Download Link: hxxp://kazaap.org/download/setup.exe

Rogue AntiSpyware Application:

File Name: setup.exe

VirusTotal Result: 13/32 (40.63%)

Antivirus          Version      Last update  Result
AntiVir            7.6.0.81     2008.04.08   DR/FraudTool.Kazaap.A
Avast              4.8.1169.0   2008.04.08   Win32:Trojan-gen {Other}
BitDefender        7.2          2008.04.08   Adware.Kazaap.B
Ewido              4.0          2008.04.08   Adware.Kazaap
F-Prot             4.4.2.54     2008.04.08   W32/HackToolX.AGC
FileAdvisor        1            2008.04.08   High threat detected
Fortinet           3.14.0.0     2008.04.08   W32/Kazaap
Ikarus             T3.1.1.26.0  2008.04.08   Win32.SuspectCrc
Kaspersky          7.0.0.125    2008.04.08   not-a-virus:FraudTool.Win32.Kazaap.a
Panda              9.0.0.4      2008.04.07   Application/Kazaap
Sunbelt            3.0.1032.0   2008.04.08   Kazaap
Symantec           10           2008.04.08   Kazaap
Webwasher-Gateway  6.6.2        2008.04.08   Trojan.Dropper.FraudTool.Kazaap.A

File Info:

File size: 1003432 bytes
MD5...: 288a4f358f5b9cf0b34a397bb955273c
SHA1..: 4c08c4e3164d5b52895fc7cbf1f8633d67450bde
SHA256: bd1028bdf1d31e6c253acb7670631e296bb9a2a1810d302002535755a85e877f
SHA512: 5c848e60a0d31655759cc7a8d55d44974d297be6fb11251e1167a12e9e6f62b10d9c3fb2f408968a392720dc4c105f34cf48bd74093c1ffec14f7feb6d4b365c

.text:00401000 ; Format : Portable executable for 80386 (PE)
.text:00401000 ; Imagebase : 400000
.text:00401000 ; Section 1. (virtual address 00001000)
.text:00401000 ; Virtual size : 000059CC ( 22988.)
.text:00401000 ; Section size in file : 00005A00 ( 23040.)
.text:00401000 ; Offset to raw data for section: 00000400
.text:00401000 ; Flags 60000020: Text Executable Readable

PE Header

Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0005
Time/Date stamp: 430F5D1A
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00005A00
Size of initialized data: 0001DA00
Size of uninitialized data: 00000400
Address of entry point: 00003335
Base of code: 00001000
Base of data: 00007000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00035000
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections

Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    000059CC  00001000  00005A00  00000400  60000020
.rdata   000010CC  00007000  00001200  00005E00  40000040
.data    0001B414  00009000  00000400  00007000  C0000040
.ndata   00009000  00025000  00000000  00000000  C0000080
.rsrc    00007000  0002E000  00006E00  00007400  40000040

Import table (libraries: 8)

KERNEL32.dll (imports: 63)
    CompareFileTime SearchPathA GetShortPathNameA GetFullPathNameA MoveFileA
    SetCurrentDirectoryA GetFileAttributesA GetLastError CreateDirectoryA
    SetFileAttributesA Sleep CreateFileA GetFileSize GetModuleFileNameA
    GetTickCount GetCurrentProcess CopyFileA ExitProcess lstrcpynA
    GetCommandLineA SetFileTime GetTempPathA GetUserDefaultLangID
    GetDiskFreeSpaceA GlobalUnlock GlobalLock GlobalAlloc CreateThread
    CreateProcessA RemoveDirectoryA GetTempFileNameA SetEndOfFile
    UnmapViewOfFile MapViewOfFile CreateFileMappingA lstrcpyA lstrlenA
    lstrcatA GetSystemDirectoryA CloseHandle lstrcmpiA GetEnvironmentVariableA
    ExpandEnvironmentStringsA GlobalFree WaitForSingleObject GetExitCodeProcess
    SetErrorMode GetModuleHandleA LoadLibraryA GetProcAddress FreeLibrary
    MultiByteToWideChar WritePrivateProfileStringA MulDiv
    GetPrivateProfileStringA WriteFile ReadFile SetFilePointer FindClose
    FindNextFileA FindFirstFileA DeleteFileA GetWindowsDirectoryA

USER32.dll (imports: 60)
    SystemParametersInfoA RegisterClassA EndDialog ScreenToClient GetWindowRect
    SetClassLongA IsWindowEnabled SetWindowPos GetSysColor GetWindowLongA
    LoadCursorA SetCursor CheckDlgButton GetMessagePos LoadBitmapA
    CallWindowProcA IsWindowVisible CloseClipboard SetClipboardData
    CreateWindowExA OpenClipboard TrackPopupMenu AppendMenuA CreatePopupMenu
    GetSystemMetrics SetDlgItemTextA GetDlgItemTextA MessageBoxA CharPrevA
    SetTimer SetWindowTextA PostQuitMessage SetForegroundWindow ShowWindow
    wsprintfA SendMessageTimeoutA FindWindowExA IsWindow GetClassInfoA
    DialogBoxParamA CharNextA ExitWindowsEx CreateDialogParamA EmptyClipboard
    DestroyWindow SetWindowLongA LoadImageA GetDC EnableWindow PeekMessageA
    DispatchMessageA InvalidateRect SendMessageA DefWindowProcA BeginPaint
    GetClientRect FillRect DrawTextA EndPaint GetDlgItem

