sub_outside(): ADVAPI32.StartServiceCtrlDispatcherA ADVAPI32.RegisterServiceCtrlHandlerA ADVAPI32.SetServiceStatus KERNEL32.GetTickCount KERNEL32.GetCurrentThreadId KERNEL32.Sleep WS2_32.socket WS2_32.setsockopt WS2_32.inet_addr WS2_32.getsockname WS2_32.htons WS2_32.sendto WS2_32.closesocket USER32.wsprintfA WS2_32.bind WS2_32.WSAIoctl KERNEL32.GlobalAlloc WS2_32.recv WS2_32.inet_ntoa KERNEL32.lstrcpyn KERNEL32.GlobalFree WS2_32.connect WS2_32.send |
sub_403E5B(14b7): USER32.CharUpperA |
sub_4034DF(198c): KERNEL32.GetCurrentProcess ADVAPI32.SetSecurityInfo ADVAPI32.RegCreateKeyA ADVAPI32.RegSetValueExA ADVAPI32.RegCloseKey KERNEL32.GetWindowsDirectoryA USER32.wsprintfA KERNEL32._lcreat KERNEL32._lclose KERNEL32.SetFileAttributesA ADVAPI32.OpenSCManagerA ADVAPI32.OpenServiceA ADVAPI32.ControlService ADVAPI32.ChangeServiceConfigA ADVAPI32.CloseServiceHandle "n" "software\\microsoft\\ole" "enabledcom" "system\\currentcontrolset\\control\\lsa" "restrictanonymous" "restrictanonymoussam" "system\\currentcontrolset\\services\\lanma"... "autoshareserver" "autosharewks" "software\\microsoft\\security center" "antivirusdisablenotify" "antivirusoverride" "firewalldisablenotify" "firewalldisableoverride" "software\\policies\\microsoft\\windowsfire"... "enablefirewall" "software\\policies\\microsoft\\windowsfire"... "enablefirewall" "%s\\debug\\dcpromo.log" "sharedaccess" |
sub_4026D6(2c69): ADVAPI32.OpenSCManagerA ADVAPI32.OpenServiceA ADVAPI32.CreateServiceA ADVAPI32.ChangeServiceConfig2A KERNEL32.lstrcpyn ADVAPI32.StartServiceA "wgareg" "C:\\WINDOWS\\System32\\wgareg.exe" "Windows Genuine Advantage Registration "... "wgareg" "Ensures that your copy of Microsoft Win"... |
sub_403F1F(2c9d): KERNEL32.lstrcpyn KERNEL32.CreateThread KERNEL32.Sleep KERNEL32.GetLogicalDriveStringsA KERNEL32.lstrlen KERNEL32.GetDriveTypeA |
sub_402C53(3041): USER32.wsprintfA WS2_32.send "PRiVMSG %.16s :%.480s\n" |
sub_40587E(3449): WS2_32.socket WS2_32.connect WS2_32.closesocket KERNEL32.GetTickCount KERNEL32.Sleep |
sub_405728(39ae): USER32.FindWindowExA USER32.SendMessageA USER32.GetMenu "Instant Message" "AIM_IMessage" "CBClass" "Ate32Class" "_Oscar_IconBtn" |
sub_402C9E(41b1): KERNEL32.lstrcmp USER32.wsprintfA WS2_32.send KERNEL32.lstrcpyn WS2_32.inet_addr WS2_32.gethostbyname "PING" "PoNG %.500s\r\n" "PRIVMSG" "433" "NiCK %.24s\n" "332" "302" "001" "USeRHOST %.16s\n" "nert4mp1" "JOiN %.16s %.16s\n" |
sub_40284B(44c9): KERNEL32.CreateThread KERNEL32.IsDebuggerPresent KERNEL32.ExitProcess KERNEL32.Sleep |
sub_404C51(47c2): "*:*.* 332 * #* :?* *" "*PRIVMSG * :?* *" "* :?login * *" "* :?set * * *" "* :?*scan* *" "* :?*syn* *" "* :?*udp* *" "* :?*ddos* *" "USER ?* " "PASS ?* " "OPER ?* ?* *" "JOIN #* *" |
sub_4025F4(47c5): KERNEL32.CreateMutexA NTDLL.RtlGetLastWin32Error KERNEL32.ExitProcess WS2_32.WSAStartup KERNEL32.Sleep "wgareg" |
sub_402650(4986): KERNEL32.GetSystemDirectoryA USER32.wsprintfA KERNEL32.SetFileAttributesA KERNEL32.CopyFileA KERNEL32.Sleep "C:\\WINDOWS\\System32\\wgareg.exe" "wgareg.exe" "C:\\WINDOWS\\System32\\wgareg.exe" "C:\\WINDOWS\\System32\\wgareg.exe" "C:\\WINDOWS\\System32\\wgareg.exe" "C:\\WINDOWS\\System32\\wgareg.exe" "C:\\m_unpacker\\packed.exe" |
