sub_outside(): MSVCRT.strcpy |
sub_40D53F(0509): MSVCRT._vsnprintf "NOTICE %s :" "PRIVMSG %s :" "\r\n" |
sub_4043E9(05b8): MSVCRT.strcpy "80" |
sub_409DD0(060f): "ICMP.DLL" "IcmpCreateFile" "IcmpSendEcho" "IcmpCloseHandle" "Could not resolve name" |
sub_41673F(09bb): "rb" |
sub_40A1A7(0b5b): MSVCRT.strcpy |
sub_4093B6(0cc7): "btg" "thread" |
sub_40D871(0ed7): MSVCRT.strcpy "PING" "PONG %s" "PONG" "MODE" "PRIVMSG" "SEND" "eggdrop v1.6.16" "433" "UNK" "B" "A" "G" "%c%s%c%c%u%c%u%s%c%c%c" "ERROR" "JOIN" "MODE %s +smntu" "001" "MODE %s +xi" "USERHOST %s" "USERHOST %s" "451" "302" "@" "NICK" "332" "][" "link!link@link PRIVMSG %s :%s" "][" "PRIVMSG" "NOTICE" "*" |
sub_40D4AB(1035): MSVCRT._vsnprintf "PRIVMSG %s :" "\r\n" |
sub_407ACA(11fc): MSVCRT._strnicmp |
sub_40732D(1413): MSVCRT._itoa |
sub_415AF0(1472): "Internet explorer password stealer" |
sub_406D90(1503): MSVCRT.strcpy ".bat" "@echo off\r\n:deleteagain\r\ndel /A:H /F %s"... "open" |
sub_4088FC(152c): MSVCRT.strcpy "80" "GET /%s HTTP/1.0\r\nHost: %s\r\n\r\n" |
sub_41349C(174d): MSVCRT.strcpy |
sub_4143B0(1a5b): MSVCRT._itoa |
sub_42B42C(2509): USER32.MessageBoxA KERNEL32.GetModuleFileNameA KERNEL32.VirtualAlloc KERNEL32.VirtualFree KERNEL32.VirtualProtect KERNEL32.GetModuleHandleA KERNEL32.LoadLibraryExA KERNEL32.GetProcAddress KERNEL32.ExitProcess "Info" "This application was packed with an Unr"... |
sub_409C36(3457): KERNEL32.InitializeCriticalSectionAndSpinCount |
sub_412F07(34bf): MSVCRT._itoa |
sub_407E0C(37d0): MSVCRT._itoa MSVCRT.strcpy |
sub_40A8AD(3823): "abcdef" |
sub_40764D(3944): MSVCRT.strcpy |
sub_4044F7(3f01): WS2_32.getnameinfo |
sub_412E04(4474): MSVCRT.strcpy |
sub_416EAF(4878): MSVCRT._CxxThrowException |
sub_40F040(4949): MSVCRT.memmove MSVCRT._rotr |
sub_406C51(4aab): "Software\\Microsoft\\Windows\\CurrentVersi"... |
sub_4038BA(4c15): MSVCRT._itoa MSVCRT.strcpy "udp" |
sub_414052(4fa7): MSVCRT.strcpy "Exploit statistics - " |
sub_40D043(5675): MSVCRT.strcpy "PASS %s" "USER %s %s %s :%s" "UNK" "B" "A" "G" "%c%s%c%c%u%c%u%s%c%c%c" |
sub_411BBC(5919): MSVCRT._itoa "127.0.0.1" |
sub_4017AA(5a0a): "Listing" "Killing" |
sub_414A1E(5a21): "rb" "\r\n\r\n[" "\r\nIP=" "\r\nPort=" "\r\nUser=" "\r\nPass=" "[%[^]]]\r\n" "\r\nIP=%127s\r\n" "\r\nPort=%127s\r\n" "\r\nUser=%127s\r\n" "\r\nPass=%127s\r\n" |
sub_416711(5c60): "rb" |
sub_413FE7(5e87): "Attempting to exploit IP's in list." |
sub_401000(60e1): MSVCRT.strcpy |
sub_407148(629b): "QUIT :%s uninstalled." "Windows DLL Loader" "QUIT :%s uninstalled." |
sub_40EF59(6597): MSVCRT._rotl |
sub_4091E2(65f1): "Driveinfo thread" |
sub_404552(67ed): MSVCRT._itoa |
sub_4097A7(69ab): "*%s*" |
