sub_4040DE(02cc): KERNEL32.lstrcpyn WS2_32.inet_addr WS2_32.htons WS2_32.WSASocketA WS2_32.bind WS2_32.listen WS2_32.accept WS2_32.closesocket WS2_32.connect KERNEL32.ExpandEnvironmentStringsA KERNEL32.CreateProcessA "\"%comspec%\" /Q" |
sub_402193(07bd): ADVAPI32.OpenSCManagerA ADVAPI32.OpenServiceA ADVAPI32.CreateServiceA ADVAPI32.ChangeServiceConfig2A KERNEL32.lstrcpyn ADVAPI32.StartServiceA "rpcsvc" "C:\\WINDOWS\\System32\\rpcsvc.exe" "Windows Remote Procedure Call Monitorin"... "Provides reliability and uptime monitor"... |
sub_4033F9(1136): KERNEL32.lstrcpyn KERNEL32.CreateThread KERNEL32.Sleep |
sub_4022CE(1c31): ADVAPI32.RegisterServiceCtrlHandlerA ADVAPI32.SetServiceStatus "rpcsvc" |
sub_403CA4(1d28): KERNEL32.lstrcmp KERNEL32.GetTickCount USER32.wsprintfA WS2_32.send "PING" "PONG %.500s\r\n" "433" |
sub_402E88(2437): KERNEL32.LoadLibraryA KERNEL32.GetProcAddress "dnsapi.dll" "DnsFlushResolverCache" |
sub_40421C(39b9): USER32.FindWindowA USER32.SendMessageA USER32.GetWindowThreadProcessId USER32.FindWindowExA KERNEL32.Sleep "_Oscar_StatusNotify" "#32770" "#32770" "_Oscar_Tree" |
sub_4045CA(39e3): KERNEL32.CreateFileA WS2_32.socket WS2_32.connect KERNEL32.CloseHandle "C:\\m_unpacker\\packed.exe" |
sub_402A81(41e9): KERNEL32.GetCurrentProcess ADVAPI32.SetSecurityInfo ADVAPI32.RegCreateKeyA ADVAPI32.RegSetValueExA ADVAPI32.RegCloseKey KERNEL32.GetWindowsDirectoryA USER32.wsprintfA KERNEL32._lcreat KERNEL32._lclose KERNEL32.SetFileAttributesA ADVAPI32.OpenSCManagerA ADVAPI32.OpenServiceA ADVAPI32.ControlService ADVAPI32.ChangeServiceConfigA ADVAPI32.CloseServiceHandle "software\\microsoft\\ole" "n" "enabledcom" "system\\currentcontrolset\\control\\lsa" "restrictanonymous" "restrictanonymoussam" "system\\currentcontrolset\\services\\lanma"... "autoshareserver" "autosharewks" "software\\microsoft\\security center" "antivirusdisablenotify" "antivirusoverride" "firewalldisablenotify" "firewalldisableoverride" "software\\policies\\microsoft\\windowsfire"... "enablefirewall" "software\\policies\\microsoft\\windowsfire"... "enablefirewall" "%s\\debug\\dcpromo.log" "sharedaccess" |
sub_403207(4340): KERNEL32.lstrcpyn KERNEL32.CreateThread KERNEL32.Sleep |
sub_40212C(511a): KERNEL32.GetSystemDirectoryA USER32.wsprintfA KERNEL32.SetFileAttributesA KERNEL32.CopyFileA KERNEL32.Sleep "C:\\WINDOWS\\System32\\rpcsvc.exe" "rpcsvc.exe" "C:\\m_unpacker\\packed.exe" |
sub_4032E0(5b87): USER32.wsprintfA KERNEL32.FindFirstFileA KERNEL32.lstrcmp KERNEL32.FindNextFileA KERNEL32.FindClose "%.256s*" "." ".." "%.256s%.250s\\" "[findfile] %.256s%.240s" |
sub_40230D(5be9): WS2_32.gethostbyname WS2_32.socket WS2_32.setsockopt WS2_32.connect WS2_32.send KERNEL32.GetTickCount USER32.wsprintfA WS2_32.getsockname WS2_32.select WS2_32.recv WS2_32.closesocket "bbjj.househot.com" "ypgw.wallloan.com" |
sub_402FC3(5c43): WS2_32.socket WS2_32.ioctlsocket KERNEL32.Sleep WS2_32.htonl WS2_32.connect WS2_32.select WS2_32.closesocket WS2_32.__WSAFDIsSet KERNEL32.CreateThread |
sub_40435D(5d96): USER32.FindWindowExA USER32.SendMessageA USER32.GetMenu "Instant Message" "AIM_IMessage" "CBClass" "Ate32Class" "_Oscar_IconBtn" "_Oscar_IconBtn" "Instant Message" "AIM_IMessage" |
