sub_outside(): KERNEL32.lstrlenA MSVCRT.strncat MSVCRT.strcat USER32.GetClassNameA KERNEL32.lstrcmpA USER32.EnumChildWindows MSVCRT.strcmp KERNEL32.MultiByteToWideChar MSVCRT.calloc KERNEL32.WideCharToMultiByte USER32.GetForegroundWindow USER32.GetWindowThreadProcessId KERNEL32.GetCurrentThreadId USER32.AttachThreadInput USER32.GetKeyboardState USER32.GetKeyboardLayout USER32.ToAsciiEx KERNEL32.lstrcpyA USER32.GetSystemMetrics USER32.WindowFromPoint KERNEL32.lstrcatA USER32.CallNextHookEx MSVCRT.time MSVCRT.srand KERNEL32.GetSystemDirectoryA MSVCRT.sprintf KERNEL32.CreateFileA KERNEL32.GetFileSize MSVCRT.malloc KERNEL32.ReadFile KERNEL32.GetFileTime KERNEL32.CloseHandle MSVCRT.strstr KERNEL32.DeleteFileA KERNEL32.MoveFileA KERNEL32.WriteFile KERNEL32.SetFileTime MSVCRT.free ADVAPI32.CryptGetProvParam KERNEL32.GetSystemTime MSVCRT.strcpy KERNEL32.LoadLibraryA KERNEL32.GetProcAddress KERNEL32.FreeLibrary MSVCRT.atoi KERNEL32.CreateThread KERNEL32.Sleep |
_DllMain12(): KERNEL32.GetModuleFileNameA MSVCRT._strlwr MSVCRT.strstr KERNEL32.CreateThread KERNEL32.CreateEventA |
sub_1000FCEB(0090): KERNEL32.WideCharToMultiByte MSVCRT.strcmp "AppInit_DLLs" |
sub_1000291D(01b8): KERNEL32.lstrlenA MSVCRT.malloc MSVCRT.memset MSVCRT.strncat KERNEL32.GetSystemDirectoryA KERNEL32.lstrcatA MSVCRT.sprintf KERNEL32.CreateFileA KERNEL32.SetFilePointer KERNEL32.WriteFile KERNEL32.SetFileTime KERNEL32.CloseHandle MSVCRT.free "\\" "ms32clod" "c:\\%s.log" |
sub_10018943(0211): ADVAPI32.IsTextUnicode |
sub_10015BF1(02a3): WS2_32.select WS2_32.recv WS2_32.closesocket MSVCRT.malloc WS2_32.send WS2_32.socket WS2_32.gethostbyname MSVCRT.memcpy WS2_32.connect WS2_32.bind WS2_32.accept KERNEL32.CreateThread |
sub_10007B34(02c7): MSVCRT.strrchr KERNEL32.lstrcpyA MSVCRT.sprintf KERNEL32.FindFirstFileA KERNEL32.lstrcmpA MSVCRT.malloc KERNEL32.FindClose MSVCRT.free MSVCRT.strstr KERNEL32.CreateThread KERNEL32.GetSystemDirectoryA KERNEL32.CreateFileA KERNEL32.SetFilePointer MSVCRT.strlen KERNEL32.WriteFile KERNEL32.CloseHandle MSVCRT._strlwr KERNEL32.DeleteFileA KERNEL32.FindNextFileA KERNEL32.Sleep "%s\\*.*" "." ".." "%s\\%s" "%s\\%s" "%s__%s" ".sol" "%s__%s&&%s" "%s\\hlst.tmp" "\r\n" "%s__%s" ".sol" "%s__%s&&%s" "%s\\hlst.tmp" "\r\n" |
sub_100189B8(037e): MSVCRT.fopen MSVCRT.fread KERNEL32.lstrcpyA MSVCRT.fclose "rb" |
sub_10014916(041f): WS2_32.select WS2_32.recv WS2_32.closesocket WS2_32.send |
sub_10011AA3(0733): MSVCRT.malloc MSVCRT.strncpy MSVCRT.strstr WS2_32.getpeername WS2_32.gethostbyaddr KERNEL32.lstrlenA MSVCRT.sprintf KERNEL32.lstrcatA MSVCRT.memset MSVCRT.free "USER" "PASS" "---------------hFTP--------------\r\nURL "... "\r\n\r\n" "\r\n - PASS error" |
sub_1000C9DC(085d): GDI32.CreateSolidBrush MSVCRT.memset KERNEL32.lstrcpyA GDI32.CreateFontIndirectA MSVCRT.time MSVCRT.srand KERNEL32.GetSystemDirectoryA MSVCRT.strcat KERNEL32.CreateFileA KERNEL32.GetFileTime KERNEL32.CloseHandle USER32.RegisterWindowMessageA KERNEL32.GetModuleHandleA USER32.SetWindowsHookExA KERNEL32.CreateEventA USER32.SetTimer KERNEL32.CreateThread "Times New Roman" "\\kernel32.dll" "KPMM" "ms32clod" |
