sub_outside(): MSVCRT.strlen MSVCRT.strncpy MSVCRT.strtok MSVCRT._stricmp MSVCRT.strstr MSVCRT.memset MSVCRT.strcpy WS2_32.closesocket MSVCRT.free KERNEL32.ExitThread WS2_32.WSASocketA WS2_32.ntohs WS2_32.connect WS2_32.send WS2_32.recv MSVCRT.memcpy KERNEL32.GetTickCount KERNEL32.Sleep WS2_32.socket MSVCRT.sprintf MSVCRT._snprintf NTDLL.RtlDeleteCriticalSection KERNEL32.InitializeCriticalSectionAndSpinCount NTDLL.RtlEnterCriticalSection KERNEL32.TerminateThread NTDLL.RtlLeaveCriticalSection KERNEL32.GetModuleFileNameA MSVCRT.fopen MSVCRT.fread MSVCRT.fclose WS2_32.accept WS2_32.select WS2_32.recvfrom WS2_32.inet_ntoa MSVCRT.fseek WS2_32.sendto WS2_32.__WSAFDIsSet MSVCRT.sscanf MSVCRT.strcmp MSVCRT.atoi MSVCRT.strtoul |
sub_4085AE(0306): WS2_32.getpeername WS2_32.gethostbyaddr WS2_32.inet_ntoa MSVCRT.sprintf MSVCRT.strcpy |
sub_409002(0591): WS2_32.WSAStartup |
sub_408D7F(0c9c): KERNEL32.GetTempPathA MSVCRT._snprintf KERNEL32.CreateFileA MSVCRT.strlen KERNEL32.WriteFile KERNEL32.CloseHandle KERNEL32.GetFileAttributesA KERNEL32.SetFileAttributesA KERNEL32.ExpandEnvironmentStringsA KERNEL32.WinExec WS2_32.WSACleanup KERNEL32.ExitProcess "FAT Defragmentation" "%sdestroy.cmd" "@echo off\r\n:repeat\r\ndel \"%%1\"\r\nif exist"... "%%comspec%% /c %s %s %s" |
sub_409314(16f8): KERNEL32.Sleep |
sub_406595(1a73): MSVCRT.strlen |
sub_40785C(1d82): MSVCRT.memcpy |
sub_40645B(2142): MSVCRT.malloc MSVCRT.memset MSVCRT.memcpy MSVCRT.free |
sub_40960A(2482): MSVCRT.realloc KERNEL32.CreateThread KERNEL32.SetThreadPriority |
sub_4064E7(25b4): MSVCRT.malloc MSVCRT.memset MSVCRT.memcpy |
sub_4094D4(27b4): KERNEL32.GetVersionExA MSVCRT._snprintf "95" "NT" "98" "ME" "2000" "XP" "2003" "???" |
sub_406A02(2898): WS2_32.ntohl WS2_32.send |
sub_408C39(2cc7): ADVAPI32.RegisterServiceCtrlHandlerA ADVAPI32.SetServiceStatus KERNEL32.CreateEventA KERNEL32.WaitForSingleObject KERNEL32.CloseHandle "FAT Defragmentation" |
sub_408EAE(2f69): KERNEL32.GetModuleFileNameA KERNEL32.GetSystemDirectoryA KERNEL32.lstrlenA KERNEL32.lstrcatA MSVCRT.strncpy KERNEL32.SetFileAttributesA KERNEL32.CreateFileA KERNEL32.CloseHandle KERNEL32.CopyFileA KERNEL32.WinExec "\\" |
sub_405D60(326a): MSVCRT.sprintf MSVCRT.memcpy MSVCRT.strlen MSVCRT.memset WS2_32.send WS2_32.recv "\r\n\\_/." "\\\\%s\\ipc$" |
sub_4063ED(4892): MSVCRT.malloc MSVCRT.memset MSVCRT.memcpy |
sub_4077DF(4b09): MSVCRT.memcpy WS2_32.ntohs |
sub_409957(4f88): KERNEL32.GetTickCount MSVCRT.srand MSVCRT.rand MSVCRT._ftol |
sub_4098BE(506a): MSVCRT.malloc MSVCRT.memset MSVCRT.rand MSVCRT.strcat |
sub_4089F7(5308): ADVAPI32.OpenSCManagerA ADVAPI32.CreateServiceA ADVAPI32.ChangeServiceConfig2A ADVAPI32.CloseServiceHandle ADVAPI32.RegOpenKeyExA ADVAPI32.RegCreateKeyExA MSVCRT.strlen ADVAPI32.RegSetValueExA ADVAPI32.RegCloseKey "Defragmentation Management Handler" "FAT Defragmentation" "Monitoring the defragmentating process."... "SYSTEM\\CurrentControlSet\\Control\\SafeBo"... "Minimal" "Service" "FAT Defragmentation" "Network" "FAT Defragmentation" |
sub_40924C(555a): WS2_32.gethostname WS2_32.gethostbyname MSVCRT._snprintf WS2_32.inet_addr MSVCRT.strncpy "%d.%d.%d.%d" |
sub_40860A(5940): WS2_32.ntohs WS2_32.setsockopt WS2_32.bind WS2_32.listen |
sub_40959B(630e): MSVCRT.memset KERNEL32.GlobalMemoryStatus MSVCRT._snprintf "xLegion/0x029" |
sub_407EAB(6357): WS2_32.socket WS2_32.inet_addr WS2_32.ntohs WS2_32.connect |
