sub_outside(): KERNEL32.GetModuleHandleA KERNEL32.DeleteFileA NTDLL.RtlGetLastWin32Error KERNEL32.ExitProcess KERNEL32.Sleep WININET.InternetGetConnectedState MSVCRT.rand KERNEL32.lstrcatA KERNEL32.lstrlenA KERNEL32.lstrcpyA |
sub_31501962(09ff): MSVCRT.memset KERNEL32.CreateProcessA KERNEL32.CloseHandle |
sub_31502418(12a2): ADVAPI32.RegCreateKeyExA ADVAPI32.RegSetValueExA ADVAPI32.RegCloseKey |
sub_31501911(1a20): KERNEL32.CreateThread KERNEL32.CloseHandle |
sub_3150238A(2057): ADVAPI32.RegOpenKeyExA ADVAPI32.RegDeleteValueA ADVAPI32.RegCloseKey |
sub_315018F7(336c): KERNEL32.CreateThread |
sub_315027DB(3cd5): KERNEL32.VirtualAlloc |
sub_31501F15(4795): MSVCRT.strlen |
sub_31501727(4891): KERNEL32.LoadLibraryA KERNEL32.GetProcAddress KERNEL32.GetCurrentProcess "advapi32" "OpenProcessToken" "LookupPrivilegeValueA" "AdjustTokenPrivileges" "SeDebugPrivilege" |
sub_31502C92(48f8): MSVCRT.strchr "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" |
sub_31501A48(502b): KERNEL32.OpenEventA KERNEL32.SetEvent |
sub_315019B8(518e): WS2_32.inet_addr WS2_32.gethostbyname |
sub_31501B9B(52a4): KERNEL32.CreateFileA KERNEL32.ExitThread KERNEL32.GetFileSize KERNEL32.ReadFile KERNEL32.CloseHandle WS2_32.socket MSVCRT.memset MSVCRT.rand WS2_32.ntohs WS2_32.bind WS2_32.listen WS2_32.accept "System Update" "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"... |
sub_315035E3(531a): WININET.InternetOpenA KERNEL32.GetSystemDirectoryA KERNEL32.lstrcatA KERNEL32.lstrlenA KERNEL32.CreateFileA WININET.InternetOpenUrlA KERNEL32.CloseHandle WININET.InternetReadFile KERNEL32.WriteFile "Mozilla/4.0 (compatible; MSIE 6.0; Wind"... "\\" ".exe" |
sub_315032D5(6253): KERNEL32.lstrlenA USER32.wsprintfA KERNEL32.Sleep WS2_32.send "PRIVMSG %s %s\r\n" |
sub_31501D89(67a6): KERNEL32.CreateEventA KERNEL32.LoadLibraryA KERNEL32.Sleep ADVAPI32.AbortSystemShutdownA "u13ix" "u10x" "u11x" "u12x" "u13x" "u8" "u9" "u10" "u11" "u12" "u13" "u13i" "u14" "ws2_32" "wininet" "msvcrt" "advapi32" "user32" "uterm13i" |
sub_315023BF(75ba): ADVAPI32.RegOpenKeyExA ADVAPI32.RegQueryValueExA ADVAPI32.RegCloseKey |
sub_31502103(7a74): MSVCRT.rand KERNEL32.InterlockedIncrement KERNEL32.Sleep |
sub_3150315E(7aa2): MSVCRT.rand USER32.wsprintfA KERNEL32.lstrlenA WS2_32.send WS2_32.closesocket "QUIT %s\r\n" |
sub_31502523(7c2b): "Windows Security Manager" "Disk Defragmenter" "System Restore Service" "Bot Loader" "WinUpdate" "Windows Update Service" "avserve.exe" "avserve2.exeUpdate Service" "MS Config v13" "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"... |
sub_315017AF(7e12): KERNEL32.GetModuleHandleA KERNEL32.GetProcAddress USER32.FindWindowA USER32.GetForegroundWindow USER32.GetWindowThreadProcessId KERNEL32.OpenProcess KERNEL32.WriteProcessMemory KERNEL32.CloseHandle "kernel32" "VirtualAllocEx" "CreateRemoteThread" "uterm13i" |
sub_315025D1(80a1): KERNEL32.DeleteFileA KERNEL32.GetSystemDirectoryA MSVCRT.rand KERNEL32.lstrcatA KERNEL32.CopyFileA KERNEL32.lstrlenA KERNEL32.CloseHandle KERNEL32.WinExec KERNEL32.Sleep KERNEL32.ExitProcess ".exe" "\\" "System Update" "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"... |
sub_315029A2(81ab): KERNEL32.GetSystemDirectoryA KERNEL32.SetCurrentDirectoryA KERNEL32.lstrcpynA KERNEL32.CreateFileA WS2_32.send WS2_32.recv KERNEL32.WriteFile KERNEL32.CloseHandle |
sub_31501A32(81da): WININET.InternetGetConnectedState |
sub_31501D75(82c5): KERNEL32.WaitForSingleObject |