sub_1001936C(0b14): MSVCRT._EH_prolog |
sub_1001B450(110c): MSVCRT.fwrite |
sub_10002F3C(1311): KERNEL32.GetCurrentProcessId KERNEL32.CreateToolhelp32Snapshot KERNEL32.Thread32First USER32.EnumThreadWindows KERNEL32.Thread32Next KERNEL32.CloseHandle |
sub_100100FD(13ed): KERNEL32.WideCharToMultiByte MSVCRT.malloc KERNEL32.lstrcpyA MSVCRT.memcpy MSVCRT.strcpy KERNEL32.CreateThread |
sub_1001A916(14e2): MSVCRT._mbsicmp |
sub_1000579B(15a7): KERNEL32.GetCurrentProcess ADVAPI32.OpenProcessToken ADVAPI32.LookupPrivilegeValueA ADVAPI32.AdjustTokenPrivileges USER32.ExitWindowsEx "SeShutdownPrivilege" |
sub_10018059(1d93): KERNEL32.GetCurrentThreadId KERNEL32.VirtualProtect |
sub_10017832(1de9): MSVCRT.memset |
sub_10003786(1ea7): MSVCRT.memset KERNEL32.lstrcpyA KERNEL32.lstrlenA KERNEL32.lstrcatA KERNEL32.lstrcmpA USER32.GetCursorPos USER32.ScreenToClient MSVCRT.atoi MSVCRT.isalpha MSVCRT.isdigit "," "," "," "password" "text" "hidden" "submit" "button" "image" "=" "l" "d" "\r\n" |
sub_10014769(1fd0): WS2_32.getsockname WS2_32.htons WS2_32.send WS2_32.closesocket |
sub_1001366B(21bd): KERNEL32.TlsSetValue |
sub_10017768(21d9): KERNEL32.GetCurrentThreadId KERNEL32.VirtualProtect KERNEL32.ResumeThread |
sub_10018210(22a6): KERNEL32.GetModuleHandleA MSVCRT.strcmp ".detour" |
sub_10009FE2(2381): MSVCRT.sprintf KERNEL32.CreateFileA KERNEL32.GetFileSize MSVCRT.malloc MSVCRT.memset KERNEL32.CloseHandle KERNEL32.ReadFile KERNEL32.SetFilePointer KERNEL32.SetEndOfFile KERNEL32.SetFileTime KERNEL32.lstrcpyA KERNEL32.lstrlenA MSVCRT.strstr "%s%s" "%s%s" "%s__.all" "%s__.log" |
sub_10004DAA(2598): GDI32.SelectObject USER32.GetForegroundWindow USER32.GetWindowThreadProcessId KERNEL32.GetCurrentThreadId USER32.AttachThreadInput USER32.GetKeyboardState USER32.GetKeyboardLayout USER32.ToAsciiEx KERNEL32.lstrcpyA KERNEL32.MultiByteToWideChar MSVCRT.malloc USER32.DrawTextW USER32.CallNextHookEx |
sub_10003541(2737): USER32.CallNextHookEx |
sub_100194D2(2754): MSVCRT.free |
sub_1000B027(2a64): KERNEL32.QueryPerformanceCounter MSVCRT.srand KERNEL32.GetSystemDirectoryA MSVCRT.sprintf KERNEL32.DeleteFileA MSVCRT.malloc MSVCRT.strlen MSVCRT.strcpy MSVCRT.free KERNEL32.lstrcpyA KERNEL32.CreateThread "%s\\%s.tmp" "c:" "%s%s" "d:" "%s%s" "%s%s" "1" "s" |
sub_100071C0(2c0d): MSVCRT.sprintf KERNEL32.FindFirstFileA KERNEL32.lstrcmpA MSVCRT.malloc KERNEL32.FindClose MSVCRT.free KERNEL32.lstrlenA KERNEL32.FindNextFileA KERNEL32.Sleep "%s\\*.*" "." ".." "%s\\%s" "%s\\%s" |
sub_100142FF(2c38): WS2_32.gethostbyname WS2_32.WSAGetLastError MSVCRT.fprintf KERNEL32.SetEvent MSVCRT.memset MSVCRT.memcpy WS2_32.htons WS2_32.socket WS2_32.connect WS2_32.select WS2_32.recv WS2_32.closesocket WS2_32.send "Client: Cannot resolve address [%s]: Er"... |
sub_1000274A(2d1d): MSVCRT.memset MSVCRT.rand |
sub_10017AB5(2fef): KERNEL32.GetCurrentThread KERNEL32.SuspendThread |
sub_1000279F(30d5): KERNEL32.LocalAlloc MSVCRT.wcscmp KERNEL32.LocalFree |
sub_100011DC(3133): MSVCRT.strlen MSVCRT.strstr MSVCRT.malloc MSVCRT.memset MSVCRT.strncpy |
sub_1001AE00(3215): MSVCRT.fopen MSVCRT.fputc MSVCRT.fclose "wb" |