sub_4083AD(6a7b): "?" "no SP" "95" "NT" "98" "ME" "2000" "XP" "2003" "Yes" "No" "HARDWARE\\DESCRIPTION\\System\\CentralProc"... "ProcessorNameString" |
sub_41308F(6de7): MSVCRT._strnicmp "OPTIONS / HTTP/1.0\r\n\r\n" "Server:" "Microsoft-IIS" "Microsoft-IIS/%u.%u" "Apache" |
sub_414EB0(6e80): "FlashFXP password stealer" |
sub_4147E5(6ee3): "yA36zA48dEhfrvghGRg57h5UlDv3" "yA36zA48dEhfrvghGRg57h5UlDv3" |
sub_408B30(70db): MSVCRT.strcpy WS2_32.getaddrinfo WS2_32.getnameinfo WS2_32.freeaddrinfo WININET.InternetGetConnectedStateExA "Unknown" "Unknown" "Modem" "LAN" "Yes" "No" "Yes" "No" "Bad" "Avarage" "Good" |
sub_404FE7(7226): WS2_32.getaddrinfo WS2_32.freeaddrinfo |
sub_41417D(726a): "Listing exploit statistics" |
sub_4142BF(74ca): "80" |
sub_4020C2(7599): MSVCRT.strcpy WS2_32.getnameinfo MSVCRT._itoa "rb" "DCC Send %s (%s)" |
sub_404612(76e6): WS2_32.getaddrinfo WS2_32.getnameinfo MSVCRT.strcpy WS2_32.freeaddrinfo |
sub_404193(7992): MSVCRT._itoa |
sub_40D734(7c17): "mIRC" |
sub_411DC5(819f): "rb" "octet" "octet" "wormride" |
sub_401D6E(859f): "open" "Remote cmd thread" "\r\n" "Error while executing command." |
sub_4050EA(87ab): WS2_32.getaddrinfo WS2_32.freeaddrinfo |
sub_40A50E(88d5): MSVCRT.strcpy |
sub_41113B(8dbe): "%u,%u,%u,%u,%u,%u" "rb" "150 -\r\n" "rb" "-x 3 2000 fh 1024 Jan 1 0:00 .\r\ndrwxr-x"... "150 -\r\n" "ftp" "221 -\r\n" "231 -\r\n" |
sub_414EF4(8f0e): "%x" "%ws" "220d5cc1" "5e7e8100" ":" ":" ":" "b9819c52" "e161255a" "StringIndex" |
sub_4094E6(8f32): MSVCRT.strcpy "thread" |
sub_40CF2F(913e): MSVCRT.strcpy "6667" |
sub_4055E5(93f0): "%u\r\n" "%u.%u.%u.%u:%u\r\n" "%u\r\n" "%u.%u.%u.%u:%u\r\n" "%u\r\n" "%u.%u.%u.%u:%u\r\n" "%u\r\n" "%u.%u.%u.%u:%u\r\n" |
sub_407928(94bd): MSVCRT.strcpy |
sub_405E45(94e4): "LG flooder" |
sub_40CEB0(975e): "Executing command(s): %s" |
sub_408808(983f): MSVCRT.strcpy "80" |
sub_42B344(983f): KERNEL32.VirtualAlloc KERNEL32.VirtualFree |
sub_415DFD(9871): "Listing interesting processes" |
sub_41331E(9eb7): MSVCRT.strcpy MSVCRT._itoa |
sub_40D420(a5e3): MSVCRT._vsnprintf "NOTICE %s :" "\r\n" |
sub_412720(a6d1): MSVCRT.strcpy |
sub_408F2E(ab4d): "Drive information - " "removable" "fixed" "remote" "cd-rom" "ramdisk" "unknown" |
sub_401981(ac1d): "cmd.exe" "Could not read data from process." "Cmd.exe process has terminated." |
sub_4127D0(aca4): "rb" |
sub_40449C(aeb4): WS2_32.getnameinfo |
sub_415B60(af11): MSVCRT._strnicmp "Unreal3" "World Of Warcraft" "[Conquer]" "SOFTWARE\\Microsoft\\VisualStudio\\6.0\\Set"... "Software\\Valve\\Steam" "Yes" "No" "Yes" "No" "Yes" "No" "Yes" "No" "Yes" "No" |
sub_403DF3(b5a9): MSVCRT.strcpy " : USERID : UNIX : " "\r\n" |
sub_413AB0(b5b6): MSVCRT.strcpy |