sub_4020D7(5dcd): KERNEL32.CreateMutexA NTDLL.RtlGetLastWin32Error WS2_32.WSAStartup KERNEL32.Sleep KERNEL32.ExitProcess "rpcsvc" |
sub_404086(6c6b): KERNEL32.lstrcpyn KERNEL32.CreateThread KERNEL32.Sleep |
sub_403A7A(6f13): KERNEL32.GetTickCount WS2_32.socket WS2_32.htons WS2_32.inet_addr WS2_32.connect USER32.wsprintfA WS2_32.send WS2_32.recv WS2_32.closesocket "USER %.16s \"\" \"%.16s\" %.16s\n" |
sub_403DA9(7c0d): WS2_32.getsockname WS2_32.socket WS2_32.bind WS2_32.WSAIoctl WS2_32.closesocket KERNEL32.GlobalAlloc WS2_32.recv WS2_32.htons WS2_32.inet_ntoa KERNEL32.lstrcpyn USER32.wsprintfA KERNEL32.GlobalFree "[%.16s:%hu->%.16s:%hu] \"%.256s\"" |
sub_40258D(7ee7): KERNEL32.lstrcmp USER32.wsprintfA WS2_32.send KERNEL32.GetTickCount WS2_32.inet_addr WS2_32.gethostbyname "PING" "PoNG %.500s\r\n" "PRIVMSG" "433" "332" "302" "001" "USeRHOST %.16s\n" "ihodc9hi" "JOiN %.16s %.16s\n" |
sub_40254D(80c3): USER32.wsprintfA WS2_32.send "PRiVMSG %.16s :%.480s\n" |
sub_403D7D(850f): KERNEL32.CreateThread |
sub_402CD9(961f): KERNEL32.GetCurrentProcess KERNEL32.CreateProcessA KERNEL32.DuplicateHandle KERNEL32.VirtualAllocEx KERNEL32.WriteProcessMemory KERNEL32.CreateRemoteThread KERNEL32.ExitProcess "D" "C:\\m_unpacker\\packed.exe" |
sub_40228C(9c3a): KERNEL32.GetModuleFileNameA "C:\\m_unpacker\\packed.exe" "C:\\m_unpacker\\packed.exe" "D" "D" |
sub_402EAA(9f24): KERNEL32.CreateThread |
sub_40443A(a529): WS2_32.inet_ntoa USER32.wsprintfA KERNEL32.CreateFileA KERNEL32.WriteFile KERNEL32.GetTickCount KERNEL32.CloseHandle KERNEL32.Sleep "\\\\%.16s\\pipe" "%.24s\\browser" |
sub_40384E(ab08): KERNEL32.LoadLibraryA KERNEL32.GetProcAddress KERNEL32.GetCurrentThreadId USER32.wsprintfA KERNEL32.CreateProcessA "urlmon.dll" "URLDownloadToFileA" "[dl:%08x] %.180s to %.180s" "D" "[dl:%08x] :)" "[dl:%08x] :( exec" "[dl:%08x] :( dl" |
sub_403185(b49b): USER32.CharUpperA |
sub_40325F(b58a): KERNEL32.GetLogicalDriveStringsA KERNEL32.GetDriveTypeA KERNEL32.lstrlen |
sub_403A36(b952): USER32.wsprintfA WS2_32.send "%.500s\n" |
sub_4034C1(c19f): WS2_32.socket WS2_32.setsockopt WS2_32.inet_addr WS2_32.getsockname KERNEL32.GetTickCount WS2_32.htons WS2_32.sendto WS2_32.closesocket USER32.wsprintfA "[syn:%.16s] done [%ums] [%u packets] [%"... |
sub_40399D(c43f): KERNEL32.lstrcpyn KERNEL32.CreateThread KERNEL32.Sleep |
sub_4027CB(d5b9): KERNEL32.CreateProcessA WS2_32.send WS2_32.closesocket USER32.wsprintfA WS2_32.inet_ntoa KERNEL32.lstrcpyn "D" "[exec] :)" "[exec] :(" "QUiT\n" "%.500s\n" "[ni] %.16s %.16s" |
sub_4037CC(da61): KERNEL32.lstrcpyn KERNEL32.GetTempFileNameA KERNEL32.CreateThread KERNEL32.Sleep "." |
sub_402094(ea67): ADVAPI32.StartServiceCtrlDispatcherA "rpcsvc" |
sub_403FF9(eb9b): "*:*.* 332 * #* :?* *" "*PRIVMSG * :?* *" "* :?login * *" "* :?set * * *" "* :?*scan* *" "* :?*syn* *" "* :?*udp* *" "* :?*ddos* *" "USER ?* " "PASS ?* " "OPER ?* ?* *" "JOIN #* *" |
sub_402F08(ec20): KERNEL32.GetCurrentThreadId KERNEL32.GetTickCount KERNEL32.Sleep |
sub_40224E(ecb2): ADVAPI32.OpenSCManagerA ADVAPI32.OpenServiceA ADVAPI32.DeleteService ADVAPI32.CloseServiceHandle "rpcsvc" |