sub_10018954(3261): MSVCRT.malloc |
sub_1001785F(3319): KERNEL32.GetCurrentThreadId KERNEL32.GetThreadContext KERNEL32.GetCurrentProcess KERNEL32.VirtualProtect KERNEL32.FlushInstructionCache KERNEL32.ResumeThread |
sub_10012DD0(3873): WININET.InternetQueryOptionA KERNEL32.lstrlenA MSVCRT.malloc MSVCRT.memset KERNEL32.lstrcpyA MSVCRT.strstr MSVCRT.free MSVCRT.strncat KERNEL32.CreateThread "\r\nAccept-Encoding: gzip, deflate" "Referer" "Referer" "\r\n" "\r\n" "---------------" "--------------\r\n" "Field :\r\n" "\r\n\r\nThread: " "\r\n\r\n\r\n" |
sub_1000B536(39f9): KERNEL32.GetSystemDirectoryA MSVCRT.sprintf KERNEL32.CreateFileA KERNEL32.GetFileTime KERNEL32.CloseHandle KERNEL32.lstrcatA KERNEL32.ReadFile KERNEL32.lstrlenA MSVCRT.time KERNEL32.QueryPerformanceCounter KERNEL32.WriteFile KERNEL32.SetFileTime "%x-%x-%x" "%d_%s" |
sub_10016BBE(3d2d): WS2_32.htons WS2_32.socket WS2_32.bind KERNEL32.CreateThread |
sub_1001BBB0(4335): MSVCRT.memmove MSVCRT.putc |
sub_1001931B(447f): MSVCRT.malloc MSVCRT.realloc |
sub_1001CB81(4529): KERNEL32.LocalFree |
sub_1001361F(4620): KERNEL32.TlsSetValue KERNEL32.InterlockedIncrement |
sub_1000E615(4659): KERNEL32.CreateFileA KERNEL32.WriteFile KERNEL32.CloseHandle |
sub_1001CAE2(4878): MSVCRT._CxxThrowException |
sub_10013A20(4a3e): KERNEL32.GetProcessHeap MSVCRT.sscanf MSVCRT._stricmp MSVCRT.strcpy MSVCRT.atoi MSVCRT.strstr MSVCRT.strlen MSVCRT.strcat MSVCRT.memset "%s%s%s" "CONNECT" ":" "http://" "http://" ":" ":" "http://" "Proxy-Connection: Keep-Alive\r\n" "HTTP/1.1" "HTTP/1.0" |
sub_10001DE0(4c72): USER32.GetSystemMetrics USER32.WindowFromPoint USER32.GetClassNameA MSVCRT.strcmp KERNEL32.lstrcmpA KERNEL32.lstrlenA KERNEL32.lstrcpyA USER32.SendMessageA MSVCRT.memset MSVCRT.strstr "IEFrame" "msctls_statusbar32" "Edit" |
fn(5183): USER32.IsWindowVisible USER32.GetAncestor MSVCRT.memcpy |
sub_1000E66B(5372): MSVCRT.memset KERNEL32.GetTempPathA KERNEL32.lstrcpyA KERNEL32.lstrcatA ".pfx" |
sub_100190C2(5598): MSVCRT.free |
sub_100012D1(59e0): MSVCRT.strlen MSVCRT.strstr KERNEL32.lstrcpyA MSVCRT.strncat MSVCRT.strcat |
sub_100139D0(5c2a): MSVCRT.rand MSVCRT._itoa |
sub_10016AB3(5d01): WS2_32.socket WS2_32.htons WS2_32.bind WS2_32.accept KERNEL32.CreateThread |
sub_100176F1(5fbd): KERNEL32.GetCurrentThreadId KERNEL32.InterlockedCompareExchange |
sub_1001CA12(64ff): MSVCRT.wcslen KERNEL32.WideCharToMultiByte |
sub_10013713(66fe): KERNEL32.TlsFree |
sub_10003460(6931): KERNEL32.GetModuleHandleA USER32.GetWindowThreadProcessId USER32.SetWindowsHookExA "ms32clod" |
sub_1001906B(693a): MSVCRT.strlen MSVCRT._mbsnbicmp |
sub_10017B39(6e5d): KERNEL32.GetCurrentThreadId KERNEL32.VirtualProtect |
sub_10005BE3(6f8d): KERNEL32.lstrcpyA MSVCRT.strchr WS2_32.WSAStartup WS2_32.gethostbyname MSVCRT.memset MSVCRT.memcpy WS2_32.htons WS2_32.socket WS2_32.connect WS2_32.closesocket |
