Difference between revisions of "Analysis:20130911-malware"
(Created page with "Analysis by ~~~~ ==File Overview== <nowiki> [+] mgifragd.exe > [TYPE] MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit > [MIME] application/x-dosexec > [M...") |
|||
| Line 42: | Line 42: | ||
> [MIME] application/x-dosexec | > [MIME] application/x-dosexec | ||
> [MD5 ] 595257b15af9ef944aa6aee850088fd0 | > [MD5 ] 595257b15af9ef944aa6aee850088fd0 | ||
| + | </nowiki> | ||
| + | |||
| + | ==File Disassembly== | ||
| + | ===mgifragd.exe=== | ||
| + | ''(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)'' | ||
| + | ====Private Headers==== | ||
| + | <nowiki> | ||
| + | |||
| + | mgifragd.exe: file format pei-i386 | ||
| + | |||
| + | Characteristics 0x10f | ||
| + | relocations stripped | ||
| + | executable | ||
| + | line numbers stripped | ||
| + | symbols stripped | ||
| + | 32 bit words | ||
| + | |||
| + | Time/Date Wed Sep 11 03:00:09 2013 | ||
| + | Magic 010b (PE32) | ||
| + | MajorLinkerVersion 7 | ||
| + | MinorLinkerVersion 0 | ||
| + | SizeOfCode 00012000 | ||
| + | SizeOfInitializedData 00082000 | ||
| + | SizeOfUninitializedData 00000000 | ||
| + | AddressOfEntryPoint 00009795 | ||
| + | BaseOfCode 00001000 | ||
| + | BaseOfData 00013000 | ||
| + | ImageBase 00400000 | ||
| + | SectionAlignment 00001000 | ||
| + | FileAlignment 00001000 | ||
| + | MajorOSystemVersion 4 | ||
| + | MinorOSystemVersion 0 | ||
| + | MajorImageVersion 0 | ||
| + | MinorImageVersion 0 | ||
| + | MajorSubsystemVersion 4 | ||
| + | MinorSubsystemVersion 0 | ||
| + | Win32Version 00000000 | ||
| + | SizeOfImage 00106000 | ||
| + | SizeOfHeaders 00001000 | ||
| + | CheckSum 00000000 | ||
| + | Subsystem 00000002 (Windows GUI) | ||
| + | DllCharacteristics 00000000 | ||
| + | SizeOfStackReserve 00100000 | ||
| + | SizeOfStackCommit 00001000 | ||
| + | SizeOfHeapReserve 00100000 | ||
| + | SizeOfHeapCommit 00001000 | ||
| + | LoaderFlags 00000000 | ||
| + | NumberOfRvaAndSizes 00000010 | ||
| + | |||
| + | The Data Directory | ||
| + | Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)] | ||
| + | Entry 1 0001474c 000000a0 Import Directory [parts of .idata] | ||
| + | Entry 2 00102000 000031d2 Resource Directory [.rsrc] | ||
| + | Entry 3 00000000 00000000 Exception Directory [.pdata] | ||
| + | Entry 4 00000000 00000000 Security Directory | ||
| + | Entry 5 00000000 00000000 Base Relocation Directory [.reloc] | ||
| + | Entry 6 00000000 00000000 Debug Directory | ||
| + | Entry 7 00000000 00000000 Description Directory | ||
| + | Entry 8 00000000 00000000 Special Directory | ||
| + | Entry 9 00000000 00000000 Thread Storage Directory [.tls] | ||
| + | Entry a 00000000 00000000 Load Configuration Directory | ||
| + | Entry b 00000000 00000000 Bound Import Directory | ||
| + | Entry c 00013000 00000138 Import Address Table Directory | ||
| + | Entry d 00000000 00000000 Delay Import Directory | ||
| + | Entry e 00000000 00000000 CLR Runtime Header | ||
| + | Entry f 00000000 00000000 Reserved | ||
| + | |||