sub_40CA29(b7e9): ")" "&&" "%32s %16s %32s" "$uptime" "$version" "$free" "$latency" "$firewall" "$ipv6" "$uptime" "$version" "$free" "$latency" "$firewall" "$ipv6" "==" "!=" ">" ">=" "<=" "&&" |
sub_4148CE(b829): MSVCRT.strcpy "SOFTWARE\\Classes\\Applications\\FlashFXP."... "sites.dat" "ProgramFiles" "\\FlashFXP\\sites.dat" "rb" "%sFlashFXP\\sites.dat" "rb" |
sub_40806A(b9eb): MSVCRT.strcpy |
sub_40D6CB(ba86): MSVCRT._vsnprintf "\r\n" |
sub_4046BC(bcec): WS2_32.getaddrinfo WS2_32.freeaddrinfo |
sub_411D68(bd90): "FTP wormride thread" |
sub_4123F6(bf6b): "TFTP wormride thread" |
sub_40E618(c143): "302" "PRIVMSG" "NOTICE" |
sub_406041(c2bf): MSVCRT.strcpy "system" |
sub_409CB1(c41b): IPHLPAPI.IcmpCreateFile IPHLPAPI.IcmpSendEcho IPHLPAPI.IcmpCloseHandle "Could not get a valid ICMP handle\n" |
sub_406A23(c753): MSVCRT.strcpy |
sub_406E8E(c805): "Windows DLL Loader" |
sub_402A32(c93b): MSVCRT.strcpy MSVCRT._strnicmp "http://" "80" "ftp://" "21" "anonymous" "anonymous" "tftp://" "69" ":" "/" "open" |
sub_40332B(d6d5): "EXCEPTION_OTHER" "EXCEPTION_ACCESS_VIOLATION" "EXCEPTION_BREAKPOINT" "EXCEPTION_ILLEGAL_INSTRUCTION" "EXCEPTION_INT_DIVIDE_BY_ZERO" "EXCEPTION_NONCONTINUABLE_EXCEPTION" "EXCEPTION_STACK_OVERFLOW" "EXCEPTION_FLT" "Restarting" "Continuing" "open" "QUIT :exitting" "QUIT :restarting" "QUIT :restarting" |
sub_4098F3(d7a4): "*%s*" |
sub_405FA3(d81a): "psapi.dll" "EnumProcessModules" "GetModuleFileNameExA" "GetModuleInformation" |
sub_4077DD(d893): MSVCRT._itoa MSVCRT.strcpy |
sub_4045B2(db0b): MSVCRT._itoa |
sub_40C93C(dd51): ";" "link!link@link PRIVMSG %s :%s" ";" |
sub_402698(e10f): "GET /%s HTTP/1.0\r\nHost: %s\r\n\r\n" "\r\n\r\n" "Content-Length: %u\r\n" |
sub_41102F(e43a): "rb" |
sub_406722(e784): MSVCRT._strnicmp MSVCRT.strcpy "HKCR" "HKCU" "HKLM" "HKUS" |
sub_406AE7(f004): MSVCRT.strcpy "rb" |
sub_40A9CF(f341): MSVCRT.strcpy WS2_32.getaddrinfo WS2_32.getnameinfo WS2_32.freeaddrinfo MSVCRT.memcmp MSVCRT._strnicmp "ܹϗ؆ܥ" "This build is fully functional" "This build is broken and will not funct"... "It took me %ums." "on" "off" "on" "QUIT :exitting" "open" "QUIT :restarting" "QUIT :changing server" "2002" "9252" "id" "username" |
sub_403BD3(f523): "kernel32.dll" "InitializeCriticalSectionAndSpinCount" "netapi32.dll" "NetUseAdd" "NetUseDel" "NetUserEnum" "NetShareEnum" "NetRemoteTOD" "NetApiBufferFree" "NetScheduleJobAdd" "NetAddAlternateComputerName" "mpr.dll" "WNetAddConnection2A" "WNetAddConnection2W" "WNetCancelConnection2A" "WNetCancelConnection2W" "ws2_32.dll" "getaddrinfo" "getnameinfo" "freeaddrinfo" "pstorec.dll" "PStoreCreateInstance" "wininet.dll" "InternetGetConnectedStateExA" |
sub_40D74D(f68e): "mIRC" |
sub_4129CA(f764): MSVCRT.strcpy "unknown" |