sub_1000B7EF(7320): KERNEL32.LoadLibraryA KERNEL32.GetProcAddress KERNEL32.lstrcpyA KERNEL32.GetSystemDirectoryA KERNEL32.lstrcatA KERNEL32.CreateFileA KERNEL32.GetFileSize MSVCRT.malloc MSVCRT.memset KERNEL32.ReadFile KERNEL32.CloseHandle ADVAPI32.RegOpenKeyExA KERNEL32.lstrcmpA ADVAPI32.RegQueryValueExA MSVCRT.time MSVCRT.atoi ADVAPI32.RegEnumKeyExA ADVAPI32.RegDeleteKeyA MSVCRT.sprintf KERNEL32.GetLogicalDrives KERNEL32.GetDriveTypeA KERNEL32.WriteFile KERNEL32.SetFileAttributesA KERNEL32.CopyFileA MSVCRT.memcpy MSVCRT.strcpy KERNEL32.CreateThread MSVCRT.strlen KERNEL32.FreeLibrary KERNEL32.GetTempPathA MSVCRT.strrchr MSVCRT.free SHELL32.SHGetSpecialFolderPathA KERNEL32.DeleteFileA "shell32" "SHGetSpecialFolderPathA" "\\l00834.dat" "\n" "close" "sl" "close" "gl" "CopyFileA" "kernel32" "%c:\\" "%sautorun.inf" "[autorun]\r\nopen=browser.exe\r\n" "browser.exe" "\\mmd109en.dat" "%s%s" "%s__PS.txt" ".pfx" "MY" "%s%s" "%s%s" "%s\\Macromedia" "%s%s" "%s__macromed" "\\cok458en.dat" "%s%s" "%s__cookies" |
sub_100034DC(7383): USER32.UnhookWindowsHookEx |
sub_1001B640(747a): MSVCRT.putc |
sub_1001845C(74fb): MSVCRT.memcpy |
sub_10018AC6(7537): MSVCRT._EH_prolog MSVCRT.fopen MSVCRT.sprintf MSVCRT.time MSVCRT.srand MSVCRT.rand MSVCRT.fclose MSVCRT.free "wb" "utf-8" "\n" |
sub_10005E66(75f9): KERNEL32.lstrlenA MSVCRT.malloc KERNEL32.lstrcpyA MSVCRT.strchr WS2_32.WSAStartup WS2_32.gethostbyname MSVCRT.memset MSVCRT.memcpy WS2_32.htons WS2_32.socket WS2_32.connect MSVCRT.sprintf MSVCRT.strcat MSVCRT.strlen WS2_32.send WS2_32.select WS2_32.recv MSVCRT.strstr MSVCRT.atoi KERNEL32.CreateFileA KERNEL32.WriteFile KERNEL32.CloseHandle WS2_32.closesocket MSVCRT.free "GET %s HTTP/1.0\r\nAccept: */*\r\nHost: %s\r"... "\r\n" "HTTP/1.1 200 OK" "\r\n\r\n" "\r\n" |
sub_100136A4(7839): KERNEL32.TlsAlloc |
sub_100105F9(7b5f): USER32.MessageBoxA "LoadLibrary" |
sub_10012894(7bf4): WININET.InternetQueryOptionA MSVCRT.malloc MSVCRT.memset KERNEL32.WideCharToMultiByte KERNEL32.MultiByteToWideChar MSVCRT.strstr KERNEL32.lstrcpyA KERNEL32.lstrlenA MSVCRT.free MSVCRT.strncat KERNEL32.CreateThread "\r\nAccept-Encoding: gzip, deflate" "Referer" "Referer" "\r\n" "\r\n" "---------------" "--------------\r\n" "Field :\r\n" "\r\n\r\nThread: " "\r\n\r\n\r\n" |
sub_10017741(7df6): KERNEL32.VirtualProtect |
sub_1001780B(7df6): KERNEL32.VirtualProtect |
sub_1000D7F0(7e17): KERNEL32.InterlockedDecrement |
sub_10019167(7f37): MSVCRT.memmove |
sub_100102E8(7f3d): KERNEL32.SetEvent |
sub_10019DAA(8221): MSVCRT._EH_prolog MSVCRT.strlen |
sub_1001947D(82b0): MSVCRT.free |
sub_10001F5B(8441): USER32.GetClassNameA MSVCRT.strcmp MSVCRT.strlen MSVCRT.strcpy USER32.SendMessageA MSVCRT.memset MSVCRT.strstr "msctls_statusbar32" "Edit" |
sub_100055F0(8481): KERNEL32.CreateFileA KERNEL32.GetFileSize MSVCRT.malloc KERNEL32.ReadFile KERNEL32.CloseHandle MSVCRT.strlen MSVCRT.strncpy MSVCRT.strcmp "**" |
sub_1001B270(864f): MSVCRT.vfprintf MSVCRT.exit |
sub_1001A057(86f7): MSVCRT._EH_prolog MSVCRT.fopen MSVCRT.ftell MSVCRT.fclose MSVCRT.malloc MSVCRT.fread MSVCRT.free "rb" |
sub_1000827F(899b): KERNEL32.lstrlenA MSVCRT.malloc MSVCRT.memset KERNEL32.lstrcpyA |
sub_1001C6A0(8b7e): "17" |