sub_31502889(8398): KERNEL32.GetSystemTime KERNEL32.SystemTimeToFileTime WS2_32.recv MSVCRT.memcpy ADVAPI32.CryptCreateHash ADVAPI32.CryptHashData ADVAPI32.CryptVerifySignatureA NTDLL.RtlGetLastWin32Error ADVAPI32.CryptDestroyHash MSVCRT.rand WS2_32.send |
sub_3150246B(87a6): KERNEL32.lstrlenA KERNEL32.CreateToolhelp32Snapshot MSVCRT.memset KERNEL32.Process32First MSVCRT.strstr KERNEL32.OpenProcess KERNEL32.TerminateProcess KERNEL32.Process32Next |
sub_315036FD(9195): MSVCRT.strstr KERNEL32.GetTickCount USER32.wsprintfA KERNEL32.lstrlenA MSVCRT.strchr KERNEL32.lstrcmpA KERNEL32.lstrcpyA MSVCRT.atoi MSVCRT.rand KERNEL32.lstrcatA "-1,%d" "e" "|" "i" "%d,%d,13%s,%d" "q" "JOIN" |
sub_31501A62(9441): WS2_32.recv MSVCRT.strstr WS2_32.send USER32.wsprintfA MSVCRT.strlen KERNEL32.Sleep WS2_32.shutdown WS2_32.closesocket KERNEL32.ExitThread "GET" ".exe" "HTTP/1.1 200 OK\r\nContent-Type: applicat"... "Content-Length: %u\r\n\r\n" "HTTP/1.1 200 OK\r\n\r\n\r\n" |
sub_3150286E(9445): ADVAPI32.CryptDestroyKey ADVAPI32.CryptReleaseContext |
sub_3150209F(9491): MSVCRT.rand KERNEL32.Sleep |
sub_3150269D(99c3): KERNEL32.GetModuleFileNameA MSVCRT.rand KERNEL32.lstrlenA KERNEL32.lstrcpyA KERNEL32.lstrcmpiA "Software\\Microsoft\\Wireless" "ID" "dfashnzdsdl" "ID" "dfashnzdsdl" "System Update" "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"... "1" "Client" "Client" |
sub_315148B3(a381): KERNEL32.LoadLibraryA |
sub_31502252(a67f): WS2_32.inet_ntoa KERNEL32.lstrcpyA USER32.wsprintfA KERNEL32.lstrlenA "http://%s:%d/x.exe" |
sub_315027EF(a71a): KERNEL32.VirtualFree |
sub_315018E8(a71a): KERNEL32.CreateMutexA |
sub_315011C0(abb0): WS2_32.socket WS2_32.inet_ntoa KERNEL32.lstrcpynA USER32.wsprintfA MSVCRT.memcpy MSVCRT.strlen MSVCRT.memset WS2_32.ntohs WS2_32.connect KERNEL32.Sleep WS2_32.send WS2_32.recv KERNEL32.lstrlenA WS2_32.shutdown WS2_32.closesocket |
sub_315019F3(b95f): WS2_32.gethostname WS2_32.WSAGetLastError WS2_32.gethostbyname |
sub_315018BA(bc62): KERNEL32.GetTickCount MSVCRT.srand |
sub_31502D91(bca3): KERNEL32.lstrcpynA |
sub_31503009(bf8d): MSVCRT.strstr KERNEL32.lstrlenA KERNEL32.lstrcpynA USER32.wsprintfA WS2_32.send "PING" "PONG%s\r\n" |
sub_3150334C(d1c9): KERNEL32.GetSystemTime MSVCRT.atan MSVCRT.sin MSVCRT.cos MSVCRT.srand MSVCRT.rand |
sub_3150281A(d285): ADVAPI32.CryptAcquireContextA ADVAPI32.CryptImportKey |
sub_3150308C(d435): USER32.wsprintfA KERNEL32.Sleep KERNEL32.lstrlenA WS2_32.send WS2_32.recv MSVCRT.strstr KERNEL32.lstrcpynA "JOIN %s\r\n" "451" "PING" |
sub_31502DC7(e24b): WS2_32.socket WS2_32.ntohs WS2_32.connect WS2_32.recv USER32.wsprintfA KERNEL32.Sleep KERNEL32.lstrlenA WS2_32.send MSVCRT.strstr WS2_32.closesocket "PASS %s\r\n" "NICK %s\r\n" "already" "NICK %s\r\n" "USER %s 8 * :%s\r\n" |
sub_31502BC3(e562): WS2_32.socket MSVCRT.memset WS2_32.ntohs WS2_32.bind WS2_32.listen WS2_32.accept KERNEL32.CreateEventA KERNEL32.CreateThread KERNEL32.CloseHandle KERNEL32.WaitForSingleObject |
sub_31501932(e56c): MSVCRT.rand |
sub_31501CDF(e965): WS2_32.WSAStartup |
sub_3150218B(ed82): MSVCRT.rand KERNEL32.InterlockedIncrement KERNEL32.Sleep KERNEL32.ExitThread |
sub_315031C7(f228): KERNEL32.GetTickCount WS2_32.select KERNEL32.ExitThread WS2_32.recv KERNEL32.Sleep WS2_32.closesocket |
sub_31502801(fa42): KERNEL32.lstrcpyA "cont" |
sub_31502B27(fd6d): KERNEL32.SetEvent WS2_32.recv WS2_32.closesocket KERNEL32.ExitThread |
sub_31501F46(fda7): MSVCRT.rand MSVCRT.strcpy WS2_32.socket WS2_32.ntohl WS2_32.ntohs WS2_32.bind WS2_32.listen WS2_32.accept KERNEL32.Sleep WS2_32.recv WS2_32.closesocket MSVCRT.strcat MSVCRT.strlen WS2_32.send " : USERID : UNIX : " "\r\n" |