCRT.sprintf MSVCRT.atol MSVCRT.time KERNEL32.lstrcpyA MSVCRT.atoi MSVCRT._strnicmp MSVCRT.strcpy MSVCRT.strcat "ParseXML()\n" "%s" "configversion" "WR\\configversion" "paid" "WR\\p" "nextupdate" "WR\\nextupdate" "download" "%s" "rootkey" "key" "keyvalue" "requiredfile" "filename" "parameters" "SaveAs" "SavePath" "hide" "execute" "wait" "newupdater" "version" "identifier" "crc" "windows" "%s" |
sub_42146A(3c3c): MSVCRT._CxxThrowException KERNEL32.CreateFileA NTDLL.RtlGetLastWin32Error KERNEL32.ReadFile KERNEL32.CloseHandle |
sub_42DC35(3cf8): MSVCRT.calloc |
sub_42DD45(3ea0): "1.1.3" |
sub_42948F(4060): MSVCRT.time KERNEL32.Sleep |
sub_4230F8(4085): MSVCRT._EH_prolog KERNEL32.Sleep KERNEL32.lstrcpynA MSVCRT.sprintf MSVCRT.strcat MSVCRT.strcpy |
sub_42527B(410c): KERNEL32.Sleep |
sub_42ED22(459c): MSVCRT.malloc |
sub_425D94(4766): MSVCRT._EH_prolog KERNEL32.lstrcpyA KERNEL32.lstrlenA USER32.wsprintfA MSVCRT.strcpy MSVCRT.memset MSVCRT._strnicmp MSVCRT.strlen KERNEL32.Sleep "affID" |
sub_421ACF(48e4): MSVCRT.memset MSVCRT.sprintf KERNEL32.lstrcatA "8B" "8B" "8B" |
sub_425B2E(4fe3): MSVCRT._EH_prolog KERNEL32.Sleep MSVCRT._mbscmp "W" "R" "cmd" "0" |
sub_422F1F(52c2): KERNEL32.lstrcpyA MSVCRT.sprintf KERNEL32.lstrcatA KERNEL32.Sleep "&retry=%d" |
sub_424485(5608): MSVCRT._EH_prolog "download" |
sub_424B41(5af9): MSVCRT._EH_prolog KERNEL32.Sleep KERNEL32.lstrcpyA KERNEL32.lstrlenA KERNEL32.lstrcatA KERNEL32.GetWindowsDirectoryA KERNEL32.GetVolumeInformationA USER32.wsprintfA USER32.CharUpperA KERNEL32.GetSystemDefaultLCID KERNEL32.GetLocaleInfoA "67F9158B" "39" "67F9198B" "0A887397A5F240675EEF4D35019B6883A6FA5D6"... "67F9158B" "-" "-" "0A887397A5F240675EEF4D35019B6883A6FA5D6"... "-000" "0-00" "-" "-" "0A887397A5F240675EEF4D35019B6883A6FA5D6"... "000" "001" "}" |
sub_42A2DE(605a): "invalid literal/length code" "invalid distance code" |
sub_4227A4(638c): KERNEL32.GlobalFree KERNEL32.LoadLibraryA KERNEL32.GetProcAddress KERNEL32.GlobalAlloc KERNEL32.GlobalReAlloc MSVCRT.memcpy KERNEL32.FreeLibrary "wininet.dll" "InternetOpenUrlA" "InternetCloseHandle" "InternetReadFile" |
sub_424AAF(6792): MSVCRT._EH_prolog |
sub_4221DB(6c26): MSVCRT.memset KERNEL32.FindFirstFileA KERNEL32.FindNextFileA KERNEL32.FindClose |
sub_429672(70c5): KERNEL32.Sleep |
sub_42FF37(741f): MSVCRT.free |
sub_426B19(7482): ADVAPI32.RegOpenKeyExA ADVAPI32.RegQueryValueExA ADVAPI32.RegCloseKey |
sub_42DEC5(74b1): "unknown compression method" "invalid window size" "incorrect header check" "need dictionary" "incorrect data check" |
sub_424152(792e): MSVCRT._EH_prolog |
sub_42F59A(7c4d): MSVCRT.strlen MSVCRT.strcpy |
sub_42E77F(7f88): KERNEL32.SetFilePointer |
sub_424348(7fd1): MSVCRT._EH_prolog |
sub_4301DC(858e): MSVCRT.memcpy MSVCRT.strcpy KERNEL32.DosDateTimeToFileTime MSVCRT.strcmp "UT" |
sub_42DC5F(86fe): MSVCRT.free |
sub_428380(87ee): USER32.EqualRect |
sub_425642(8c0e): MSVCRT._EH_prolog KERNEL32.Sleep MSVCRT.time "WR" "nex" "tup" "date" |
sub_424217(8cac): KERNEL32.InterlockedDecrement |
sub_422296(8f2d): KERNEL32.GetCurrentDirectoryA MSVCRT.strlen MSVCRT.strcpy KERNEL32.SetCurrentDirectoryA |
sub_42578F(955b): MSVCRT._EH_prolog KERNEL32.Sleep "WR" "p" |
sub_422ECA(95e7): MSVCRT._EH_prolog |
sub_42EF38(963d): MSVCRT.free |
sub_422199(968a): KERNEL32.CreateDirectoryA |
sub_425C67(9860): MSVCRT._EH_prolog KERNEL32.Sleep "W" "R" "c" "md" |