sub_1000537C(8cce): USER32.GetForegroundWindow USER32.GetDC USER32.GetSystemMetrics GDI32.CreateCompatibleDC GDI32.SetTextColor GDI32.SetBkColor GDI32.CreateCompatibleBitmap GDI32.SelectObject GDI32.BitBlt USER32.ReleaseDC USER32.FillRect KERNEL32.GetModuleHandleA USER32.SetWindowsHookExA USER32.SetTimer USER32.GetMessageA USER32.TranslateMessage USER32.DispatchMessageA "ms32clod" "ms32clod" |
sub_100050D9(8d2c): MSVCRT._strlwr MSVCRT.strstr KERNEL32.ResetEvent KERNEL32.lstrcpyA KERNEL32.CreateThread GDI32.SelectObject USER32.DrawTextA USER32.wsprintfA KERNEL32.SetEvent USER32.CallNextHookEx "http://" "://" "%d" |
StartAddress(917f): MSVCRT.time MSVCRT.srand MSVCRT.malloc MSVCRT.memset MSVCRT.sprintf MSVCRT.strcpy MSVCRT.strchr WS2_32.WSAStartup WS2_32.gethostbyname MSVCRT.memcpy WS2_32.htons WS2_32.socket WS2_32.connect MSVCRT.strlen KERNEL32.CreateFileA KERNEL32.GetFileSize WS2_32.send KERNEL32.ReadFile KERNEL32.CloseHandle WS2_32.select WS2_32.recv MSVCRT.strstr KERNEL32.GetModuleHandleA KERNEL32.GetModuleFileNameA MSVCRT.strrchr MSVCRT.strcat KERNEL32.lstrlenA KERNEL32.WriteFile MSVCRT.atoi WS2_32.closesocket MSVCRT.free KERNEL32.DeleteFileA KERNEL32.ExitThread "---------------------------%s" "--%s\r\nContent-Disposition: form-data; n"... "\r\n--%s--\r\n" "POST %s HTTP/1.1\r\nAccept: */*\r\nContent-"... "\r\n\r\n" "ms32clod" "\r\n\r\n" |
sub_10001D30(9197): USER32.GetClassNameA MSVCRT.strcmp "Internet Explorer_Server" |
sub_10011E49(91dd): KERNEL32.lstrlenA MSVCRT.malloc KERNEL32.lstrcpyA WININET.InternetQueryOptionA MSVCRT.strstr MSVCRT.strchr MSVCRT.atoi MSVCRT.strcmp MSVCRT._strlwr WININET.InternetCloseHandle WININET.InternetConnectA MSVCRT.free ".htm*.php*.do*.asp*.jsp*?" "//" "//" "/" "/" "//" "//" "/" "//" "//" "/" "POST" |
sub_10011167(938e): MSVCRT.malloc KERNEL32.WaitForSingleObject MSVCRT.realloc KERNEL32.lstrlenA MSVCRT.memset KERNEL32.lstrcpyA MSVCRT.strcmp KERNEL32.CreateThread MSVCRT.free MSVCRT.memcpy "1" "---------------" "--------------\r\nBalance :\r\n" "\r\n\r\n\r\n" |
sub_1001AB59(97e8): MSVCRT.memcpy MSVCRT.strstr "encoding" "utf-8" "utf8" "shiftjis" "shift-jis" "sjis" |
sub_10019709(9868): MSVCRT._EH_prolog |
sub_1001B770(9a22): "Out of memory." |
sub_10017656(9ac4): KERNEL32.VirtualQuery |
sub_10018D54(9e65): MSVCRT.strcpy |
sub_1001A6C0(9fe5): MSVCRT.malloc |
sub_1001954D(a046): MSVCRT._mbsstr MSVCRT.strlen |
sub_1000D7D0(a21d): KERNEL32.InterlockedIncrement |
sub_10014871(a2a8): WS2_32.getsockname WS2_32.send WS2_32.closesocket |
sub_1000FFF9(a395): KERNEL32.WideCharToMultiByte "======" "======\r\n" "=====End=====\r\n" |
sub_1000559C(a59b): KERNEL32.MultiByteToWideChar KERNEL32.LoadLibraryA KERNEL32.GetProcAddress "sfc_os.dll" |
sub_1000F7FE(a665): MSVCRT.strstr MSVCRT.strncat |
sub_10002881(a788): MSVCRT.strlen "0123456789abcdef" |
sub_1001A8DB(a7f6): MSVCRT._mbsicmp |
sub_10014B0F(a9b0): WS2_32.socket WS2_32.htons WS2_32.gethostbyname MSVCRT.memcpy WS2_32.connect KERNEL32.Sleep KERNEL32.lstrlenA WS2_32.send WS2_32.select WS2_32.closesocket WS2_32.WSAIoctl WS2_32.recv MSVCRT.malloc WS2_32.bind WS2_32.accept KERNEL32.CreateThread |
sub_1000116E(aaba): MSVCRT.strlen MSVCRT.strchr "\\/:*\"<>|?" |
sub_1001C420(ab66): "Out of memory." |