GDI32.dll (imports: 8)
    SetBkColor GetDeviceCaps DeleteObject CreateBrushIndirect
    CreateFontIndirectA SetBkMode SetTextColor SelectObject

SHELL32.dll (imports: 6)
    SHGetMalloc SHGetPathFromIDListA SHBrowseForFolderA ShellExecuteA
    SHFileOperationA SHGetSpecialFolderLocation

ADVAPI32.dll (imports: 9)
    RegQueryValueExA RegSetValueExA RegEnumKeyA RegEnumValueA RegOpenKeyExA
    RegDeleteKeyA RegDeleteValueA RegCloseKey RegCreateKeyExA

COMCTL32.dll (imports: 4)
    ImageList_AddMasked ImageList_Destroy #17 ImageList_Create

ole32.dll (imports: 3)
    OleInitialize OleUninitialize CoCreateInstance

VERSION.dll (imports: 3)
    GetFileVersionInfoSizeA
    GetFileVersionInfoA VerQueryValueA

Function Calls:

On Execution:

Registry Creation:

CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
CreateKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings SUCCESS Access: 0x2001F
CreateKey HKCU\Software\Microsoft\Multimedia\Audio SUCCESS Access: 0x20007
CreateKey HKCU\Software\Microsoft\Multimedia\Audio Compression Manager\ SUCCESS Access: 0x20006
CreateKey
HKCU\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM SUCCESS Access: 0x2001F
CreateKey HKCU\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00 SUCCESS Access: 0x2001F
CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
CreateKey Software\Microsoft\Windows\CurrentVersion\ThemeManager "Compositing"
CreateKey Control Panel\Desktop "LameButtonText"
CreateKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion "ProgramFilesDir"

Registry Values Changed:
SetValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 SUCCESS
SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS

DLL Handling:
c:\temp\setup.exe
C:\WINDOWS\System32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1612_x-ww_7c379b08\
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\System32\wsock32.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\WS2HELP.dll
C:\WINDOWS\System32\Wship6.dll
C:\WINDOWS\System32\iphlpapi.dll
C:\WINDOWS\System32\pstorec.dll
C:\WINDOWS\System32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\System32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\System32\Secur32.dll
.\UxTheme.dll
RichEd20.dll
UxTheme.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\InstallOptions.dll

File System Activity:
Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsi4.tmp
Get File Attributes: c:\temp\setup.exe Flags: (SECURITY_ANONYMOUS)
Open File: c:\temp\setup.exe (OPEN_EXISTING)
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsi6.tmp
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp
Delete File:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp Get File Attributes: C:\DOCUME~1 Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\DOCUME~1\ADMINI~1 Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1 Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\modern-wizard.bmp Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\modern-wizard.bmp Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\modern-wizard.bmp Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\modern-wizard.bmp Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\modern-header.bmp Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\modern-header.bmp Flags: 
(FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\modern-header.bmp Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\modern-header.bmp Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\InstallOptions.dll Flags: (SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\InstallOptions.dll Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\InstallOptions.dll Read INI Files: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Settings] Title = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Settings] CancelButtonText = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Settings] NextButtonText = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Settings] BackButtonText = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Settings] NumFields = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Settings] Rect = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Settings] BackEnabled = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Settings] CancelEnabled = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Settings] CancelShow = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Settings] RTL = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 1] TYPE = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 1] Flags = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 1] State = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 1] ListItems = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 1] TEXT = 
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 1] ROOT = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 1] ValidateText = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 1] Filter = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 1] LEFT = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 1] TOP = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 1] RIGHT = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 1] BOTTOM = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 1] MinLen = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 1] MaxLen = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 1] TxtColor = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 2] TYPE = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 2] Flags = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 2] State = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 2] ListItems = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 2] TEXT = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 2] ROOT = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 2] ValidateText = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 2] Filter = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 2] LEFT = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 2] TOP = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 2] RIGHT = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 2] BOTTOM = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 2] MinLen = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 2] MaxLen = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 2] TxtColor = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 3] TYPE = 
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 3] Flags = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 3] State = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 3] ListItems = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 3] TEXT = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 3] ROOT = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 3] ValidateText = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 3] Filter = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 3] LEFT = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 3] TOP = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 3] RIGHT = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 3] BOTTOM = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 3] MinLen = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 3] MaxLen = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 3] TxtColor = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Settings] RTL = 0 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 1] Text = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\modern-wizard.bmp C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Settings] NumFields = 3 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Settings] NextButtonText = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Settings] CancelEnabled = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 2] Text = Welcome to Kazaap Adware and Spyware Remover C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 2] Bottom = 38 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 3] Top = 45 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 3] Bottom = 185 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nst8.tmp\ioSpecial.ini [Field 3] Text = You are about to 
install Kazaap Adware and Spyware Remover.