sub_426022(9c51): MSVCRT._EH_prolog KERNEL32.Sleep MSVCRT._mbscmp MSVCRT.atoi "\\m" "ro" "finu" ".ex" "e" "mr" "of" "inu" ".exe.tmp" "defaultvalue" "11866787A5F240675EE6610530A652BC94C74E7"... "WR" "\\version" |
sub_431A90(9c9a): MSVCRT._controlfp |
sub_421C92(9f30): NTDLL.RtlSetLastWin32Error MSVCRT.memset KERNEL32.Sleep SHELL32.SHFileOperationA |
sub_43012E(a03c): KERNEL32.GetCurrentDirectoryA MSVCRT.strcat KERNEL32.GetFileType "\\" |
sub_429A20(a21d): KERNEL32.InterlockedIncrement |
sub_42640B(a5b4): MSVCRT._EH_prolog KERNEL32.LoadLibraryA KERNEL32.GetProcAddress KERNEL32.Sleep KERNEL32.lstrcpyA KERNEL32.FreeLibrary "shell32.dll" "ShellExecuteEx" "sei \n" |
sub_425746(af01): KERNEL32.CreateMutexA NTDLL.RtlGetLastWin32Error KERNEL32.CloseHandle |
sub_42552A(b058): MSVCRT._EH_prolog KERNEL32.Sleep "WR" "confi" "gversion" |
sub_425896(b058): MSVCRT._EH_prolog KERNEL32.Sleep "W" "R" "i" |
sub_427610(b267): ADVAPI32.RegOpenKeyExA ADVAPI32.RegQueryValueExA ADVAPI32.RegCloseKey |
sub_42D0E6(b45b): "invalid distance code" "invalid literal/length code" |
sub_42E7CB(b76e): KERNEL32.SetFilePointer |
sub_426496(b982): KERNEL32.lstrcatA |
sub_42CE8E(ba1a): "oversubscribed dynamic bit lengths tree"... "incomplete dynamic bit lengths tree" |
sub_42A0B0(bae0): MSVCRT.memcpy |
sub_422A1E(bc98): MSVCRT._EH_prolog KERNEL32.GetWindowsDirectoryA KERNEL32.GetModuleFileNameA KERNEL32.Sleep MSVCRT.sprintf "%d" |
sub_42F940(beac): MSVCRT.malloc MSVCRT.free |
sub_422435(bf61): MSVCRT.strlen MSVCRT.toupper |
sub_4318D6(c12a): MSVCRT._onexit MSVCRT.__dllonexit |
sub_429CF0(c143): KERNEL32.LocalFree |
sub_424A2E(c8e0): KERNEL32.SetCurrentDirectoryA |
sub_4270ED(cb50): ADVAPI32.RegOpenKeyExA ADVAPI32.RegQueryValueExA ADVAPI32.RegCloseKey |
sub_4300B2(cc4c): MSVCRT.gmtime KERNEL32.SystemTimeToFileTime |
sub_428360(cc75): USER32.CopyRect |
sub_42239F(d371): MSVCRT.strlen MSVCRT.toupper |
sub_42EB64(d803): MSVCRT.strcmp |
sub_4233A8(d83f): KERNEL32.lstrcpyA |
sub_431CA4(dc43): MSVCRT._CxxThrowException |
sub_42CF36(dd13): "oversubscribed literal/length tree" "incomplete literal/length tree" "oversubscribed distance tree" "incomplete distance tree" "empty distance tree with lengths" |
sub_42E8A0(dd1e): KERNEL32.ReadFile MSVCRT.memcpy |
sub_421D8A(de74): NTDLL.RtlSetLastWin32Error MSVCRT.memset SHELL32.SHFileOperationA |
sub_422FB0(e014): MSVCRT._EH_prolog MSVCRT.sprintf MSVCRT.strcat "%02X" |
sub_425353(e07b): MSVCRT._EH_prolog KERNEL32.Sleep MSVCRT._mbscmp "SOFTWARE\\Microso" "ft\\Windows\\Curren" "tVersion\\R" "un\\ru" "nner1" "defaultvalue" " " |
sub_431730(ebb0): MSVCRT._mbsstr |
sub_428300(ebb0): MSVCRT._mbscmp |
sub_42E589(ec84): KERNEL32.GetCurrentProcess KERNEL32.DuplicateHandle KERNEL32.CreateFileA KERNEL32.GetFileType KERNEL32.SetFilePointer |
sub_427C84(f016): ADVAPI32.RegCreateKeyExA ADVAPI32.RegSetValueExA ADVAPI32.RegCloseKey |
sub_426CC3(f016): ADVAPI32.RegCreateKeyExA ADVAPI32.RegSetValueExA ADVAPI32.RegCloseKey |
sub_421109(f546): KERNEL32.GetFileSize NTDLL.RtlGetLastWin32Error |
sub_4266E9(f6ae): ADVAPI32.RegOpenKeyExA ADVAPI32.RegQueryValueExA ADVAPI32.RegCloseKey |
sub_428069(f6ae): ADVAPI32.RegOpenKeyExA ADVAPI32.RegQueryValueExA ADVAPI32.RegCloseKey |
sub_423288(f880): MSVCRT._strdup MSVCRT._mbsupr MSVCRT.free |
sub_422C48(fc12): KERNEL32.lstrcpyA KERNEL32.lstrcatA KERNEL32.Sleep MSVCRT.memset KERNEL32.WaitForSingleObject ".bin" "InstallZip()\n" "crc failed:" ".old" "crc ok, Install(" ")" "OPEN" |