sub_10003645(afd4): KERNEL32.LoadLibraryA USER32.RegisterWindowMessageA USER32.SendMessageTimeoutA KERNEL32.GetProcAddress KERNEL32.FreeLibrary "OLEACC.DLL" "WM_HTML_GETOBJECT" "ObjectFromLresult" "{626fc520-a41e-11cf-a731-00a0c9082637}" |
sub_1001B3E0(b41e): MSVCRT.fread |
sub_10017DDC(b4d7): KERNEL32.VirtualQuery KERNEL32.VirtualAlloc MSVCRT.memset |
sub_1000EB30(b647): KERNEL32.GetLocaleInfoA MSVCRT.malloc MSVCRT.sprintf MSVCRT.memset KERNEL32.GetVersionExA KERNEL32.lstrcatA ADVAPI32.RegOpenKeyExA ADVAPI32.RegQueryValueExA ADVAPI32.RegCloseKey KERNEL32.lstrcmpiA USER32.GetSystemMetrics "User Locale: %s\r\n System: " "Microsoft Windows Server 2003, " "Microsoft Windows XP " "Microsoft Windows 2000 " "Microsoft Windows NT " "Workstation 4.0 " "Home Edition " "Professional " "Datacenter Edition " "Enterprise Edition " "Web Edition " "Standard Edition " "Datacenter Server " "Advanced Server " "Server " "Server 4.0, Enterprise Edition " "Server 4.0 " "SYSTEM\\CurrentControlSet\\Control\\Produc"... "ProductType" "WINNT" "Workstation " "LANMANNT" "Server " "SERVERNT" "Advanced Server " "%d.%d " "Service Pack 6" "SOFTWARE\\Microsoft\\Windows NT\\CurrentVe"... "Service Pack 6a (Build %d)\n" "%s (Build %d)\n" "%s (Build %d)\n" "\nRes: %dx%d" "User Agent" "\r\nUser agent:" |
sub_100010BB(b68b): MSVCRT.malloc MSVCRT.memset MSVCRT.strlen MSVCRT.strncat |
sub_1001A9E3(ba8c): MSVCRT._mbsicmp |
sub_10004960(bc62): USER32.GetCursorPos USER32.WindowFromPoint USER32.GetClassNameA KERNEL32.lstrcmpA USER32.CallNextHookEx "Internet Explorer_Server" |
sub_10006FD3(beea): KERNEL32.lstrlenA MSVCRT._strlwr KERNEL32.lstrcmpA MSVCRT.free MSVCRT.strstr "." "." |
sub_100191E6(c3bb): MSVCRT.memmove |
sub_1000878F(c662): KERNEL32.GetModuleHandleA KERNEL32.GetModuleFileNameA MSVCRT.strrchr KERNEL32.lstrcatA MSVCRT.malloc MSVCRT.memset MSVCRT.atoi SHELL32.SHGetSpecialFolderPathA KERNEL32.lstrlenA KERNEL32.lstrcpyA KERNEL32.GetLogicalDrives MSVCRT.sprintf KERNEL32.GetDriveTypeA "ms32clod" "config" "notifyes" "notify" "url" "notify" "threadmasks" "threadmask" "mask" "threadmask" "what" "threadmask" "replaces" "replace" "item" "replace" "what" "replace" "injects" "inject" "url" "inject" "before" "inject" "what" "inject" "block" "inject" "check" "inject" "quan" "inject" "content" "inject" "t" "inject" "type" "inject" "notify" "inject" "global" "time" "test" "feeds" "feed" "url" "feed" "fps" "fp" "fp" "hlsts" "hlst" "hlst" "%c:\\" "%c:?" "limits" "num" "inject" "rep" "inject" "num" "scsh" "rep" "scsh" "num" "gp" "rep" "gp" "fakes" "fake" "url" "fake" "param" "fake" "item1" "fake" "item2" "fake" "type" "fake" "rtype" "fake" "scshs" "scsh" "url" "scsh" "param" "scsh" "multiscshs" "multiscsh" "url" "multiscsh" "param" "multiscsh" "gfs" "gf" "url" "gf" "param" "gf" |
sub_10013E02(c6a0): WS2_32.accept KERNEL32.CreateThread WS2_32.select WS2_32.recv MSVCRT.printf WS2_32.closesocket KERNEL32.CreateEventA KERNEL32.WaitForSingleObject KERNEL32.CloseHandle WS2_32.send MSVCRT.strstr "\nError Recv" "Client Close connection\n" "HTTP/1.1 200 Connection established\r\n\r\n"... "CONNECT" |
