sub_outside(): KERNEL32.GetModuleHandleA KERNEL32.DeleteFileA NTDLL.RtlGetLastWin32Error KERNEL32.ExitProcess KERNEL32.Sleep WININET.InternetGetConnectedState MSVCRT._EH_prolog MSVCRT.rand KERNEL32.lstrcatA KERNEL32.lstrlenA KERNEL32.lstrcpyA |
sub_31501D96(0337): KERNEL32.CreateEventA KERNEL32.LoadLibraryA KERNEL32.Sleep ADVAPI32.AbortSystemShutdownA "u13.2ix" "u10x" "u11x" "u12x" "u13x" "u13ix" "u8" "u9" "u10" "u11" "u12" "u13" "u13i" "u14" "ws2_32" "wininet" "msvcrt" "advapi32" "user32" "uterm13.2i" |
sub_31501962(09ff): MSVCRT.memset KERNEL32.CreateProcessA KERNEL32.CloseHandle |
sub_3150243D(12a2): ADVAPI32.RegCreateKeyExA ADVAPI32.RegSetValueExA ADVAPI32.RegCloseKey |
sub_31501911(1a20): KERNEL32.CreateThread KERNEL32.CloseHandle |
sub_315023AF(2057): ADVAPI32.RegOpenKeyExA ADVAPI32.RegDeleteValueA ADVAPI32.RegCloseKey |
sub_315020C4(2d0f): MSVCRT.rand KERNEL32.Sleep |
sub_31501A62(3338): WS2_32.recv MSVCRT.strstr WS2_32.send USER32.wsprintfA MSVCRT.strlen KERNEL32.Sleep KERNEL32.InterlockedIncrement WS2_32.shutdown WS2_32.closesocket KERNEL32.ExitThread "GET" ".exe" "HTTP/1.1 200 OK\r\nContent-Type: applicat"... "Content-Length: %u\r\n\r\n" "HTTP/1.1 200 OK\r\n\r\n\r\n" |
sub_315018F7(336c): KERNEL32.CreateThread |
sub_31502800(3cd5): KERNEL32.VirtualAlloc |
sub_31501F3A(4795): MSVCRT.strlen |
sub_31501727(4891): KERNEL32.LoadLibraryA KERNEL32.GetProcAddress KERNEL32.GetCurrentProcess "advapi32" "OpenProcessToken" "LookupPrivilegeValueA" "AdjustTokenPrivileges" "SeDebugPrivilege" |
sub_31502CB7(48f8): MSVCRT.strchr "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" |
sub_31501A48(502b): KERNEL32.OpenEventA KERNEL32.SetEvent |
sub_315019B8(518e): WS2_32.inet_addr WS2_32.gethostbyname |
sub_31501BA8(52a4): KERNEL32.CreateFileA KERNEL32.ExitThread KERNEL32.GetFileSize KERNEL32.ReadFile KERNEL32.CloseHandle WS2_32.socket MSVCRT.memset MSVCRT.rand WS2_32.ntohs WS2_32.bind WS2_32.listen WS2_32.accept "System Update" "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"... |
sub_31503608(531a): WININET.InternetOpenA KERNEL32.GetSystemDirectoryA KERNEL32.lstrcatA KERNEL32.lstrlenA KERNEL32.CreateFileA WININET.InternetOpenUrlA KERNEL32.CloseHandle WININET.InternetReadFile KERNEL32.WriteFile "Mozilla/4.0 (compatible; MSIE 6.0; Wind"... "\\" ".exe" |
sub_315032FA(6253): KERNEL32.lstrlenA USER32.wsprintfA KERNEL32.Sleep WS2_32.send "PRIVMSG %s %s\r\n" |
sub_315023E4(75ba): ADVAPI32.RegOpenKeyExA ADVAPI32.RegQueryValueExA ADVAPI32.RegCloseKey |
sub_31502128(7a74): MSVCRT.rand KERNEL32.InterlockedIncrement KERNEL32.Sleep |
sub_31503183(7aa2): MSVCRT.rand USER32.wsprintfA KERNEL32.lstrlenA WS2_32.send WS2_32.closesocket "QUIT %s\r\n" |
sub_31502548(7c2b): "Windows Security Manager" "Disk Defragmenter" "System Restore Service" "Bot Loader" "WinUpdate" "Windows Update Service" "avserve.exe" "avserve2.exeUpdate Service" "MS Config v13" "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"... |
sub_315017AF(7e12): KERNEL32.GetModuleHandleA KERNEL32.GetProcAddress USER32.FindWindowA USER32.GetForegroundWindow USER32.GetWindowThreadProcessId KERNEL32.OpenProcess KERNEL32.WriteProcessMemory KERNEL32.CloseHandle "kernel32" "VirtualAllocEx" "CreateRemoteThread" "uterm13.2i" |
sub_315029C7(81ab): KERNEL32.GetSystemDirectoryA KERNEL32.SetCurrentDirectoryA KERNEL32.lstrcpynA KERNEL32.CreateFileA WS2_32.send WS2_32.recv KERNEL32.WriteFile KERNEL32.CloseHandle |
sub_31501A32(81da): WININET.InternetGetConnectedState |
sub_31501D82(82c5): KERNEL32.WaitForSingleObject |