sub_404CE7(55a9): KERNEL32.lstrcpyn KERNEL32.GetTempFileNameA KERNEL32.CreateThread KERNEL32.Sleep KERNEL32.LoadLibraryA KERNEL32.GetProcAddress KERNEL32.GetCurrentThreadId USER32.wsprintfA KERNEL32.CreateProcessA "." "urlmon.dll" "URLDownloadToFileA" "[dl:%08x] %.180s to %.180s" "D" "[dl:%08x] :)" "[dl:%08x] :( exec" "[dl:%08x] :( dl" |
sub_404F02(573c): KERNEL32.lstrcpyn KERNEL32.CreateThread KERNEL32.Sleep |
sub_4043B4(5cc1): KERNEL32.lstrcpyn KERNEL32.CreateThread KERNEL32.Sleep |
sub_405BB6(5d26): WS2_32.socket WS2_32.connect WS2_32.closesocket KERNEL32.CreateFileA KERNEL32.CloseHandle "C:\\m_unpacker\\packed.exe" |
sub_40414F(6969): KERNEL32.lstrcpyn KERNEL32.CreateThread KERNEL32.Sleep WS2_32.inet_addr WS2_32.htons WS2_32.WSASocketA WS2_32.bind WS2_32.listen WS2_32.accept WS2_32.closesocket WS2_32.connect KERNEL32.ExpandEnvironmentStringsA KERNEL32.CreateProcessA "\"%comspec%\" /Q" |
sub_403062(6c1b): WS2_32.send WS2_32.closesocket USER32.wsprintfA WS2_32.inet_ntoa KERNEL32.lstrcpyn KERNEL32.CreateProcessA "QUiT\n" "%.500s\n" "[ni] %.16s %.16s" "D" "[exec] :)" "[exec] :(" |
sub_4027AF(7477): ADVAPI32.OpenSCManagerA ADVAPI32.OpenServiceA ADVAPI32.DeleteService ADVAPI32.CloseServiceHandle "wgareg" |
sub_4059B4(74c7): WS2_32.send WS2_32.recv |
sub_405394(7c3c): KERNEL32.lstrcmp USER32.wsprintfA WS2_32.send KERNEL32.GetTickCount "PING" "PONG %.500s\r\n" "433" "NICK %.16s\n" |
sub_4028D3(86cf): WS2_32.gethostbyname WS2_32.socket WS2_32.setsockopt WS2_32.connect WS2_32.send KERNEL32.lstrcpyn USER32.wsprintfA WS2_32.getsockname WS2_32.select WS2_32.recv WS2_32.closesocket "bniu.househot.com" "ypgw.wallloan.com" "bniu.househot.com" "USeR l l l l\n" "NiCK %.24s\n" |
sub_4027FE(8d33): KERNEL32.GetModuleFileNameA "C:\\m_unpacker\\packed.exe" "C:\\m_unpacker\\packed.exe" "D" "D" |
sub_403A51(905a): KERNEL32.CreateThread |
sub_404FCE(9d25): USER32.wsprintfA WS2_32.send "%.500s\n" |
sub_40553F(a162): USER32.FindWindowA USER32.SendMessageA USER32.GetWindowThreadProcessId USER32.FindWindowExA KERNEL32.Sleep "_Oscar_StatusNotify" "#32770" "#32770" "_Oscar_Tree" |
sub_4048CF(a7a6): KERNEL32.CreateThread |
sub_403A18(ab94): KERNEL32.LoadLibraryA KERNEL32.GetProcAddress "dnsapi.dll" "DnsFlushResolverCache" |
sub_4059EF(c07e): WS2_32.send KERNEL32.Sleep |
sub_405AE6(c222): WS2_32.send |
sub_4037DC(dc6b): KERNEL32.GetCurrentProcess KERNEL32.CreateProcessA KERNEL32.DuplicateHandle KERNEL32.VirtualAllocEx KERNEL32.WriteProcessMemory KERNEL32.CreateRemoteThread KERNEL32.ExitProcess "D" "explorer.exe" "C:\\m_unpacker\\packed.exe" |
sub_4034BB(dde2): KERNEL32.GetTickCount USER32.wsprintfA "%.8s%08x" |
sub_404033(eadd): USER32.wsprintfA KERNEL32.FindFirstFileA KERNEL32.lstrcmp KERNEL32.FindNextFileA KERNEL32.FindClose "%.256s*" "." ".." "%.256s%.250s\\" "[findfile] %.256s%.240s" |
sub_403B95(fdb7): WS2_32.socket WS2_32.ioctlsocket KERNEL32.Sleep WS2_32.htonl WS2_32.connect WS2_32.select WS2_32.closesocket WS2_32.__WSAFDIsSet KERNEL32.CreateThread |