sub_1001B1B0(c700): MSVCRT.fseek |
sub_1000F5B1(cbe9): MSVCRT.isdigit MSVCRT.strstr |
sub_1001AE90(cc2f): MSVCRT.fopen MSVCRT.fprintf MSVCRT.printf MSVCRT.rewind MSVCRT.fclose "rb" "Can't open %s\n" "Replacing %s " "Adding %s " " %d.%d%%\n" |
sub_10018621(cc79): MSVCRT.memcpy |
sub_10017FD3(cc81): KERNEL32.VirtualQuery |
sub_1000F2AB(ceb8): KERNEL32.lstrlenA MSVCRT.strcmp MSVCRT.strstr MSVCRT.free "*" |
sub_10018D0C(cf32): MSVCRT.strlen MSVCRT.malloc MSVCRT.memcpy |
sub_10003605(cf8d): USER32.SendMessageA |
sub_10011CA2(cf91): MSVCRT.strstr WS2_32.getpeername WS2_32.gethostbyaddr KERNEL32.lstrlenA MSVCRT.sprintf MSVCRT.strncat KERNEL32.lstrcatA MSVCRT.memset "USER" "PASS" "---------------hFTP--------------\r\nURL "... "\r\n\r\n" "\r\n - PASS error" |
sub_100108A3(d086): MSVCRT.malloc MSVCRT.realloc KERNEL32.WaitForSingleObject KERNEL32.lstrlenA MSVCRT.memset KERNEL32.lstrcpyA MSVCRT.strcmp KERNEL32.CreateThread MSVCRT.free MSVCRT.memcpy "1" "---------------" "--------------\r\nBalance :\r\n" "\r\n\r\n\r\n" |
sub_10018E33(d11e): MSVCRT._mbsnbicmp MSVCRT.malloc MSVCRT.free |
sub_10010623(d271): KERNEL32.GetSystemTime MSVCRT.sprintf MSVCRT.malloc KERNEL32.lstrlenA MSVCRT.memset MSVCRT.realloc KERNEL32.lstrcatA "%d.%d.%d %d:%d" "%s%s" "%d|%s|%s|%s|%s|%s" |
sub_1001CBA7(d3fd): KERNEL32.LoadLibraryA KERNEL32.RaiseException KERNEL32.InterlockedExchange KERNEL32.LocalAlloc KERNEL32.FreeLibrary KERNEL32.GetProcAddress |
sub_10018E19(d44b): MSVCRT.free |
sub_100190FC(d462): MSVCRT.malloc |
sub_1000E866(d6b3): MSVCRT.strcmp "MY" |
sub_1001A730(d6e6): MSVCRT.memmove MSVCRT.free |
sub_10002C3D(d83e): ADVAPI32.RegOpenKeyExA ADVAPI32.RegCreateKeyExA KERNEL32.GetSystemDirectoryA MSVCRT.strcat MSVCRT.strlen ADVAPI32.RegSetValueExA MSVCRT.atoi ADVAPI32.RegFlushKey ADVAPI32.RegCloseKey |
sub_1000A318(d895): KERNEL32.GetSystemDirectoryA KERNEL32.lstrcatA KERNEL32.GetModuleHandleA KERNEL32.GetModuleFileNameA MSVCRT.strrchr MSVCRT.strcat KERNEL32.lstrcpyA MSVCRT._strlwr KERNEL32.lstrcmpA KERNEL32.CreateFileA KERNEL32.SetFilePointer KERNEL32.WriteFile KERNEL32.lstrlenA KERNEL32.SetFileTime KERNEL32.CloseHandle MSVCRT.strcmp MSVCRT.free KERNEL32.LoadLibraryA KERNEL32.GetProcAddress MSVCRT.malloc KERNEL32.GetTempPathA MSVCRT.sprintf ADVAPI32.RegOpenKeyExA ADVAPI32.RegDeleteValueA ADVAPI32.RegCloseKey KERNEL32.SetFileAttributesA KERNEL32.DeleteFileA MSVCRT.memcpy MSVCRT.strcpy KERNEL32.CreateThread MSVCRT.memset "\\" "ms32clod" "commands" "command" "cmd" "command" "param1" "command" "param2" "command" "command" "hst" "\r\n" " " "get" "run" "ms32clod" "run" "shell32" "export" ".pfx" "MY" "%s%s" "reset" "f" "u" "g" "s" "il" "iln" "gl" "kill" "reboot" "selfk" "grabf" "hrdlst" " " "%20" |
TimerFunc(da8e): KERNEL32.WaitForSingleObject USER32.UnhookWindowsHookEx USER32.KillTimer KERNEL32.ResetEvent GDI32.SelectObject GDI32.DeleteDC MSVCRT.malloc KERNEL32.GetTempPathW KERNEL32.GetTickCount USER32.wsprintfW KERNEL32.WideCharToMultiByte MSVCRT.free MSVCRT.sprintf KERNEL32.lstrcpyA MSVCRT.strchr KERNEL32.CreateThread GDI32.DeleteObject KERNEL32.ExitThread "image/jpeg" "%s%hs_%d.tmp" "%s%s" "%s__%s.jpg" |