sub_404360(6bab): MSVCRT.strtok MSVCRT._stricmp WS2_32.WSACleanup KERNEL32.ExitProcess KERNEL32.GetTickCount MSVCRT._ftol MSVCRT.atoi MSVCRT.strncpy MSVCRT.strstr MSVCRT._snprintf WS2_32.inet_addr MSVCRT.free KERNEL32.Sleep MSVCRT.strncat " " ".bot.die" "QUIT :god hates us all\r\n" ".bot.uptime" ".bot.os" ".bot.ip" ".bot.sysinfo" ".ftpd.status" ".irc.join" "JOIN %s\r\n" ".irc.part" "PART %s\r\n" ".irc.jump" ".download.http" "-exec" "-upd" ".scan.start" "Scanner" "-e" "-s" "." "%s%d.%d" "-x" "-r" "-x" "-l" "Scanner" ".scan.stop" "Scanner" ".scan.infected" "%s %s :%s\r\n" ".shellcode.status" |
sub_408B74(6c0f): ADVAPI32.OpenSCManagerA ADVAPI32.OpenServiceA MSVCRT._snprintf ADVAPI32.RegOpenKeyExA ADVAPI32.RegSetValueExA ADVAPI32.RegCloseKey ADVAPI32.CloseServiceHandle "SYSTEM\\CurrentControlSet\\Services\\%s" "Start" |
sub_40899E(6de2): ADVAPI32.OpenSCManagerA ADVAPI32.OpenServiceA ADVAPI32.DeleteService ADVAPI32.CloseServiceHandle "ServicesActive" |
sub_406983(6e81): WS2_32.select WS2_32.__WSAFDIsSet WS2_32.recv |
sub_4063B3(770a): MSVCRT.malloc MSVCRT.memset MSVCRT.memcpy |
sub_407381(84cf): MSVCRT.rand |
sub_408C25(8667): ADVAPI32.SetServiceStatus |
sub_4097C4(8a54): MSVCRT.fopen MSVCRT.fclose |
sub_409995(8bd0): MSVCRT.rand |
sub_407367(8e23): WS2_32.ntohl |
sub_4091CA(8fa9): MSVCRT.strcpy WS2_32.gethostbyname WS2_32.inet_ntoa WS2_32.inet_addr WS2_32.gethostbyaddr |
sub_408D57(92f8): ADVAPI32.StartServiceCtrlDispatcherA "FAT Defragmentation" |
sub_408956(9ae8): ADVAPI32.OpenSCManagerA ADVAPI32.OpenServiceA ADVAPI32.CloseServiceHandle "ServicesActive" |
sub_404D6D(9af9): WS2_32.socket WS2_32.inet_addr WS2_32.ntohs WS2_32.connect MSVCRT.strlen WS2_32.recv "IrcRead" "SUVW" "PASS %s\r\n" "xLegion/0x029" |
sub_4073A9(9fab): WS2_32.inet_ntoa |
sub_406B21(a2f7): WS2_32.send |
sub_409237(abc1): WININET.InternetGetConnectedState |
sub_409783(adba): MSVCRT._stricmp |
sub_4093DC(b17f): KERNEL32.QueryPerformanceCounter KERNEL32.QueryPerformanceFrequency MSVCRT.ceil MSVCRT._ftol KERNEL32.GetTickCount MSVCRT._snprintf "days" "day" "hours" "hour" "minutes" "minute" |
sub_40867A(b51e): WS2_32.shutdown WS2_32.closesocket |
sub_407F03(bb14): KERNEL32.GetModuleFileNameA MSVCRT.fopen MSVCRT.fread WS2_32.send KERNEL32.Sleep MSVCRT.fclose |
sub_40971A(c7b8): KERNEL32.TerminateThread |
sub_408691(cd67): MSVCRT._strnicmp MSVCRT.strchr MSVCRT.strlen MSVCRT.strcpy MSVCRT.memcpy "http://" |
sub_4097E5(cd75): MSVCRT.malloc MSVCRT.memset MSVCRT.rand MSVCRT.sprintf "0123456789abcdefghijklmnopqrstuvwxyz" "%c%c%c%c%c%c%c" |
sub_406442(d44b): MSVCRT.free |
sub_408939(d78f): KERNEL32.CreateMutexA NTDLL.RtlGetLastWin32Error |
sub_404C8D(e325): MSVCRT.vsprintf KERNEL32.GetTickCount KERNEL32.Sleep MSVCRT.strlen WS2_32.send MSVCRT.free |
sub_4073B4(e7c6): WS2_32.socket WS2_32.ntohs WS2_32.ioctlsocket WS2_32.connect WS2_32.select WS2_32.closesocket |
sub_409022(ea76): KERNEL32.Sleep MSVCRT._stricmp KERNEL32.ExitProcess MSVCRT.rand USER32.GetMessageA USER32.TranslateMessage USER32.DispatchMessageA WS2_32.WSACleanup KERNEL32.SetErrorMode KERNEL32.GetTickCount MSVCRT.srand "FTPDaemon" "ShellcodeDaemon" "TFTPDaemon" |
sub_408FA5(ee5d): "FAT Defragmentation" |
sub_40870A(f00b): WININET.InternetOpenA WININET.InternetConnectA WININET.HttpOpenRequestA WININET.HttpSendRequestA MSVCRT.fopen WININET.InternetQueryDataAvailable WININET.InternetReadFile MSVCRT.fwrite MSVCRT.free KERNEL32.Sleep WININET.InternetCloseHandle MSVCRT.fclose KERNEL32.WinExec KERNEL32.GetModuleFileNameA "dETOX" "wb" |
sub_40661D(f1cc): MSVCRT.memset "BBBB" "CCCC" |
sub_406A47(fcdc): MSVCRT.malloc MSVCRT.memset MSVCRT.memcpy MSVCRT.free |