Difference between revisions of "Analysis:20130911-malware"
(Created page with "Analysis by ~~~~ ==File Overview== <nowiki> [+] mgifragd.exe > [TYPE] MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit > [MIME] application/x-dosexec > [M...")
Line 42: | Line 42:
> [MIME] application/x-dosexec | > [MIME] application/x-dosexec | ||
> [MD5 ] 595257b15af9ef944aa6aee850088fd0 | > [MD5 ] 595257b15af9ef944aa6aee850088fd0 | ||
+ | </nowiki> | ||
+ | |||
+ | ==File Disassembly== | ||
+ | ===mgifragd.exe=== | ||
+ | ''(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)'' | ||
+ | ====Private Headers==== | ||
+ | <nowiki> | ||
+ | |||
+ | mgifragd.exe: file format pei-i386 | ||
+ | |||
+ | Characteristics 0x10f | ||
+ | relocations stripped | ||
+ | executable | ||
+ | line numbers stripped | ||
+ | symbols stripped | ||
+ | 32 bit words | ||
+ | |||
+ | Time/Date Wed Sep 11 03:00:09 2013 | ||
+ | Magic 010b (PE32) | ||
+ | MajorLinkerVersion 7 | ||
+ | MinorLinkerVersion 0 | ||
+ | SizeOfCode 00012000 | ||
+ | SizeOfInitializedData 00082000 | ||
+ | SizeOfUninitializedData 00000000 | ||
+ | AddressOfEntryPoint 00009795 | ||
+ | BaseOfCode 00001000 | ||
+ | BaseOfData 00013000 | ||
+ | ImageBase 00400000 | ||
+ | SectionAlignment 00001000 | ||
+ | FileAlignment 00001000 | ||
+ | MajorOSystemVersion 4 | ||
+ | MinorOSystemVersion 0 | ||
+ | MajorImageVersion 0 | ||
+ | MinorImageVersion 0 | ||
+ | MajorSubsystemVersion 4 | ||
+ | MinorSubsystemVersion 0 | ||
+ | Win32Version 00000000 | ||
+ | SizeOfImage 00106000 | ||
+ | SizeOfHeaders 00001000 | ||
+ | CheckSum 00000000 | ||
+ | Subsystem 00000002 (Windows GUI) | ||
+ | DllCharacteristics 00000000 | ||
+ | SizeOfStackReserve 00100000 | ||
+ | SizeOfStackCommit 00001000 | ||
+ | SizeOfHeapReserve 00100000 | ||
+ | SizeOfHeapCommit 00001000 | ||
+ | LoaderFlags 00000000 | ||
+ | NumberOfRvaAndSizes 00000010 | ||
+ | |||
+ | The Data Directory | ||
+ | Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)] | ||
+ | Entry 1 0001474c 000000a0 Import Directory [parts of .idata] | ||
+ | Entry 2 00102000 000031d2 Resource Directory [.rsrc] | ||
+ | Entry 3 00000000 00000000 Exception Directory [.pdata] | ||
+ | Entry 4 00000000 00000000 Security Directory | ||
+ | Entry 5 00000000 00000000 Base Relocation Directory [.reloc] | ||
+ | Entry 6 00000000 00000000 Debug Directory | ||
+ | Entry 7 00000000 00000000 Description Directory | ||
+ | Entry 8 00000000 00000000 Special Directory | ||
+ | Entry 9 00000000 00000000 Thread Storage Directory [.tls] | ||
+ | Entry a 00000000 00000000 Load Configuration Directory | ||
+ | Entry b 00000000 00000000 Bound Import Directory | ||
+ | Entry c 00013000 00000138 Import Address Table Directory | ||
+ | Entry d 00000000 00000000 Delay Import Directory | ||
+ | Entry e 00000000 00000000 CLR Runtime Header | ||
+ | Entry f 00000000 00000000 Reserved | ||
+ | |||
+ | There is an import table in .rdata at 0x41474c | ||
+ | |||
+ | The Import Tables (interpreted .rdata section contents) | ||
+ | vma: Hint Time Forward DLL First | ||
+ | Table Stamp Chain Name Thunk | ||
+ | 0001474c 00014800 00000000 00000000 000149d2 00013014 | ||
+ | |||
+ | DLL Name: KERNEL32.dll | ||
+ | vma: Hint/Ord Member-Name Bound-To | ||
+ | 1496a 811 SuspendThread | ||
+ | 1497a 656 ReadFile | ||
+ | 14986 792 SetThreadPriority | ||
+ | 1499a 393 GetProcAddress | ||
+ | 149ac 853 VirtualAlloc | ||
+ | 1495e 886 WriteFile | ||
+ | 14df6 44 CloseHandle | ||
+ | 1492c 446 GetTickCount | ||
+ | 14dda 689 RtlUnwind | ||
+ | 14dce 507 HeapSize | ||
+ | 14dbe 545 LCMapStringW | ||
+ | 14950 120 DeleteFileA | ||
+ | 149bc 869 WaitForSingleObject | ||
+ | 1493c 359 GetModuleHandleA | ||
+ | 14dae 544 LCMapStringA | ||
+ | 14d9c 643 RaiseException | ||
+ | 14d8a 418 GetStringTypeW | ||
+ | 14d78 415 GetStringTypeA | ||
+ | 14d5e 428 GetSystemTimeAsFileTime | ||
+ | 14d48 304 GetCurrentProcessId | ||
+ | 14de6 780 SetStdHandle | ||
+ | 14924 809 Sleep | ||
+ | 14d32 306 GetCurrentThreadId | ||
+ | 14d18 638 QueryPerformanceCounter | ||
+ | 14d06 753 SetFilePointer | ||
+ | 14ad0 412 GetStartupInfoA | ||
+ | 14ae2 253 GetCommandLineA | ||
+ | 14af4 456 GetVersionExA | ||
+ | 14b04 501 HeapFree | ||
+ | 14b10 171 ExitProcess | ||
+ | 14b1e 817 TerminateProcess | ||
+ | 14b32 303 GetCurrentProcess | ||
+ | 14b46 414 GetStdHandle | ||
+ | 14b56 357 GetModuleFileNameA | ||
+ | 14b6c 834 UnhandledExceptionFilter | ||
+ | 14b88 227 FreeEnvironmentStringsA | ||
+ | 14ba2 319 GetEnvironmentStrings | ||
+ | 14bba 228 FreeEnvironmentStringsW | ||
+ | 14bd4 873 WideCharToMultiByte | ||
+ | 14bea 346 GetLastError | ||
+ | 14bfa 321 GetEnvironmentStringsW | ||
+ | 14c14 762 SetHandleCount | ||
+ | 14c26 336 GetFileType | ||
+ | 14c34 499 HeapDestroy | ||
+ | 14c42 497 HeapCreate | ||
+ | 14c50 856 VirtualFree | ||
+ | 14c5e 495 HeapAlloc | ||
+ | 14c6a 505 HeapReAlloc | ||
+ | 14c78 593 MultiByteToWideChar | ||
+ | 14c8e 859 VirtualProtect | ||
+ | 14ca0 424 GetSystemInfo | ||
+ | 14cb0 861 VirtualQuery | ||
+ | 14cc0 558 LoadLibraryA | ||
+ | 14cd0 235 GetACP | ||
+ | 14cda 380 GetOEMCP | ||
+ | 14ce6 241 GetCPInfo | ||
+ | 14cf2 219 FlushFileBuffers | ||
+ | 14e04 349 GetLocaleInfoA | ||
+ | |||
+ | 00014760 000148ec 00000000 00000000 00014a18 00013100 | ||
+ | |||
+ | DLL Name: USER32.dll | ||
+ | vma: Hint/Ord Member-Name Bound-To | ||
+ | 149e0 268 GetDC | ||
+ | 149e8 270 GetDesktopWindow | ||
+ | 14a0a 445 LoadImageA | ||
+ | 149fc 439 LoadCursorA | ||
+ | |||
+ | 00014774 000147f4 00000000 00000000 00014a40 00013008 | ||
+ | |||
+ | DLL Name: GDI32.dll | ||
+ | vma: Hint/Ord Member-Name Bound-To | ||
+ | 14a24 71 CreatePen | ||
+ | 14a30 524 SelectObject | ||
+ | |||
+ | 00014788 0001490c 00000000 00000000 00014a4a 00013120 | ||
+ | |||
+ | DLL Name: WS2_32.dll | ||
+ | vma: Hint/Ord Member-Name Bound-To | ||
+ | 80000003 3 <none> | ||
+ | 80000012 18 <none> | ||
+ | |||
+ | 0001479c 00014900 00000000 00000000 00014a78 00013114 | ||
+ | |||
+ | DLL Name: WINMM.dll | ||
+ | vma: Hint/Ord Member-Name Bound-To | ||
+ | 14a66 62 mciSendCommandA | ||
+ | 14a56 26 auxSetVolume | ||
+ | |||
+ | 000147b0 000147ec 00000000 00000000 00014a96 00013000 | ||
+ | |||
+ | DLL Name: AVIFIL32.dll | ||
+ | vma: Hint/Ord Member-Name Bound-To | ||
+ | 14a82 3 AVIClearClipboard | ||
+ | |||
+ | 000147c4 00014918 00000000 00000000 00014ac2 0001312c | ||
+ | |||
+ | DLL Name: WinSCard.dll | ||
+ | vma: Hint/Ord Member-Name Bound-To | ||
+ | 14ab4 6 SCardCancel | ||
+ | 14aa4 7 SCardConnectA | ||
+ | |||
+ | 000147d8 00000000 00000000 00000000 00000000 00000000 | ||
+ | |||
+ | </nowiki> | ||
+ | ====Embedded Resources==== | ||
+ | <nowiki> | ||
+ | |||
+ | mgifragd.exe: file format pei-i386 | ||
+ | |||
+ | Sections: | ||
+ | Idx Name Size VMA LMA File off Algn | ||
+ | 0 .text 00011eea 00401000 00401000 00001000 2**2 | ||
+ | CONTENTS, ALLOC, LOAD, READONLY, CODE | ||
+ | 1 .rdata 00001e16 00413000 00413000 00013000 2**2 | ||
+ | CONTENTS, ALLOC, LOAD, READONLY, DATA | ||
+ | 2 .data 00002000 00415000 00415000 00015000 2**2 | ||
+ | CONTENTS, ALLOC, LOAD, DATA | ||
+ | 3 .xcode 0007a000 00418000 00418000 00017000 2**2 | ||
+ | CONTENTS, ALLOC, LOAD, DATA | ||
+ | 4 .rsrc 000031d2 00502000 00502000 00091000 2**2 | ||
+ | CONTENTS, ALLOC, LOAD, READONLY, DATA | ||
+ | </nowiki> | ||
+ | ===rksmkjjl.exe=== | ||
+ | ''(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)'' | ||
+ | ====Private Headers==== | ||
+ | <nowiki> | ||
+ | |||
+ | rksmkjjl.exe: file format pei-i386 | ||
+ | |||
+ | Characteristics 0x10f | ||
+ | relocations stripped | ||
+ | executable | ||
+ | line numbers stripped | ||
+ | symbols stripped | ||
+ | 32 bit words | ||
+ | |||
+ | Time/Date Wed Jun 16 00:28:57 2010 | ||
+ | Magic 010b (PE32) | ||
+ | MajorLinkerVersion 6 | ||
+ | MinorLinkerVersion 0 | ||
+ | SizeOfCode 00032a00 | ||
+ | SizeOfInitializedData 00006a00 | ||
+ | SizeOfUninitializedData 00000000 | ||
+ | AddressOfEntryPoint 000068d0 | ||
+ | BaseOfCode 00001000 | ||
+ | BaseOfData 00034000 | ||
+ | ImageBase 00400000 | ||
+ | SectionAlignment 00001000 | ||
+ | FileAlignment 00000200 | ||
+ | MajorOSystemVersion 4 | ||
+ | MinorOSystemVersion 0 | ||
+ | MajorImageVersion 0 | ||
+ | MinorImageVersion 0 | ||
+ | MajorSubsystemVersion 4 | ||
+ | MinorSubsystemVersion 0 | ||
+ | Win32Version 00000000 | ||
+ | SizeOfImage 0003c000 | ||
+ | SizeOfHeaders 00000400 | ||
+ | CheckSum 00041a40 | ||
+ | Subsystem 00000002 (Windows GUI) | ||
+ | DllCharacteristics 00000000 | ||
+ | SizeOfStackReserve 00100000 | ||
+ | SizeOfStackCommit 00001000 | ||
+ | SizeOfHeapReserve 00100000 | ||
+ | SizeOfHeapCommit 00001000 | ||
+ | LoaderFlags 00000000 | ||
+ | NumberOfRvaAndSizes 00000010 | ||
+ | |||
+ | The Data Directory | ||
+ | Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)] | ||
+ | Entry 1 00034cd0 0000008c Import Directory [parts of .idata] | ||
+ | Entry 2 0003b000 00000530 Resource Directory [.rsrc] | ||
+ | Entry 3 00000000 00000000 Exception Directory [.pdata] | ||
+ | Entry 4 00000000 00000000 Security Directory | ||
+ | Entry 5 00000000 00000000 Base Relocation Directory [.reloc] | ||
+ | Entry 6 00000000 00000000 Debug Directory | ||
+ | Entry 7 00000000 00000000 Description Directory | ||
+ | Entry 8 00000000 00000000 Special Directory | ||
+ | Entry 9 00000000 00000000 Thread Storage Directory [.tls] | ||
+ | Entry a 00000000 00000000 Load Configuration Directory | ||
+ | Entry b 00000000 00000000 Bound Import Directory | ||
+ | Entry c 00034000 0000041c Import Address Table Directory | ||
+ | Entry d 00000000 00000000 Delay Import Directory | ||
+ | Entry e 00000000 00000000 CLR Runtime Header | ||
+ | Entry f 00000000 00000000 Reserved | ||
+ | |||
+ | There is an import table in .rdata at 0x434cd0 | ||
+ | |||
+ | The Import Tables (interpreted .rdata section contents) | ||
+ | vma: Hint Time Forward DLL First | ||
+ | Table Stamp Chain Name Thunk | ||
+ | 00034cd0 0003515c 00000000 00000000 000351b8 00034400 | ||
+ | |||
+ | DLL Name: WINMM.dll | ||
+ | vma: Hint/Ord Member-Name Bound-To | ||
+ | 35184 132 mmioAdvance | ||
+ | 351a6 190 waveOutGetPitch | ||
+ | 35178 124 mixerOpen | ||
+ | 35192 162 timeGetSystemTime | ||
+ | |||
+ | 00034ce4 00034ff8 00000000 00000000 0003576c 0003429c | ||
+ | |||
+ | DLL Name: USER32.dll | ||
+ | vma: Hint/Ord Member-Name Bound-To | ||
+ | 354a4 366 GetWindowLongA | ||
+ | 353fe 311 GetMenuState | ||
+ | 353ee 307 GetMenuItemID | ||
+ | 356d0 658 ShowWindow | ||
+ | 35688 640 SetWindowLongA | ||
+ | 355ce 515 PostQuitMessage | ||
+ | 35224 74 CopyRect | ||
+ | 3563e 579 SetActiveWindow | ||
+ | 35514 417 IsDialogMessageA | ||
+ | 35558 439 LoadBitmapA | ||
+ | 3567c 618 SetPropA | ||
+ | 35498 362 GetWindow | ||
+ | 352be 198 EndDialog | ||
+ | 35666 609 SetMenuItemBitmaps | ||
+ | 355ae 511 PeekMessageA | ||
+ | 3538e 289 GetKeyState | ||
+ | 3570a 686 UnhookWindowsHookEx | ||
+ | 35444 345 GetSubMenu | ||
+ | 351e2 27 CallWindowProcA | ||
+ | 35650 599 SetForegroundWindow | ||
+ | 353da 306 GetMenuItemCount | ||
+ | 3534e 272 GetDlgCtrlID | ||
+ | 354b6 371 GetWindowPlacement | ||
+ | 35534 430 IsWindowEnabled | ||
+ | 35460 347 GetSysColorBrush | ||
+ | 353bc 302 GetMenuCheckMarkDimensions | ||
+ | 35488 355 GetTopWindow | ||
+ | 35618 566 SendDlgItemMessageA | ||
+ | 35528 429 IsWindow | ||
+ | 352d6 225 ExitWindowsEx | ||
+ | 354cc 372 GetWindowRect | ||
+ | 35734 699 UpdateWindow | ||
+ | 35290 182 DrawIcon | ||
+ | 352ca 200 EndPaint | ||
+ | 355e0 523 PtInRect | ||
+ | 3569a 643 SetWindowPos | ||
+ | 35506 381 GrayStringA | ||
+ | 3540e 314 GetMessageA | ||
+ | 354ee 376 GetWindowTextLengthA | ||
+ | 355a0 478 MessageBoxA | ||
+ | 351d0 26 CallNextHookEx | ||
+ | 354dc 375 GetWindowTextA | ||
+ | 35580 458 LoadStringA | ||
+ | 3541c 316 GetMessagePos | ||
+ | 351f4 52 CharUpperA | ||
+ | 352e6 235 GetActiveWindow | ||
+ | 35754 720 WinHelpA | ||
+ | 35720 691 UnregisterClassA | ||
+ | 355ec 534 RegisterClassA | ||
+ | 356aa 646 SetWindowTextA | ||
+ | 3529c 194 EnableMenuItem | ||
+ | 356de 665 SystemParametersInfoA | ||
+ | 355fe 554 ReleaseDC | ||
+ | 35272 151 DestroyMenu | ||
+ | 3536c 278 GetFocus | ||
+ | 353b2 300 GetMenu | ||
+ | 35378 279 GetForegroundWindow | ||
+ | 35760 726 wsprintfA | ||
+ | 35230 82 CreateDialogIndirectParamA | ||
+ | 3539c 296 GetLastActivePopup | ||
+ | 35202 57 CheckMenuItem | ||
+ | 352f8 243 GetCapture | ||
+ | 355be 513 PostMessageA | ||
+ | 356f6 682 TranslateMessage | ||
+ | 35566 441 LoadCursorA | ||
+ | 3558e 473 MapWindowPoints | ||
+ | 351c2 13 BeginPaint | ||
+ | 35306 246 GetClassInfoA | ||
+ | 3562e 571 SendMessageA | ||
+ | 352ae 196 EnableWindow | ||
+ | 35212 64 ClientToScreen | ||
+ | 35438 330 GetPropA | ||
+ | 35336 267 GetCursorPos | ||
+ | 35316 252 GetClassNameA | ||
+ | 356bc 650 SetWindowsHookExA | ||
+ | 35474 349 GetSystemMetrics | ||
+ | 35452 346 GetSysColor | ||
+ | 35326 255 GetClientRect | ||
+ | 3535e 273 GetDlgItem | ||
+ | 35280 153 DestroyWindow | ||
+ | 35574 445 LoadIconA | ||
+ | 3542c 325 GetParent | ||
+ | 35546 433 IsWindowVisible | ||
+ | 3560a 556 RemovePropA | ||
+ | 35346 268 GetDC | ||
+ | 35260 142 DefWindowProcA | ||
+ | 35744 707 ValidateRect | ||
+ | 3524e 96 CreateWindowExA | ||
+ | |||
+ | 00034cf8 00034d9c 00000000 00000000 0003587a 00034040 | ||
+ | |||
+ | DLL Name: GDI32.dll | ||
+ | vma: Hint/Ord Member-Name Bound-To | ||
+ | 3581a 519 SaveDC | ||
+ | 357d8 352 GetClipBox | ||
+ | 35802 512 RestoreDC | ||
+ | 3586e 590 TextOutA | ||
+ | 3583a 555 SetMapMode | ||
+ | 357ba 143 DeleteObject | ||
+ | 357ca 221 ExtTextOutA | ||
+ | 357e6 363 GetDeviceCaps | ||
+ | 357f6 419 GetRelAbs | ||
+ | 357ae 140 DeleteDC | ||
+ | 3585c 578 SetWindowExtEx | ||
+ | 35824 520 ScaleViewportExtEx | ||
+ | 3580e 513 RoundRect | ||
+ | 35788 51 CreateDIBitmap | ||
+ | 3579a 53 CreateEllipticRgn | ||
+ | 35848 574 SetViewportExtEx | ||
+ | 35778 39 CreateBitmap | ||
+ | |||
+ | 00034d0c 00034de4 00000000 00000000 000361be 00034088 | ||
+ | |||
+ | DLL Name: KERNEL32.dll | ||
+ | vma: Hint/Ord Member-Name Bound-To | ||
+ | 35a86 317 GetCurrentThread | ||
+ | 3603c 810 SetStdHandle | ||
+ | 3591c 140 DuplicateHandle | ||
+ | 35c2a 464 GetThreadLocale | ||
+ | 35bf0 434 GetStringTypeA | ||
+ | 35884 25 Beep | ||
+ | 360d2 854 TlsGetValue | ||
+ | 35fc8 774 SetEnvironmentVariableA | ||
+ | 35cea 500 GlobalFlags | ||
+ | 361a6 953 lstrcpynA | ||
+ | 359b4 218 FindResourceA | ||
+ | 35dfa 550 IsBadCodePtr | ||
+ | 35a5a 312 GetCurrentDirectoryA | ||
+ | 35d98 537 InitializeCriticalSection | ||
+ | 35ac0 334 GetEnvironmentStringsA | ||
+ | 359f0 237 FreeEnvironmentStringsA | ||
+ | 35eea 600 LocalUnlock | ||
+ | 35f04 603 LockResource | ||
+ | 35a48 264 GetCommandLineA | ||
+ | 35e4e 570 LCMapStringA | ||
+ | 361b2 956 lstrlenA | ||
+ | 36182 944 lstrcmpA | ||
+ | 35c8c 489 GetWindowsDirectoryA | ||
+ | 35b0e 342 GetFileAttributesA | ||
+ | 358ac 52 CompareStringA | ||
+ | 35b9c 395 GetOEMCP | ||
+ | 35e5e 571 LCMapStringW | ||
+ | 3596e 188 FileTimeToSystemTime | ||
+ | 35b4e 353 GetFullPathNameA | ||
+ | 35e2a 559 IsDebuggerPresent | ||
+ | 3602c 795 SetLastError | ||
+ | 3607a 839 Sleep | ||
+ | 360ee 856 Toolhelp32ReadProcessMemory | ||
+ | 35a32 245 GetACP | ||
+ | 35b88 375 GetModuleHandleA | ||
+ | 35986 197 FindClose | ||
+ | 359c4 229 FlushFileBuffers | ||
+ | 35cf8 501 GlobalFree | ||
+ | 35d56 520 HeapCreate | ||
+ | 35c3c 472 GetTimeZoneInformation | ||
+ | 35be0 433 GetStdHandle | ||
+ | 35e6e 583 LeaveCriticalSection | ||
+ | 35d4a 518 HeapAlloc | ||
+ | 35dca 542 InterlockedDecrement | ||
+ | 35d7e 528 HeapReAlloc | ||
+ | 3618e 947 lstrcmpiA | ||
+ | 35eb4 592 LocalFileTimeToFileTime | ||
+ | 360e0 855 TlsSetValue | ||
+ | 35c56 478 GetVersion | ||
+ | 35eda 597 LocalReAlloc | ||
+ | 35d2c 505 GlobalLock | ||
+ | 3604c 812 SetSystemTime | ||
+ | 35af4 336 GetEnvironmentVariableA | ||
+ | 35b72 373 GetModuleFileNameA | ||
+ | 358d0 77 CreateFileA | ||
+ | 36082 844 SystemTimeToFileTime | ||
+ | 3592e 143 EnterCriticalSection | ||
+ | 35f34 667 RaiseException | ||
+ | 360c8 853 TlsFree | ||
+ | 35f6e 739 SetConsoleCursorInfo | ||
+ | 35d3a 512 GlobalUnlock | ||
+ | 35946 175 ExitProcess | ||
+ | 35a72 314 GetCurrentProcess | ||
+ | 358be 53 CompareStringW | ||
+ | 36154 903 WideCharToMultiByte | ||
+ | 35fe2 776 SetErrorMode | ||
+ | 3589e 46 CloseHandle | ||
+ | 35e3e 567 IsValidLocale | ||
+ | 35e86 584 LoadLibraryA | ||
+ | 3609a 845 SystemTimeToTzSpecificLocalTime | ||
+ | 35b24 347 GetFileSize | ||
+ | 3588c 44 ClearCommError | ||
+ | 35954 187 FileTimeToLocalFileTime | ||
+ | 35f62 714 RtlUnwind | ||
+ | 35c64 479 GetVersionExA | ||
+ | 3605c 827 SetUnhandledExceptionFilter | ||
+ | 35a3c 252 GetCPInfo | ||
+ | 35d72 524 HeapFree | ||
+ | 35c14 441 GetSystemDirectoryA | ||
+ | 35ab0 331 GetDriveTypeA | ||
+ | 35d8c 530 HeapSize | ||
+ | 35992 201 FindFirstFileA | ||
+ | 35f14 618 MulDiv | ||
+ | 35d64 522 HeapDestroy | ||
+ | 35b40 350 GetFileType | ||
+ | 35f46 681 ReadFile | ||
+ | 35e96 589 LoadResource | ||
+ | 35de2 546 InterlockedIncrement | ||
+ | 35904 136 DosDateTimeToFileTime | ||
+ | 36176 941 lstrcatA | ||
+ | 35db4 539 InitializeSListHead | ||
+ | 359a4 211 FindNextFileA | ||
+ | 35fb8 771 SetEndOfFile | ||
+ | 35e1a 556 IsBadWritePtr | ||
+ | 36008 782 SetFilePointer | ||
+ | 35d06 502 GlobalGetAtomNameA | ||
+ | 35ba8 408 GetProcAddress | ||
+ | 3616a 916 WriteFile | ||
+ | 35ea6 590 LocalAlloc | ||
+ | 35f52 693 ReleaseActCtx | ||
+ | 36136 883 VirtualAlloc | ||
+ | 35ada 335 GetEnvironmentStringsW | ||
+ | 35f86 760 SetConsoleTextAttribute | ||
+ | 35a9a 318 GetCurrentThreadId | ||
+ | 35ece 594 LocalFree | ||
+ | 35c02 437 GetStringTypeW | ||
+ | 35e0a 553 IsBadReadPtr | ||
+ | 35fa0 765 SetCurrentDirectoryA | ||
+ | 35bce 431 GetStartupInfoA | ||
+ | 35d1c 504 GlobalHandle | ||
+ | 35cd8 497 GlobalFindAtomA | ||
+ | 35ca4 492 GlobalAddAtomA | ||
+ | 358de 122 DeleteCriticalSection | ||
+ | 35b62 361 GetLastError | ||
+ | 35bba 419 GetProcessVersion | ||
+ | 358f6 124 DeleteFileA | ||
+ | 35a0a 238 FreeEnvironmentStringsW | ||
+ | 3601a 791 SetHandleCount | ||
+ | 3619a 950 lstrcpyA | ||
+ | 35f1e 619 MultiByteToWideChar | ||
+ | 35a24 239 FreeLibrary | ||
+ | 36146 886 VirtualFree | ||
+ | 360bc 852 TlsAlloc | ||
+ | 35b32 349 GetFileTime | ||
+ | 3610c 864 UnhandledExceptionFilter | ||
+ | 359d8 230 FlushInstructionCache | ||
+ | 35ef8 601 LockFile | ||
+ | 36128 865 UnlockFile | ||
+ | 35cc4 496 GlobalDeleteAtom | ||
+ | 35c74 481 GetVolumeInformationA | ||
+ | 35ff2 780 SetFileAttributesA | ||
+ | 35cb6 494 GlobalAlloc | ||
+ | |||
+ | 00034d20 00035170 00000000 00000000 000361dc 00034414 | ||
+ | |||
+ | DLL Name: comdlg32.dll | ||
+ | vma: Hint/Ord Member-Name Bound-To | ||
+ | 361cc 7 GetFileTitleA | ||
+ | |||
+ | 00034d34 00034d5c 00000000 00000000 00036330 00034000 | ||
+ | |||
+ | DLL Name: ADVAPI32.dll | ||
+ | vma: Hint/Ord Member-Name Bound-To | ||
+ | 362a8 457 RegCloseKey | ||
+ | 362b6 461 RegCreateKeyExA | ||
+ | 36202 26 AddUsersToEncryptedFile | ||
+ | 36246 350 LsaEnumeratePrivileges | ||
+ | 3631c 597 SystemFunction016 | ||
+ | 36260 360 LsaICLookupNamesWithCreds | ||
+ | 36296 431 OpenThreadToken | ||
+ | 362c8 466 RegDeleteValueA | ||
+ | 362ea 505 RegSetValueExA | ||
+ | 362da 482 RegOpenKeyExA | ||
+ | 3627c 404 MSChapSrvChangePassword | ||
+ | 361ea 20 AddAccessDeniedAceEx | ||
+ | 36230 320 LockServiceDatabase | ||
+ | 362fc 558 SetSecurityDescriptorControl | ||
+ | 3621c 229 GetAclInformation | ||
+ | |||
+ | 00034d48 00000000 00000000 00000000 00000000 00000000 | ||
+ | |||
+ | </nowiki> | ||
+ | ====Embedded Resources==== | ||
+ | <nowiki> | ||
+ | |||
+ | rksmkjjl.exe: file format pei-i386 | ||
+ | |||
+ | Sections: | ||
+ | Idx Name Size VMA LMA File off Algn | ||
+ | 0 .text 000329fb 00401000 00401000 00000400 2**2 | ||
+ | CONTENTS, ALLOC, LOAD, READONLY, CODE | ||
+ | 1 .rdata 0000237b 00434000 00434000 00032e00 2**2 | ||
+ | CONTENTS, ALLOC, LOAD, READONLY, DATA | ||
+ | 2 .data 00004000 00437000 00437000 00035200 2**2 | ||
+ | CONTENTS, ALLOC, LOAD, DATA | ||
+ | 3 .rsrc 00000530 0043b000 0043b000 00039200 2**2 | ||
+ | CONTENTS, ALLOC, LOAD, READONLY, DATA | ||
+ | </nowiki> | ||
+ | ===sggmfdxd.exe=== | ||
+ | ''(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)'' | ||
+ | ====Private Headers==== | ||
+ | <nowiki> | ||
+ | BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | objdump: sggmfdxd.exe: File format not recognized | ||
+ | </nowiki> | ||
+ | ====Embedded Resources==== | ||
+ | <nowiki> | ||
+ | BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | objdump: sggmfdxd.exe: File format not recognized | ||
+ | </nowiki> | ||
+ | ===sgipopnq.exe=== | ||
+ | ''(MS-DOS executable PE for MS Windows (GUI) Intel 80386)'' | ||
+ | ====Private Headers==== | ||
+ | <nowiki> | ||
+ | BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | objdump: sgipopnq.exe: File format not recognized | ||
+ | </nowiki> | ||
+ | ====Embedded Resources==== | ||
+ | <nowiki> | ||
+ | BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | objdump: sgipopnq.exe: File format not recognized | ||
+ | </nowiki> | ||
+ | ===tgdtrhmg.exe=== | ||
+ | ''(MS-DOS executable PE for MS Windows (GUI) Intel 80386)'' | ||
+ | ====Private Headers==== | ||
+ | <nowiki> | ||
+ | BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | objdump: tgdtrhmg.exe: File format not recognized | ||
+ | </nowiki> | ||
+ | ====Embedded Resources==== | ||
+ | <nowiki> | ||
+ | BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | objdump: tgdtrhmg.exe: File format not recognized | ||
+ | </nowiki> | ||
+ | ===wkjdctce.exe=== | ||
+ | ''(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)'' | ||
+ | ====Private Headers==== | ||
+ | <nowiki> | ||
+ | |||
+ | wkjdctce.exe: file format pei-i386 | ||
+ | |||
+ | Characteristics 0x10f | ||
+ | relocations stripped | ||
+ | executable | ||
+ | line numbers stripped | ||
+ | symbols stripped | ||
+ | 32 bit words | ||
+ | |||
+ | Time/Date Tue Sep 10 16:24:00 2013 | ||
+ | Magic 010b (PE32) | ||
+ | MajorLinkerVersion 7 | ||
+ | MinorLinkerVersion 10 | ||
+ | SizeOfCode 00006000 | ||
+ | SizeOfInitializedData 0000a000 | ||
+ | SizeOfUninitializedData 00000000 | ||
+ | AddressOfEntryPoint 00003164 | ||
+ | BaseOfCode 00001000 | ||
+ | BaseOfData 00007000 | ||
+ | ImageBase 00400000 | ||
+ | SectionAlignment 00001000 | ||
+ | FileAlignment 00001000 | ||
+ | MajorOSystemVersion 4 | ||
+ | MinorOSystemVersion 0 | ||
+ | MajorImageVersion 0 | ||
+ | MinorImageVersion 0 | ||
+ | MajorSubsystemVersion 4 | ||
+ | MinorSubsystemVersion 0 | ||
+ | Win32Version 00000000 | ||
+ | SizeOfImage 00011000 | ||
+ | SizeOfHeaders 00001000 | ||
+ | CheckSum 00000000 | ||
+ | Subsystem 00000002 (Windows GUI) | ||
+ | DllCharacteristics 00000000 | ||
+ | SizeOfStackReserve 00100000 | ||
+ | SizeOfStackCommit 00001000 | ||
+ | SizeOfHeapReserve 00100000 | ||
+ | SizeOfHeapCommit 00001000 | ||
+ | LoaderFlags 00000000 | ||
+ | NumberOfRvaAndSizes 00000010 | ||
+ | |||
+ | The Data Directory | ||
+ | Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)] | ||
+ | Entry 1 00006788 0000003c Import Directory [parts of .idata] | ||
+ | Entry 2 0000f000 00001810 Resource Directory [.rsrc] | ||
+ | Entry 3 00000000 00000000 Exception Directory [.pdata] | ||
+ | Entry 4 00000000 00000000 Security Directory | ||
+ | Entry 5 00000000 00000000 Base Relocation Directory [.reloc] | ||
+ | Entry 6 00000000 00000000 Debug Directory | ||
+ | Entry 7 00000000 00000000 Description Directory | ||
+ | Entry 8 00000000 00000000 Special Directory | ||
+ | Entry 9 00000000 00000000 Thread Storage Directory [.tls] | ||
+ | Entry a 00000000 00000000 Load Configuration Directory | ||
+ | Entry b 00000000 00000000 Bound Import Directory | ||
+ | Entry c 00001000 00000130 Import Address Table Directory | ||
+ | Entry d 00000000 00000000 Delay Import Directory | ||
+ | Entry e 00000000 00000000 CLR Runtime Header | ||
+ | Entry f 00000000 00000000 Reserved | ||
+ | |||
+ | There is an import table in .text at 0x406788 | ||
+ | |||
+ | The Import Tables (interpreted .text section contents) | ||
+ | vma: Hint Time Forward DLL First | ||
+ | Table Stamp Chain Name Thunk | ||
+ | 00006788 000068ec 00000000 00000000 000068f4 00001128 | ||
+ | |||
+ | DLL Name: msi.dll | ||
+ | vma: Hint/Ord Member-Name Bound-To | ||
+ | 80000047 71 <none> | ||
+ | |||
+ | 0000679c 000067c4 00000000 00000000 00006c04 00001000 | ||
+ | |||
+ | DLL Name: KERNEL32.dll | ||
+ | vma: Hint/Ord Member-Name Bound-To | ||
+ | 6bb2 332 GetPriorityClass | ||
+ | 6e12 365 GetStringTypeA | ||
+ | 68fc 52 CreateEventA | ||
+ | 690c 394 GetTickCount | ||
+ | 691c 364 GetStdHandle | ||
+ | 692c 318 GetModuleHandleA | ||
+ | 6940 813 lstrcmpA | ||
+ | 694c 403 GetVersionExA | ||
+ | 695c 666 SetFilePointerEx | ||
+ | 6970 115 EnterCriticalSection | ||
+ | 6988 825 lstrlenA | ||
+ | 6994 94 DeleteCriticalSection | ||
+ | 69ac 518 MultiByteToWideChar | ||
+ | 69c2 200 FreeLibraryAndExitThread | ||
+ | 69de 319 GetModuleHandleW | ||
+ | 69f2 461 InterlockedExchange | ||
+ | 6a08 446 HeapFree | ||
+ | 6a14 56 CreateFileA | ||
+ | 6a22 459 InterlockedCompareExchange | ||
+ | 6a40 144 ExitProcess | ||
+ | 6a4e 684 SetStdHandle | ||
+ | 6a5e 577 ReadFile | ||
+ | 6a6a 199 FreeLibrary | ||
+ | 6a78 493 LocalFree | ||
+ | 6a84 458 InitializeCriticalSectionAndSpinCount | ||
+ | 6aac 474 IsDebuggerPresent | ||
+ | 6ac0 316 GetModuleFileNameA | ||
+ | 6ad6 773 WideCharToMultiByte | ||
+ | 6aec 483 LoadLibraryA | ||
+ | 6afc 287 GetEnvironmentStringsW | ||
+ | 6b16 404 GetVersionExW | ||
+ | 6b26 770 WaitForSingleObjectEx | ||
+ | 6b3e 672 SetLastError | ||
+ | 6b4e 786 WriteFile | ||
+ | 6b5a 769 WaitForSingleObject | ||
+ | 6b70 482 LeaveCriticalSection | ||
+ | 6b88 270 GetCurrentProcessId | ||
+ | 6b9e 78 CreateSemaphoreA | ||
+ | 6e24 368 GetStringTypeW | ||
+ | 6bc6 222 GetCommandLineA | ||
+ | 6bd8 285 GetEnvironmentStrings | ||
+ | 6bf0 271 GetCurrentThread | ||
+ | 6c12 362 GetStartupInfoA | ||
+ | 6c24 402 GetVersion | ||
+ | 6c32 719 TerminateProcess | ||
+ | 6c46 269 GetCurrentProcess | ||
+ | 6c5a 735 UnhandledExceptionFilter | ||
+ | 6c76 197 FreeEnvironmentStringsA | ||
+ | 6c90 198 FreeEnvironmentStringsW | ||
+ | 6caa 668 SetHandleCount | ||
+ | 6cbc 300 GetFileType | ||
+ | 6cca 272 GetCurrentThreadId | ||
+ | 6ce0 727 TlsSetValue | ||
+ | 6cee 724 TlsAlloc | ||
+ | 6cfa 725 TlsFree | ||
+ | 6d04 726 TlsGetValue | ||
+ | 6d12 305 GetLastError | ||
+ | 6d22 444 HeapDestroy | ||
+ | 6d30 442 HeapCreate | ||
+ | 6d3e 757 VirtualFree | ||
+ | 6d4c 603 RtlUnwind | ||
+ | 6d58 457 InitializeCriticalSection | ||
+ | 6d74 152 FatalAppExitA | ||
+ | 6d84 211 GetCPInfo | ||
+ | 6d90 205 GetACP | ||
+ | 6d9a 330 GetOEMCP | ||
+ | 6da6 440 HeapAlloc | ||
+ | 6db2 754 VirtualAlloc | ||
+ | 6dc2 449 HeapReAlloc | ||
+ | 6dd0 471 IsBadWritePtr | ||
+ | 6de0 343 GetProcAddress | ||
+ | 6df2 480 LCMapStringA | ||
+ | 6e02 481 LCMapStringW | ||
+ | |||
+ | 000067b0 00000000 00000000 00000000 00000000 00000000 | ||
+ | |||
+ | </nowiki> | ||
+ | ====Embedded Resources==== | ||
+ | <nowiki> | ||
+ | |||
+ | wkjdctce.exe: file format pei-i386 | ||
+ | |||
+ | Sections: | ||
+ | Idx Name Size VMA LMA File off Algn | ||
+ | 0 .text 00005e36 00401000 00401000 00001000 2**2 | ||
+ | CONTENTS, ALLOC, LOAD, READONLY, CODE | ||
+ | 1 .data 00006000 00407000 00407000 00007000 2**2 | ||
+ | CONTENTS, ALLOC, LOAD, DATA | ||
+ | 2 .rsrc 00001810 0040f000 0040f000 0000d000 2**2 | ||
+ | CONTENTS, ALLOC, LOAD, READONLY, DATA | ||
+ | </nowiki> | ||
+ | ===xpneklio.exe=== | ||
+ | ''(MS-DOS executable PE for MS Windows (GUI) Intel 80386)'' | ||
+ | ====Private Headers==== | ||
+ | <nowiki> | ||
+ | BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | objdump: xpneklio.exe: File format not recognized | ||
+ | </nowiki> | ||
+ | ====Embedded Resources==== | ||
+ | <nowiki> | ||
+ | BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | objdump: xpneklio.exe: File format not recognized | ||
+ | </nowiki> | ||
+ | ===xvoidaio.exe=== | ||
+ | ''(MS-DOS executable PE for MS Windows (GUI) Intel 80386)'' | ||
+ | ====Private Headers==== | ||
+ | <nowiki> | ||
+ | BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | objdump: xvoidaio.exe: File format not recognized | ||
+ | </nowiki> | ||
+ | ====Embedded Resources==== | ||
+ | <nowiki> | ||
+ | BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
+ | objdump: xvoidaio.exe: File format not recognized | ||
</nowiki> | </nowiki> |
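Review bot: the objdump runs for sggmfdxd.exe, sgipopnq.exe, tgdtrhmg.exe, xpneklio.exe and xvoidaio.exe produced only `BFD: ... Section flag STYP_COPY (0x10) ignored` and `objdump: ...: File format not recognized`, so their Private Headers and Embedded Resources subsections record a tool failure rather than any header data; the revision should say so explicitly and either re-run those five samples with a PE-aware parser or drop the empty subsections. Two smaller points in the same hunk: the `====Embedded Resources====` blocks actually hold the section table (`Sections: Idx Name Size VMA LMA File off Algn`), not resource-directory contents, so the heading is misleading and should be renamed to something like Sections; and the ordinal-only imports (`80000003 3 <none>` and `80000012 18 <none>` from WS2_32.dll, `80000047 71 <none>` from msi.dll) are left unresolved, which hides exactly the network-facing imports a reader of the analysis will look for, so they should be resolved against those DLLs' export tables. For mgifragd.exe the dump also shows a non-standard writable `.xcode` section of 0x7a000 bytes next to VirtualAlloc and VirtualProtect imports; a sentence interpreting that in the analysis would be more useful than the raw listing alone.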
Latest revision as of 22:09, 29 September 2013
Analysis by Kradorex Xeron (talk) 22:57, 29 September 2013 (EDT)
File Overview
[+] mgifragd.exe
> [TYPE] MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
> [MIME] application/x-dosexec
> [MD5 ] 9b5da0df71b3ac50a836672793c29f1d
[+] rksmkjjl.exe
> [TYPE] MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
> [MIME] application/x-dosexec
> [MD5 ] 3debe84b92cc387bcbfc3034793a8dc6
[+] sggmfdxd.exe
> [TYPE] MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
> [MIME] application/x-dosexec
> [MD5 ] 6faecc658746004333fa946c53d3424e
[+] sgipopnq.exe
> [TYPE] MS-DOS executable PE for MS Windows (GUI) Intel 80386
> [MIME] application/x-dosexec
> [MD5 ] 4cf7869df6f7a65d3b33e82795f5eebf
[+] tgdtrhmg.exe
> [TYPE] MS-DOS executable PE for MS Windows (GUI) Intel 80386
> [MIME] application/x-dosexec
> [MD5 ] 1a411d28f17298c43f2072596a44ef01
[+] wkjdctce.exe
> [TYPE] MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
> [MIME] application/x-dosexec
> [MD5 ] 6d383a9e45c651ade3df88522c0ff409
[+] xpneklio.exe
> [TYPE] MS-DOS executable PE for MS Windows (GUI) Intel 80386
> [MIME] application/x-dosexec
> [MD5 ] 9607d960108e3c8217a71eb7ee81f0c5
[+] xvoidaio.exe
> [TYPE] MS-DOS executable PE for MS Windows (GUI) Intel 80386
> [MIME] application/x-dosexec
> [MD5 ] 595257b15af9ef944aa6aee850088fd0
File Disassembly
mgifragd.exe
(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)
Private Headers
mgifragd.exe:     file format pei-i386

Characteristics 0x10f
        relocations stripped
        executable
        line numbers stripped
        symbols stripped
        32 bit words

Time/Date               Wed Sep 11 03:00:09 2013
Magic                   010b    (PE32)
MajorLinkerVersion      7
MinorLinkerVersion      0
SizeOfCode              00012000
SizeOfInitializedData   00082000
SizeOfUninitializedData 00000000
AddressOfEntryPoint     00009795
BaseOfCode              00001000
BaseOfData              00013000
ImageBase               00400000
SectionAlignment        00001000
FileAlignment           00001000
MajorOSystemVersion     4
MinorOSystemVersion     0
MajorImageVersion       0
MinorImageVersion       0
MajorSubsystemVersion   4
MinorSubsystemVersion   0
Win32Version            00000000
SizeOfImage             00106000
SizeOfHeaders           00001000
CheckSum                00000000
Subsystem               00000002        (Windows GUI)
DllCharacteristics      00000000
SizeOfStackReserve      00100000
SizeOfStackCommit       00001000
SizeOfHeapReserve       00100000
SizeOfHeapCommit        00001000
LoaderFlags             00000000
NumberOfRvaAndSizes     00000010

The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0001474c 000000a0 Import Directory [parts of .idata]
Entry 2 00102000 000031d2 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00000000 00000000 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 00013000 00000138 Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00000000 00000000 CLR Runtime Header
Entry f 00000000 00000000 Reserved

There is an import table in .rdata at 0x41474c

The Import Tables (interpreted .rdata section contents)
 vma:            Hint    Time      Forward  DLL       First
                 Table   Stamp     Chain    Name      Thunk
 0001474c       00014800 00000000 00000000 000149d2 00013014

        DLL Name: KERNEL32.dll
        vma:  Hint/Ord Member-Name Bound-To
        1496a     811  SuspendThread
        1497a     656  ReadFile
        14986     792  SetThreadPriority
        1499a     393  GetProcAddress
        149ac     853  VirtualAlloc
        1495e     886  WriteFile
        14df6      44  CloseHandle
        1492c     446  GetTickCount
        14dda     689  RtlUnwind
        14dce     507  HeapSize
        14dbe     545  LCMapStringW
        14950     120  DeleteFileA
        149bc     869  WaitForSingleObject
        1493c     359  GetModuleHandleA
        14dae     544  LCMapStringA
        14d9c     643  RaiseException
        14d8a     418  GetStringTypeW
        14d78     415  GetStringTypeA
        14d5e     428  GetSystemTimeAsFileTime
        14d48     304  GetCurrentProcessId
        14de6     780  SetStdHandle
        14924     809  Sleep
        14d32     306  GetCurrentThreadId
        14d18     638  QueryPerformanceCounter
        14d06     753  SetFilePointer
        14ad0     412  GetStartupInfoA
        14ae2     253  GetCommandLineA
        14af4     456  GetVersionExA
        14b04     501  HeapFree
        14b10     171  ExitProcess
        14b1e     817  TerminateProcess
        14b32     303  GetCurrentProcess
        14b46     414  GetStdHandle
        14b56     357  GetModuleFileNameA
        14b6c     834  UnhandledExceptionFilter
        14b88     227  FreeEnvironmentStringsA
        14ba2     319  GetEnvironmentStrings
        14bba     228  FreeEnvironmentStringsW
        14bd4     873  WideCharToMultiByte
        14bea     346  GetLastError
        14bfa     321  GetEnvironmentStringsW
        14c14     762  SetHandleCount
        14c26     336  GetFileType
        14c34     499  HeapDestroy
        14c42     497  HeapCreate
        14c50     856  VirtualFree
        14c5e     495  HeapAlloc
        14c6a     505  HeapReAlloc
        14c78     593  MultiByteToWideChar
        14c8e     859  VirtualProtect
        14ca0     424  GetSystemInfo
        14cb0     861  VirtualQuery
        14cc0     558  LoadLibraryA
        14cd0     235  GetACP
        14cda     380  GetOEMCP
        14ce6     241  GetCPInfo
        14cf2     219  FlushFileBuffers
        14e04     349  GetLocaleInfoA

 00014760       000148ec 00000000 00000000 00014a18 00013100

        DLL Name: USER32.dll
        vma:  Hint/Ord Member-Name Bound-To
        149e0     268  GetDC
        149e8     270  GetDesktopWindow
        14a0a     445  LoadImageA
        149fc     439  LoadCursorA

 00014774       000147f4 00000000 00000000 00014a40 00013008

        DLL Name: GDI32.dll
        vma:  Hint/Ord Member-Name Bound-To
        14a24      71  CreatePen
        14a30     524  SelectObject

 00014788       0001490c 00000000 00000000 00014a4a 00013120

        DLL Name: WS2_32.dll
        vma:  Hint/Ord Member-Name Bound-To
        80000003    3  <none>
        80000012   18  <none>

 0001479c       00014900 00000000 00000000 00014a78 00013114

        DLL Name: WINMM.dll
        vma:  Hint/Ord Member-Name Bound-To
        14a66      62  mciSendCommandA
        14a56      26  auxSetVolume

 000147b0       000147ec 00000000 00000000 00014a96 00013000

        DLL Name: AVIFIL32.dll
        vma:  Hint/Ord Member-Name Bound-To
        14a82       3  AVIClearClipboard

 000147c4       00014918 00000000 00000000 00014ac2 0001312c

        DLL Name: WinSCard.dll
        vma:  Hint/Ord Member-Name Bound-To
        14ab4       6  SCardCancel
        14aa4       7  SCardConnectA

 000147d8       00000000 00000000 00000000 00000000 00000000
Embedded Resources
mgifragd.exe:     file format pei-i386

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .text         00011eea  00401000  00401000  00001000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .rdata        00001e16  00413000  00413000  00013000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data         00002000  00415000  00415000  00015000  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  3 .xcode        0007a000  00418000  00418000  00017000  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  4 .rsrc         000031d2  00502000  00502000  00091000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
rksmkjjl.exe
(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)
Private Headers
rksmkjjl.exe:     file format pei-i386

Characteristics 0x10f
        relocations stripped
        executable
        line numbers stripped
        symbols stripped
        32 bit words

Time/Date               Wed Jun 16 00:28:57 2010
Magic                   010b    (PE32)
MajorLinkerVersion      6
MinorLinkerVersion      0
SizeOfCode              00032a00
SizeOfInitializedData   00006a00
SizeOfUninitializedData 00000000
AddressOfEntryPoint     000068d0
BaseOfCode              00001000
BaseOfData              00034000
ImageBase               00400000
SectionAlignment        00001000
FileAlignment           00000200
MajorOSystemVersion     4
MinorOSystemVersion     0
MajorImageVersion       0
MinorImageVersion       0
MajorSubsystemVersion   4
MinorSubsystemVersion   0
Win32Version            00000000
SizeOfImage             0003c000
SizeOfHeaders           00000400
CheckSum                00041a40
Subsystem               00000002        (Windows GUI)
DllCharacteristics      00000000
SizeOfStackReserve      00100000
SizeOfStackCommit       00001000
SizeOfHeapReserve       00100000
SizeOfHeapCommit        00001000
LoaderFlags             00000000
NumberOfRvaAndSizes     00000010

The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 00034cd0 0000008c Import Directory [parts of .idata]
Entry 2 0003b000 00000530 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00000000 00000000 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 00034000 0000041c Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00000000 00000000 CLR Runtime Header
Entry f 00000000 00000000 Reserved

There is an import table in .rdata at 0x434cd0

The Import Tables (interpreted .rdata section contents)
 vma:            Hint    Time      Forward  DLL       First
                 Table   Stamp     Chain    Name      Thunk
 00034cd0       0003515c 00000000 00000000 000351b8 00034400

        DLL Name: WINMM.dll
        vma:  Hint/Ord Member-Name Bound-To
        35184     132  mmioAdvance
        351a6     190  waveOutGetPitch
        35178     124  mixerOpen
        35192     162  timeGetSystemTime

 00034ce4       00034ff8 00000000 00000000 0003576c 0003429c

        DLL Name: USER32.dll
        vma:  Hint/Ord Member-Name Bound-To
        354a4     366  GetWindowLongA
        353fe     311  GetMenuState
        353ee     307  GetMenuItemID
        356d0     658  ShowWindow
        35688     640  SetWindowLongA
        355ce     515  PostQuitMessage
        35224      74  CopyRect
        3563e     579  SetActiveWindow
        35514     417  IsDialogMessageA
        35558     439  LoadBitmapA
        3567c     618  SetPropA
        35498     362  GetWindow
        352be     198  EndDialog
        35666     609  SetMenuItemBitmaps
        355ae     511  PeekMessageA
        3538e     289  GetKeyState
        3570a     686  UnhookWindowsHookEx
        35444     345  GetSubMenu
        351e2      27  CallWindowProcA
        35650     599  SetForegroundWindow
        353da     306  GetMenuItemCount
        3534e     272  GetDlgCtrlID
        354b6     371  GetWindowPlacement
        35534     430  IsWindowEnabled
        35460     347  GetSysColorBrush
        353bc     302  GetMenuCheckMarkDimensions
        35488     355  GetTopWindow
        35618     566  SendDlgItemMessageA
        35528     429  IsWindow
        352d6     225  ExitWindowsEx
        354cc     372  GetWindowRect
        35734     699  UpdateWindow
        35290     182  DrawIcon
        352ca     200  EndPaint
        355e0     523  PtInRect
        3569a     643  SetWindowPos
        35506     381  GrayStringA
        3540e     314  GetMessageA
        354ee     376  GetWindowTextLengthA
        355a0     478  MessageBoxA
        351d0      26  CallNextHookEx
        354dc     375  GetWindowTextA
        35580     458  LoadStringA
        3541c     316  GetMessagePos
        351f4      52  CharUpperA
        352e6     235  GetActiveWindow
        35754     720  WinHelpA
        35720     691  UnregisterClassA
        355ec     534  RegisterClassA
        356aa     646  SetWindowTextA
        3529c     194  EnableMenuItem
        356de     665  SystemParametersInfoA
        355fe     554  ReleaseDC
        35272     151  DestroyMenu
        3536c     278  GetFocus
        353b2     300  GetMenu
        35378     279  GetForegroundWindow
        35760     726  wsprintfA
        35230      82  CreateDialogIndirectParamA
        3539c     296  GetLastActivePopup
        35202      57  CheckMenuItem
        352f8     243  GetCapture
        355be     513  PostMessageA
        356f6     682  TranslateMessage
        35566     441  LoadCursorA
        3558e     473  MapWindowPoints
        351c2      13  BeginPaint
        35306     246  GetClassInfoA
        3562e     571  SendMessageA
        352ae     196  EnableWindow
        35212      64  ClientToScreen
        35438     330  GetPropA
        35336     267  GetCursorPos
        35316     252  GetClassNameA
        356bc     650  SetWindowsHookExA
        35474     349  GetSystemMetrics
        35452     346  GetSysColor
        35326     255  GetClientRect
        3535e     273  GetDlgItem
        35280     153  DestroyWindow
        35574     445  LoadIconA
        3542c     325  GetParent
        35546     433  IsWindowVisible
        3560a     556  RemovePropA
        35346     268  GetDC
        35260     142  DefWindowProcA
        35744     707  ValidateRect
        3524e      96  CreateWindowExA

 00034cf8       00034d9c 00000000 00000000 0003587a 00034040

        DLL Name: GDI32.dll
        vma:  Hint/Ord Member-Name Bound-To
        3581a     519  SaveDC
        357d8     352  GetClipBox
        35802     512  RestoreDC
        3586e     590  TextOutA
        3583a     555  SetMapMode
        357ba     143  DeleteObject
        357ca     221  ExtTextOutA
        357e6     363  GetDeviceCaps
        357f6     419  GetRelAbs
        357ae     140  DeleteDC
        3585c     578  SetWindowExtEx
        35824     520  ScaleViewportExtEx
        3580e     513  RoundRect
        35788      51  CreateDIBitmap
        3579a      53  CreateEllipticRgn
        35848     574  SetViewportExtEx
        35778      39  CreateBitmap

 00034d0c       00034de4 00000000 00000000 000361be 00034088

        DLL Name: KERNEL32.dll
        vma:  Hint/Ord Member-Name Bound-To
        35a86     317  GetCurrentThread
        3603c     810  SetStdHandle
        3591c     140  DuplicateHandle
        35c2a     464  GetThreadLocale
        35bf0     434  GetStringTypeA
        35884      25  Beep
        360d2     854  TlsGetValue
        35fc8     774  SetEnvironmentVariableA
        35cea     500  GlobalFlags
        361a6     953  lstrcpynA
        359b4     218  FindResourceA
        35dfa     550  IsBadCodePtr
        35a5a     312  GetCurrentDirectoryA
        35d98     537  InitializeCriticalSection
        35ac0     334  GetEnvironmentStringsA
        359f0     237  FreeEnvironmentStringsA
        35eea     600  LocalUnlock
        35f04     603  LockResource
        35a48     264  GetCommandLineA
        35e4e     570  LCMapStringA
        361b2     956  lstrlenA
        36182     944  lstrcmpA
        35c8c     489  GetWindowsDirectoryA
        35b0e     342  GetFileAttributesA
        358ac      52  CompareStringA
        35b9c     395  GetOEMCP
        35e5e     571  LCMapStringW
        3596e     188  FileTimeToSystemTime
        35b4e     353  GetFullPathNameA
        35e2a     559  IsDebuggerPresent
        3602c     795  SetLastError
        3607a     839  Sleep
        360ee     856  Toolhelp32ReadProcessMemory
        35a32     245  GetACP
        35b88     375  GetModuleHandleA
        35986     197  FindClose
        359c4     229  FlushFileBuffers
        35cf8     501  GlobalFree
        35d56     520  HeapCreate
        35c3c     472  GetTimeZoneInformation
        35be0     433  GetStdHandle
        35e6e     583  LeaveCriticalSection
        35d4a     518  HeapAlloc
        35dca     542  InterlockedDecrement
        35d7e     528  HeapReAlloc
        3618e     947  lstrcmpiA
        35eb4     592  LocalFileTimeToFileTime
        360e0     855  TlsSetValue
        35c56     478  GetVersion
        35eda     597  LocalReAlloc
        35d2c     505  GlobalLock
        3604c     812  SetSystemTime
        35af4     336  GetEnvironmentVariableA
        35b72     373  GetModuleFileNameA
        358d0      77  CreateFileA
        36082     844  SystemTimeToFileTime
        3592e     143  EnterCriticalSection
        35f34     667  RaiseException
        360c8     853  TlsFree
        35f6e     739  SetConsoleCursorInfo
        35d3a     512  GlobalUnlock
        35946     175  ExitProcess
        35a72     314  GetCurrentProcess
        358be      53  CompareStringW
        36154     903  WideCharToMultiByte
        35fe2     776  SetErrorMode
        3589e      46  CloseHandle
        35e3e     567  IsValidLocale
        35e86     584  LoadLibraryA
        3609a     845  SystemTimeToTzSpecificLocalTime
        35b24     347  GetFileSize
        3588c      44  ClearCommError
        35954     187  FileTimeToLocalFileTime
        35f62     714  RtlUnwind
        35c64     479  GetVersionExA
        3605c     827  SetUnhandledExceptionFilter
        35a3c     252  GetCPInfo
        35d72     524  HeapFree
        35c14     441  GetSystemDirectoryA
        35ab0     331  GetDriveTypeA
        35d8c     530  HeapSize
        35992     201  FindFirstFileA
        35f14     618  MulDiv
        35d64     522  HeapDestroy
        35b40     350  GetFileType
        35f46     681  ReadFile
        35e96     589  LoadResource
        35de2     546  InterlockedIncrement
        35904     136  DosDateTimeToFileTime
        36176     941  lstrcatA
        35db4     539  InitializeSListHead
        359a4     211  FindNextFileA
        35fb8     771  SetEndOfFile
        35e1a     556  IsBadWritePtr
        36008     782  SetFilePointer
        35d06     502  GlobalGetAtomNameA
        35ba8     408  GetProcAddress
        3616a     916  WriteFile
        35ea6     590  LocalAlloc
        35f52     693  ReleaseActCtx
        36136     883  VirtualAlloc
        35ada     335  GetEnvironmentStringsW
        35f86     760  SetConsoleTextAttribute
        35a9a     318  GetCurrentThreadId
        35ece     594  LocalFree
        35c02     437  GetStringTypeW
        35e0a     553  IsBadReadPtr
        35fa0     765  SetCurrentDirectoryA
        35bce     431  GetStartupInfoA
        35d1c     504  GlobalHandle
        35cd8     497  GlobalFindAtomA
        35ca4     492  GlobalAddAtomA
        358de     122  DeleteCriticalSection
        35b62     361  GetLastError
        35bba     419  GetProcessVersion
        358f6     124  DeleteFileA
        35a0a     238  FreeEnvironmentStringsW
        3601a     791  SetHandleCount
        3619a     950  lstrcpyA
        35f1e     619  MultiByteToWideChar
        35a24     239  FreeLibrary
        36146     886  VirtualFree
        360bc     852  TlsAlloc
        35b32     349  GetFileTime
        3610c     864  UnhandledExceptionFilter
        359d8     230  FlushInstructionCache
        35ef8     601  LockFile
        36128     865  UnlockFile
        35cc4     496  GlobalDeleteAtom
        35c74     481  GetVolumeInformationA
        35ff2     780  SetFileAttributesA
        35cb6     494  GlobalAlloc

 00034d20       00035170 00000000 00000000 000361dc 00034414

        DLL Name: comdlg32.dll
        vma:  Hint/Ord Member-Name Bound-To
        361cc       7  GetFileTitleA

 00034d34       00034d5c 00000000 00000000 00036330 00034000

        DLL Name: ADVAPI32.dll
        vma:  Hint/Ord Member-Name Bound-To
        362a8     457  RegCloseKey
        362b6     461  RegCreateKeyExA
        36202      26  AddUsersToEncryptedFile
        36246     350  LsaEnumeratePrivileges
        3631c     597  SystemFunction016
        36260     360  LsaICLookupNamesWithCreds
        36296     431  OpenThreadToken
        362c8     466  RegDeleteValueA
        362ea     505  RegSetValueExA
        362da     482  RegOpenKeyExA
        3627c     404  MSChapSrvChangePassword
        361ea      20  AddAccessDeniedAceEx
        36230     320  LockServiceDatabase
        362fc     558  SetSecurityDescriptorControl
        3621c     229  GetAclInformation

 00034d48       00000000 00000000 00000000 00000000 00000000
Embedded Resources
rksmkjjl.exe:     file format pei-i386

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .text         000329fb  00401000  00401000  00000400  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .rdata        0000237b  00434000  00434000  00032e00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data         00004000  00437000  00437000  00035200  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  3 .rsrc         00000530  0043b000  0043b000  00039200  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
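The section tables for mgifragd.exe and rksmkjjl.exe are what objdump used when it reported "There is an import table in .rdata at 0x41474c" and "... at 0x434cd0": subtract ImageBase from the directory RVA, find the section whose virtual range covers it, and add the distance into that section to the section's file offset. The Python below is an example added to this page, not code from the original analysis. The section rows and data-directory values are transcribed from the objdump output above; the list of "ordinary" linker section names used to single out .xcode is the example's own assumption.

```python
"""Resolve RVAs against the objdump -h section tables above.  Added example,
not code from the original analysis; the section rows are transcribed from
the page, everything else is the example's own."""

IMAGE_BASE = 0x400000  # ImageBase from both samples' optional headers

# (name, virtual size, VMA, file offset), copied from the Sections listings.
MGIFRAGD_SECTIONS = [
    (".text",  0x11EEA, 0x401000, 0x01000),
    (".rdata", 0x01E16, 0x413000, 0x13000),
    (".data",  0x02000, 0x415000, 0x15000),
    (".xcode", 0x7A000, 0x418000, 0x17000),
    (".rsrc",  0x031D2, 0x502000, 0x91000),
]
RKSMKJJL_SECTIONS = [
    (".text",  0x329FB, 0x401000, 0x00400),
    (".rdata", 0x0237B, 0x434000, 0x32E00),
    (".data",  0x04000, 0x437000, 0x35200),
    (".rsrc",  0x00530, 0x43B000, 0x39200),
]
# Names the Microsoft linker emits for an ordinary C/C++ image (assumption of
# this example); anything else, here .xcode, deserves a look before trusting
# the disassembly.
LINKER_SECTION_NAMES = {".text", ".rdata", ".data", ".bss", ".idata", ".edata",
                        ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}


def section_for_rva(sections, rva):
    """Return the section row whose [VMA-ImageBase, +VirtualSize) covers rva, else None."""
    for row in sections:
        _, vsize, vma, _ = row
        start = vma - IMAGE_BASE
        if start <= rva < start + vsize:
            return row
    return None


def rva_to_offset(sections, rva):
    """file offset = PointerToRawData + (rva - section RVA).
    Raises ValueError for RVAs no section maps (the headers are excluded on purpose)."""
    row = section_for_rva(sections, rva)
    if row is None:
        raise ValueError("RVA %#x is not covered by any section" % rva)
    _, _, vma, file_off = row
    return file_off + (rva - (vma - IMAGE_BASE))


def locate_directories(sections, entries):
    """Map data-directory entries [(label, rva, size)] to (section, file offset, size).
    Empty entries (rva 0) are reported as None rather than resolved."""
    out = {}
    for label, rva, size in entries:
        if rva == 0:
            out[label] = None
            continue
        row = section_for_rva(sections, rva)
        out[label] = (row[0], rva_to_offset(sections, rva), size) if row else (None, None, size)
    return out


def unusual_sections(sections):
    """Section names outside the linker's usual set."""
    return [row[0] for row in sections if row[0] not in LINKER_SECTION_NAMES]


if __name__ == "__main__":
    # Data-directory entries from the mgifragd.exe private headers above.
    mgifragd_dirs = [("Import Directory", 0x1474C, 0xA0),
                     ("Resource Directory", 0x102000, 0x31D2),
                     ("Import Address Table", 0x13000, 0x138),
                     ("Base Relocation Directory", 0, 0)]
    for label, hit in locate_directories(MGIFRAGD_SECTIONS, mgifragd_dirs).items():
        print("%-28s %s" % (label, hit))
    print("entry point 0x9795 is in", section_for_rva(MGIFRAGD_SECTIONS, 0x9795)[0])
    print("non-standard sections:", unusual_sections(MGIFRAGD_SECTIONS))
    print("rksmkjjl import table file offset: %#x" % rva_to_offset(RKSMKJJL_SECTIONS, 0x34CD0))
```

For mgifragd.exe FileAlignment equals SectionAlignment (0x1000), so RVA and file offset coincide and objdump's 0x41474c is just ImageBase + RVA; for rksmkjjl.exe (FileAlignment 0x200) the same RVA arithmetic lands the import directory at file offset 0x33ad0, which is the number you need when carving the table out of the file with a hex editor rather than reading it from a mapped image.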
sggmfdxd.exe
(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)
Private Headers
BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: sggmfdxd.exe: File format not recognized
Embedded Resources
BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: sggmfdxd.exe: File format not recognized
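Five of the samples (sggmfdxd, sgipopnq, tgdtrhmg, xpneklio, xvoidaio) are identified by `file` as PE images but rejected by objdump with "File format not recognized", right after BFD warns that .data carries section flag 0x10, a bit the PE/COFF specification reserves and which BFD labels with the old COFF name STYP_COPY. When the disassembler gives up on the headers, a small hand-rolled reader gets the analysis moving again. The Python below is an example added to this page, not code from the original analysis: it walks the DOS header, PE signature, COFF header, PE32 optional header and section table, decodes Characteristics into the words objdump prints, and flags reserved section-flag bits and a few other header anomalies. The image it parses is constructed inline from the mgifragd.exe field values printed above (the timestamp is not reproduced), with the 0x10 bit added to .data to exercise the check; on a real sample call `parse_pe(open(path, "rb").read())`.

```python
"""Minimal PE32 header reader (DOS header -> PE signature -> COFF header ->
optional header -> section table).  Added example, not code from the original
analysis; it is the fallback for files objdump's BFD layer refuses to parse.
The demo image is constructed in-line."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits, labelled the way objdump -p prints them.
FILE_CHARACTERISTICS = [(0x0001, "relocations stripped"), (0x0002, "executable"),
                        (0x0004, "line numbers stripped"), (0x0008, "symbols stripped"),
                        (0x0100, "32 bit words"), (0x2000, "DLL")]
# Section Characteristics bits the PE/COFF spec reserves; 0x10 is the one BFD
# reports as STYP_COPY and "ignores" on five of the samples above.
SECTION_RESERVED = 0x00000001 | 0x00000002 | 0x00000004 | 0x00000010
SCN_CODE, SCN_EXECUTE, SCN_WRITE = 0x00000020, 0x20000000, 0x80000000

COFF_FMT = "<HHIIIHH"                                   # IMAGE_FILE_HEADER (20 bytes)
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # PE32 optional header before the data directory (96 bytes)
OPT32_FIELDS = ["Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
    "SizeOfInitializedData", "SizeOfUninitializedData", "AddressOfEntryPoint", "BaseOfCode",
    "BaseOfData", "ImageBase", "SectionAlignment", "FileAlignment", "MajorOperatingSystemVersion",
    "MinorOperatingSystemVersion", "MajorImageVersion", "MinorImageVersion",
    "MajorSubsystemVersion", "MinorSubsystemVersion", "Win32VersionValue", "SizeOfImage",
    "SizeOfHeaders", "CheckSum", "Subsystem", "DllCharacteristics", "SizeOfStackReserve",
    "SizeOfStackCommit", "SizeOfHeapReserve", "SizeOfHeapCommit", "LoaderFlags",
    "NumberOfRvaAndSizes"]
SECTION_FMT = "<8sIIIIIIHHI"                             # IMAGE_SECTION_HEADER (40 bytes)


def parse_pe(data):
    """Parse the headers of a PE32 image; ValueError if signatures or magic are wrong."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew %#x" % e_lfanew)
    coff_off = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_FMT)
    optional = dict(zip(OPT32_FIELDS, struct.unpack_from(OPT32_FMT, data, opt_off)))
    if optional["Magic"] != 0x10B:
        raise ValueError("optional header magic %#x is not PE32" % optional["Magic"])
    dir_off = opt_off + struct.calcsize(OPT32_FMT)
    data_dirs = [struct.unpack_from("<II", data, dir_off + 8 * i)
                 for i in range(optional["NumberOfRvaAndSizes"])]
    sections = []
    for i in range(nsections):  # section table starts right after the optional header
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr, "flags": flags})
    return {"machine": machine, "timestamp": timestamp, "characteristics": characteristics,
            "optional": optional, "data_dirs": data_dirs, "sections": sections}


def decode_file_characteristics(value):
    """Names of the set Characteristics bits, in the order objdump lists them."""
    return [name for bit, name in FILE_CHARACTERISTICS if value & bit]


def find_anomalies(pe):
    """Header checks worth running before trusting any disassembler's view of the file."""
    found = []
    aep = pe["optional"]["AddressOfEntryPoint"]
    if not any(s["va"] <= aep < s["va"] + max(s["vsize"], s["rawsize"]) for s in pe["sections"]):
        found.append("entry point %#x lies outside every section" % aep)
    for s in pe["sections"]:
        if s["flags"] & SECTION_RESERVED:
            found.append("section %s sets reserved characteristic bits %#x" % (s["name"], s["flags"] & SECTION_RESERVED))
        if s["flags"] & SCN_WRITE and s["flags"] & (SCN_EXECUTE | SCN_CODE):
            found.append("section %s is both writable and executable" % s["name"])
    return found


def build_sample_pe():
    """Constructed header-only PE32 for the demo.  Scalar fields copy the
    mgifragd.exe values printed above (timestamp not reproduced); the bytes are
    synthesized here and .data deliberately carries the reserved 0x10 bit."""
    rows = [(b".text", 0x11EEA, 0x1000, 0x12000, 0x1000, SCN_CODE | SCN_EXECUTE | 0x40000000),
            (b".data", 0x2000, 0x15000, 0x2000, 0x15000, 0x40 | 0x40000000 | SCN_WRITE | 0x10)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, 0x14C, len(rows), 0, 0, 0, 0xE0, 0x10F)  # i386, 2 sections
    opt = struct.pack(OPT32_FMT, 0x10B, 7, 0, 0x12000, 0x82000, 0, 0x9795, 0x1000, 0x13000,
                      0x400000, 0x1000, 0x1000, 4, 0, 0, 0, 4, 0, 0, 0x106000, 0x1000, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * (8 * 16)
    secs = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                    for n, vs, va, rs, rp, fl in rows)
    return dos + b"PE\0\0" + coff + opt + secs


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print("Characteristics %#x:" % pe["characteristics"],
          ", ".join(decode_file_characteristics(pe["characteristics"])))
    for key in ("AddressOfEntryPoint", "ImageBase", "SizeOfImage"):
        print("%-20s %08x" % (key, pe["optional"][key]))
    for s in pe["sections"]:
        print("%-8s vsize=%08x va=%08x rawptr=%08x flags=%08x" % (s["name"], s["vsize"], s["va"], s["rawptr"], s["flags"]))
    for finding in find_anomalies(pe):
        print("!!", finding)
```

The reserved-bit check is the one that matters for these five samples: a loader ignores the bit and runs the file, while a strict parser refuses it, which is exactly the gap between `file` saying "PE32" and objdump saying "not recognized". The same reader also gives you the section table needed to locate the import directory by hand once the tool has bailed out.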
sgipopnq.exe
(MS-DOS executable PE for MS Windows (GUI) Intel 80386)
Private Headers
BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: sgipopnq.exe: File format not recognized
Embedded Resources
BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: sgipopnq.exe: File format not recognized
tgdtrhmg.exe
(MS-DOS executable PE for MS Windows (GUI) Intel 80386)
Private Headers
BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: tgdtrhmg.exe: File format not recognized
Embedded Resources
BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: tgdtrhmg.exe: File format not recognized
wkjdctce.exe
(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)
Private Headers
wkjdctce.exe:     file format pei-i386

Characteristics 0x10f
        relocations stripped
        executable
        line numbers stripped
        symbols stripped
        32 bit words

Time/Date               Tue Sep 10 16:24:00 2013
Magic                   010b    (PE32)
MajorLinkerVersion      7
MinorLinkerVersion      10
SizeOfCode              00006000
SizeOfInitializedData   0000a000
SizeOfUninitializedData 00000000
AddressOfEntryPoint     00003164
BaseOfCode              00001000
BaseOfData              00007000
ImageBase               00400000
SectionAlignment        00001000
FileAlignment           00001000
MajorOSystemVersion     4
MinorOSystemVersion     0
MajorImageVersion       0
MinorImageVersion       0
MajorSubsystemVersion   4
MinorSubsystemVersion   0
Win32Version            00000000
SizeOfImage             00011000
SizeOfHeaders           00001000
CheckSum                00000000
Subsystem               00000002        (Windows GUI)
DllCharacteristics      00000000
SizeOfStackReserve      00100000
SizeOfStackCommit       00001000
SizeOfHeapReserve       00100000
SizeOfHeapCommit        00001000
LoaderFlags             00000000
NumberOfRvaAndSizes     00000010

The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 00006788 0000003c Import Directory [parts of .idata]
Entry 2 0000f000 00001810 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00000000 00000000 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 00001000 00000130 Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00000000 00000000 CLR Runtime Header
Entry f 00000000 00000000 Reserved

There is an import table in .text at 0x406788

The Import Tables (interpreted .text section contents)
 vma:            Hint    Time      Forward  DLL       First
                 Table   Stamp     Chain    Name      Thunk
 00006788       000068ec 00000000 00000000 000068f4 00001128

        DLL Name: msi.dll
        vma:  Hint/Ord Member-Name Bound-To
        80000047   71  <none>

 0000679c       000067c4 00000000 00000000 00006c04 00001000

        DLL Name: KERNEL32.dll
        vma:  Hint/Ord Member-Name Bound-To
        6bb2      332  GetPriorityClass
        6e12      365  GetStringTypeA
        68fc       52  CreateEventA
        690c      394  GetTickCount
        691c      364  GetStdHandle
        692c      318  GetModuleHandleA
        6940      813  lstrcmpA
        694c      403  GetVersionExA
        695c      666  SetFilePointerEx
        6970      115  EnterCriticalSection
        6988      825  lstrlenA
        6994       94  DeleteCriticalSection
        69ac      518  MultiByteToWideChar
        69c2      200  FreeLibraryAndExitThread
        69de      319  GetModuleHandleW
        69f2      461  InterlockedExchange
        6a08      446  HeapFree
        6a14       56  CreateFileA
        6a22      459  InterlockedCompareExchange
        6a40      144  ExitProcess
        6a4e      684  SetStdHandle
        6a5e      577  ReadFile
        6a6a      199  FreeLibrary
        6a78      493  LocalFree
        6a84      458  InitializeCriticalSectionAndSpinCount
        6aac      474  IsDebuggerPresent
        6ac0      316  GetModuleFileNameA
        6ad6      773  WideCharToMultiByte
        6aec      483  LoadLibraryA
        6afc      287  GetEnvironmentStringsW
        6b16      404  GetVersionExW
        6b26      770  WaitForSingleObjectEx
        6b3e      672  SetLastError
        6b4e      786  WriteFile
        6b5a      769  WaitForSingleObject
        6b70      482  LeaveCriticalSection
        6b88      270  GetCurrentProcessId
        6b9e       78  CreateSemaphoreA
        6e24      368  GetStringTypeW
        6bc6      222  GetCommandLineA
        6bd8      285  GetEnvironmentStrings
        6bf0      271  GetCurrentThread
        6c12      362  GetStartupInfoA
        6c24      402  GetVersion
        6c32      719  TerminateProcess
        6c46      269  GetCurrentProcess
        6c5a      735  UnhandledExceptionFilter
        6c76      197  FreeEnvironmentStringsA
        6c90      198  FreeEnvironmentStringsW
        6caa      668  SetHandleCount
        6cbc      300  GetFileType
        6cca      272  GetCurrentThreadId
        6ce0      727  TlsSetValue
        6cee      724  TlsAlloc
        6cfa      725  TlsFree
        6d04      726  TlsGetValue
        6d12      305  GetLastError
        6d22      444  HeapDestroy
        6d30      442  HeapCreate
        6d3e      757  VirtualFree
        6d4c      603  RtlUnwind
        6d58      457  InitializeCriticalSection
        6d74      152  FatalAppExitA
        6d84      211  GetCPInfo
        6d90      205  GetACP
        6d9a      330  GetOEMCP
        6da6      440  HeapAlloc
        6db2      754  VirtualAlloc
        6dc2      449  HeapReAlloc
        6dd0      471  IsBadWritePtr
        6de0      343  GetProcAddress
        6df2      480  LCMapStringA
        6e02      481  LCMapStringW

 000067b0       00000000 00000000 00000000 00000000 00000000
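With three import tables on the page (mgifragd.exe, rksmkjjl.exe, wkjdctce.exe) the natural next step is to turn the raw API lists into capability tags, and to name the ordinal-only imports that objdump prints as `<none>`. The Python below is an example added to this page, not code from the original analysis. The import lists are subsets transcribed from the objdump output above; the capability table is the example's own and deliberately small. The ws2_32 ordinal names are taken from ws2_32.dll's export table (confirm against the DLL on your analysis host); msi.dll ordinal 71 is left unresolved because no name for it appears on this page. Every sample imports both LoadLibraryA and GetProcAddress, so the block also records that the static table is only a lower bound on what the code may call.

```python
"""Import-table triage for the three parsed samples.  Added example, not part
of the original analysis.  Import lists are subsets transcribed from the
objdump -p output above; the capability table is the example's own."""

# ws2_32.dll is usually imported by ordinal, which is why objdump shows <none>.
# Ordinal -> name for the common Winsock entry points (from the DLL's export
# table; verify on the analysis host).
WS2_32_ORDINALS = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 16: "recv",
                   18: "select", 19: "send", 23: "socket", 115: "WSAStartup", 116: "WSACleanup"}

# API -> capability tag.  Deliberately small; extend for your own triage.
CAPABILITIES = {
    "LoadLibraryA": "dynamic API resolution", "GetProcAddress": "dynamic API resolution",
    "VirtualAlloc": "runtime code/memory", "VirtualProtect": "runtime code/memory",
    "IsDebuggerPresent": "anti-debugging",
    "Toolhelp32ReadProcessMemory": "process memory access",
    "SetWindowsHookExA": "window hooking", "CallNextHookEx": "window hooking",
    "RegCreateKeyExA": "registry write", "RegSetValueExA": "registry write",
    "RegDeleteValueA": "registry write",
    "FindFirstFileA": "file enumeration", "FindNextFileA": "file enumeration",
    "DeleteFileA": "file deletion", "ExitWindowsEx": "forced logoff/shutdown",
    "SetSystemTime": "system clock change",
    "SCardConnectA": "smart card access", "SCardCancel": "smart card access",
}
DLL_CAPABILITIES = {"ws2_32.dll": "network (Winsock)", "msi.dll": "Windows Installer"}

# Subsets of each sample's imports transcribed from the page: (dll, name or ordinal).
SAMPLES = {
    "mgifragd.exe": [("KERNEL32.dll", "LoadLibraryA"), ("KERNEL32.dll", "GetProcAddress"),
                     ("KERNEL32.dll", "VirtualAlloc"), ("KERNEL32.dll", "VirtualProtect"),
                     ("KERNEL32.dll", "DeleteFileA"), ("WS2_32.dll", 3), ("WS2_32.dll", 18),
                     ("WinSCard.dll", "SCardConnectA"), ("WinSCard.dll", "SCardCancel")],
    "rksmkjjl.exe": [("KERNEL32.dll", "IsDebuggerPresent"),
                     ("KERNEL32.dll", "Toolhelp32ReadProcessMemory"),
                     ("KERNEL32.dll", "SetSystemTime"), ("KERNEL32.dll", "FindFirstFileA"),
                     ("KERNEL32.dll", "DeleteFileA"), ("USER32.dll", "SetWindowsHookExA"),
                     ("USER32.dll", "ExitWindowsEx"), ("ADVAPI32.dll", "RegCreateKeyExA"),
                     ("ADVAPI32.dll", "RegSetValueExA"), ("KERNEL32.dll", "LoadLibraryA"),
                     ("KERNEL32.dll", "GetProcAddress")],
    "wkjdctce.exe": [("msi.dll", 71), ("KERNEL32.dll", "IsDebuggerPresent"),
                     ("KERNEL32.dll", "LoadLibraryA"), ("KERNEL32.dll", "GetProcAddress")],
}


def resolve_import(dll, member):
    """Return a function name for an import, resolving ws2_32 ordinals; None if unknown."""
    if isinstance(member, str):
        return member
    if dll.lower() == "ws2_32.dll":
        return WS2_32_ORDINALS.get(member)
    return None


def triage(imports):
    """Tag one sample's imports.  Returns sorted tags, the ordinal imports that could
    not be named, and whether the sample can resolve APIs at run time (in which case
    the static import table is only a lower bound)."""
    tags, unresolved = set(), []
    for dll, member in imports:
        if dll.lower() in DLL_CAPABILITIES:
            tags.add(DLL_CAPABILITIES[dll.lower()])
        name = resolve_import(dll, member)
        if name is None:
            unresolved.append((dll, member))
        elif name in CAPABILITIES:
            tags.add(CAPABILITIES[name])
    return {"tags": sorted(tags), "unresolved": unresolved,
            "dynamic_resolution": "dynamic API resolution" in tags}


if __name__ == "__main__":
    for sample, imports in SAMPLES.items():
        result = triage(imports)
        print(sample)
        for tag in result["tags"]:
            print("    " + tag)
        for dll, ordinal in result["unresolved"]:
            print("    unresolved ordinal %d from %s" % (ordinal, dll))
        if result["dynamic_resolution"]:
            print("    note: static import table is a lower bound (LoadLibrary/GetProcAddress present)")
```

The tags are a starting point for dynamic analysis, not a verdict: a sample that imports only the two loader functions looks harmless in this table and still has the whole Win32 API available to it at run time, and the mgifragd.exe .xcode section noted earlier is the kind of place such late-resolved calls tend to live.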
Embedded Resources
wkjdctce.exe:     file format pei-i386

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .text         00005e36  00401000  00401000  00001000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .data         00006000  00407000  00407000  00007000  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  2 .rsrc         00001810  0040f000  0040f000  0000d000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
xpneklio.exe
(MS-DOS executable PE for MS Windows (GUI) Intel 80386)
Private Headers
BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: xpneklio.exe: File format not recognized
Embedded Resources
BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: xpneklio.exe: File format not recognized
xvoidaio.exe
(MS-DOS executable PE for MS Windows (GUI) Intel 80386)
Private Headers
BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: xvoidaio.exe: File format not recognized
Embedded Resources
BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: xvoidaio.exe: File format not recognized