sub_1000AF7F(dd13): USER32.KillTimer KERNEL32.CreateThread USER32.SetTimer |
sub_10018155(dd27): MSVCRT.memset KERNEL32.VirtualQuery |
sub_1001A22D(ddbb): MSVCRT.strlen MSVCRT.strcpy "" ">\n" "/>" "/>\n" |
sub_1000741F(dddd): MSVCRT.strrchr KERNEL32.lstrcpyA MSVCRT.strchr MSVCRT.sprintf KERNEL32.FindFirstFileA KERNEL32.lstrcmpA MSVCRT.malloc KERNEL32.FindClose MSVCRT.free MSVCRT.strstr KERNEL32.CreateThread KERNEL32.CreateFileA KERNEL32.SetFilePointer KERNEL32.lstrlenA KERNEL32.WriteFile KERNEL32.CloseHandle MSVCRT.strlen KERNEL32.DeleteFileA KERNEL32.FindNextFileA KERNEL32.Sleep "%s\\*.*" "." ".." "%s\\%s" "%s\\%s" "%s__%s" ".sol" "%s__%s&&%s" "\r\n" "%s__%s.file" ".sol" "%s__%s&&%s" "\r\n" |
sub_1001338E(e3ef): KERNEL32.GetCurrentThread "&(PVOID&)Real_CreateFileW" "&(PVOID&)Real_PFXImportCertStore" "&(PVOID&)Real_InternetConnect" "&(PVOID&)Real_HttpOpenRequest" "&(PVOID&)Real_HttpSendRequestW" "&(PVOID&)Real_HttpSendRequestA" "&(PVOID&)Real_InternetQueryDataAvailabl"... "&(PVOID&)Real_InternetReadFile" "&(PVOID&)Real_InternetReadFileEx" "&(PVOID&)Real_InternetSetStatusCallback"... "&(PVOID&)Real_RegEnumValueW" "&(PVOID&)Real_send" "&(PVOID&)Real_WSASend" |
sub_100134D4(e3ef): KERNEL32.GetCurrentThread "&(PVOID&)Real_CreateFileW" "&(PVOID&)Real_PFXImportCertStore" "&(PVOID&)Real_InternetConnect" "&(PVOID&)Real_HttpOpenRequest" "&(PVOID&)Real_HttpSendRequestW" "&(PVOID&)Real_HttpSendRequestA" "&(PVOID&)Real_InternetQueryDataAvailabl"... "&(PVOID&)Real_InternetReadFile" "&(PVOID&)Real_InternetReadFileEx" "&(PVOID&)Real_InternetSetStatusCallback"... "&(PVOID&)Real_RegEnumValueW" "&(PVOID&)Real_send" "&(PVOID&)Real_WSASend" |
sub_100020B5(e44e): ADVAPI32.RegOpenKeyExA ADVAPI32.RegEnumKeyExA ADVAPI32.RegEnumValueA KERNEL32.lstrcatA ADVAPI32.RegQueryValueExA MSVCRT.sprintf MSVCRT.strstr MSVCRT.strcat ADVAPI32.RegCloseKey KERNEL32.LoadLibraryA KERNEL32.GetProcAddress "SOFTWARE\\Microsoft\\Internet Account Man"... "----------Outlook Express record-------"... "%s = %ws\n" "%s = %s\n" "%s = %d\n" "Name" "Email" "Server" "Port" "---------------PS item------------\n" "PStoreCreateInstance" "itemName = %ws\n" "itemData = %ws\n" "itemData = %s\n" |
sub_100015CE(e7d7): KERNEL32.GetModuleHandleA KERNEL32.GetModuleFileNameA MSVCRT.strrchr KERNEL32.lstrcatA KERNEL32.CreateFileA KERNEL32.GetFileSize KERNEL32.ReadFile MSVCRT.malloc MSVCRT.memset KERNEL32.CloseHandle MSVCRT.free KERNEL32.lstrlenA MSVCRT.strstr KERNEL32.lstrcpyA MSVCRT.strchr "ms32clod" "set_url " |
sub_10016C4C(f60b): WS2_32.WSAStartup KERNEL32.LoadLibraryA KERNEL32.GetProcAddress KERNEL32.lstrcpyA KERNEL32.FreeLibrary KERNEL32.Sleep WS2_32.socket WS2_32.WSAIoctl WS2_32.inet_ntoa MSVCRT.strncmp WS2_32.closesocket MSVCRT.time MSVCRT.srand KERNEL32.GetSystemDirectoryA KERNEL32.lstrcatA KERNEL32.CreateFileA KERNEL32.ReadFile KERNEL32.CloseHandle MSVCRT.atoi KERNEL32.WriteFile MSVCRT.sprintf "ws2_32" "accept" "bind" "--" "10." "192.168." "172.16." ":TCP" ":TCP" "CB" "%s%s%s&cnt=%s" |
sub_1001C99D(fec3): KERNEL32.lstrlenA KERNEL32.MultiByteToWideChar |