sub_315028AE(8398): KERNEL32.GetSystemTime KERNEL32.SystemTimeToFileTime WS2_32.recv MSVCRT.memcpy ADVAPI32.CryptCreateHash ADVAPI32.CryptHashData ADVAPI32.CryptVerifySignatureA NTDLL.RtlGetLastWin32Error ADVAPI32.CryptDestroyHash MSVCRT.rand WS2_32.send |
sub_31502490(87a6): KERNEL32.lstrlenA KERNEL32.CreateToolhelp32Snapshot MSVCRT.memset KERNEL32.Process32First MSVCRT.strstr KERNEL32.OpenProcess KERNEL32.TerminateProcess KERNEL32.Process32Next |
sub_31503722(9195): MSVCRT.strstr KERNEL32.GetTickCount USER32.wsprintfA KERNEL32.lstrlenA MSVCRT.strchr KERNEL32.lstrcmpA KERNEL32.lstrcpyA MSVCRT.atoi MSVCRT.rand KERNEL32.lstrcatA "-1,%d" "e" "|" "i" "%d,%d,13%s,%d" "q" "JOIN" |
sub_31502893(9445): ADVAPI32.CryptDestroyKey ADVAPI32.CryptReleaseContext |
sub_315026C2(99c3): KERNEL32.GetModuleFileNameA MSVCRT.rand KERNEL32.lstrlenA KERNEL32.lstrcpyA KERNEL32.lstrcmpiA "Software\\Microsoft\\Wireless" "ID" "dfashnzdsdl" "ID" "dfashnzdsdl" "System Update" "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"... "1" "Client" "Client" |
sub_315025F6(9d42): KERNEL32.DeleteFileA KERNEL32.GetSystemDirectoryA MSVCRT.rand KERNEL32.lstrcatA KERNEL32.CopyFileA KERNEL32.lstrlenA KERNEL32.CloseHandle KERNEL32.WinExec KERNEL32.Sleep KERNEL32.ExitProcess ".exe" "\\" "System Update" "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"... |
sub_31502277(a67f): WS2_32.inet_ntoa KERNEL32.lstrcpyA USER32.wsprintfA KERNEL32.lstrlenA "http://%s:%d/x.exe" |
sub_31502814(a71a): KERNEL32.VirtualFree |
sub_315018E8(a71a): KERNEL32.CreateMutexA |
sub_315011C0(abb0): WS2_32.socket WS2_32.inet_ntoa KERNEL32.lstrcpynA USER32.wsprintfA MSVCRT.memcpy MSVCRT.strlen MSVCRT.memset WS2_32.ntohs WS2_32.connect KERNEL32.Sleep WS2_32.send WS2_32.recv KERNEL32.lstrlenA WS2_32.shutdown WS2_32.closesocket |
sub_315019F3(b95f): WS2_32.gethostname WS2_32.WSAGetLastError WS2_32.gethostbyname |
sub_315018BA(bc62): KERNEL32.GetTickCount MSVCRT.srand |
sub_31502DB6(bca3): KERNEL32.lstrcpynA |
sub_3150302E(bf8d): MSVCRT.strstr KERNEL32.lstrlenA KERNEL32.lstrcpynA USER32.wsprintfA WS2_32.send "PING" "PONG%s\r\n" |
sub_31503371(d1c9): KERNEL32.GetSystemTime MSVCRT.atan MSVCRT.sin MSVCRT.cos MSVCRT.srand MSVCRT.rand |
sub_3150283F(d285): ADVAPI32.CryptAcquireContextA ADVAPI32.CryptImportKey |
sub_315030B1(d435): USER32.wsprintfA KERNEL32.Sleep KERNEL32.lstrlenA WS2_32.send WS2_32.recv MSVCRT.strstr KERNEL32.lstrcpynA "JOIN %s\r\n" "451" "PING" |
sub_31502DEC(e24b): WS2_32.socket WS2_32.ntohs WS2_32.connect WS2_32.recv USER32.wsprintfA KERNEL32.Sleep KERNEL32.lstrlenA WS2_32.send MSVCRT.strstr WS2_32.closesocket "PASS %s\r\n" "NICK %s\r\n" "already" "NICK %s\r\n" "USER %s 8 * :%s\r\n" |
sub_31502BE8(e562): WS2_32.socket MSVCRT.memset WS2_32.ntohs WS2_32.bind WS2_32.listen WS2_32.accept KERNEL32.CreateEventA KERNEL32.CreateThread KERNEL32.CloseHandle KERNEL32.WaitForSingleObject |
sub_31501932(e56c): MSVCRT.rand |
sub_31501CEC(e965): WS2_32.WSAStartup |
sub_315021B0(ed82): MSVCRT.rand KERNEL32.InterlockedIncrement KERNEL32.Sleep KERNEL32.ExitThread |
sub_315031EC(f228): MSVCRT._EH_prolog KERNEL32.GetTickCount WS2_32.select KERNEL32.ExitThread WS2_32.recv KERNEL32.Sleep WS2_32.closesocket |
sub_31502826(fa42): KERNEL32.lstrcpyA "cont" |
sub_31502B4C(fd6d): KERNEL32.SetEvent WS2_32.recv WS2_32.closesocket KERNEL32.ExitThread |
sub_31501F6B(fda7): MSVCRT.rand MSVCRT.strcpy WS2_32.socket WS2_32.ntohl WS2_32.ntohs WS2_32.bind WS2_32.listen WS2_32.accept KERNEL32.Sleep WS2_32.recv WS2_32.closesocket MSVCRT.strcat MSVCRT.strlen WS2_32.send " : USERID : UNIX : " "\r\n" |