| + | There is an import table in .rdata at 0x41474c | ||
| + | |||
| + | The Import Tables (interpreted .rdata section contents) | ||
| + | vma: Hint Time Forward DLL First | ||
| + | Table Stamp Chain Name Thunk | ||
| + | 0001474c 00014800 00000000 00000000 000149d2 00013014 | ||
| + | |||
| + | DLL Name: KERNEL32.dll | ||
| + | vma: Hint/Ord Member-Name Bound-To | ||
| + | 1496a 811 SuspendThread | ||
| + | 1497a 656 ReadFile | ||
| + | 14986 792 SetThreadPriority | ||
| + | 1499a 393 GetProcAddress | ||
| + | 149ac 853 VirtualAlloc | ||
| + | 1495e 886 WriteFile | ||
| + | 14df6 44 CloseHandle | ||
| + | 1492c 446 GetTickCount | ||
| + | 14dda 689 RtlUnwind | ||
| + | 14dce 507 HeapSize | ||
| + | 14dbe 545 LCMapStringW | ||
| + | 14950 120 DeleteFileA | ||
| + | 149bc 869 WaitForSingleObject | ||
| + | 1493c 359 GetModuleHandleA | ||
| + | 14dae 544 LCMapStringA | ||
| + | 14d9c 643 RaiseException | ||
| + | 14d8a 418 GetStringTypeW | ||
| + | 14d78 415 GetStringTypeA | ||
| + | 14d5e 428 GetSystemTimeAsFileTime | ||
| + | 14d48 304 GetCurrentProcessId | ||
| + | 14de6 780 SetStdHandle | ||
| + | 14924 809 Sleep | ||
| + | 14d32 306 GetCurrentThreadId | ||
| + | 14d18 638 QueryPerformanceCounter | ||
| + | 14d06 753 SetFilePointer | ||
| + | 14ad0 412 GetStartupInfoA | ||
| + | 14ae2 253 GetCommandLineA | ||
| + | 14af4 456 GetVersionExA | ||
| + | 14b04 501 HeapFree | ||
| + | 14b10 171 ExitProcess | ||
| + | 14b1e 817 TerminateProcess | ||
| + | 14b32 303 GetCurrentProcess | ||
| + | 14b46 414 GetStdHandle | ||
| + | 14b56 357 GetModuleFileNameA | ||
| + | 14b6c 834 UnhandledExceptionFilter | ||
| + | 14b88 227 FreeEnvironmentStringsA | ||
| + | 14ba2 319 GetEnvironmentStrings | ||
| + | 14bba 228 FreeEnvironmentStringsW | ||
| + | 14bd4 873 WideCharToMultiByte | ||
| + | 14bea 346 GetLastError | ||
| + | 14bfa 321 GetEnvironmentStringsW | ||
| + | 14c14 762 SetHandleCount | ||
| + | 14c26 336 GetFileType | ||
| + | 14c34 499 HeapDestroy | ||
| + | 14c42 497 HeapCreate | ||
| + | 14c50 856 VirtualFree | ||
| + | 14c5e 495 HeapAlloc | ||
| + | 14c6a 505 HeapReAlloc | ||
| + | 14c78 593 MultiByteToWideChar | ||
| + | 14c8e 859 VirtualProtect | ||
| + | 14ca0 424 GetSystemInfo | ||
| + | 14cb0 861 VirtualQuery | ||
| + | 14cc0 558 LoadLibraryA | ||
| + | 14cd0 235 GetACP | ||
| + | 14cda 380 GetOEMCP | ||
| + | 14ce6 241 GetCPInfo | ||
| + | 14cf2 219 FlushFileBuffers | ||
| + | 14e04 349 GetLocaleInfoA | ||
| + | |||
| + | 00014760 000148ec 00000000 00000000 00014a18 00013100 | ||
| + | |||
| + | DLL Name: USER32.dll | ||
| + | vma: Hint/Ord Member-Name Bound-To | ||
| + | 149e0 268 GetDC | ||
| + | 149e8 270 GetDesktopWindow | ||
| + | 14a0a 445 LoadImageA | ||
| + | 149fc 439 LoadCursorA | ||
| + | |||
| + | 00014774 000147f4 00000000 00000000 00014a40 00013008 | ||
| + | |||
| + | DLL Name: GDI32.dll | ||
| + | vma: Hint/Ord Member-Name Bound-To | ||
| + | 14a24 71 CreatePen | ||
| + | 14a30 524 SelectObject | ||
| + | |||
| + | 00014788 0001490c 00000000 00000000 00014a4a 00013120 | ||
| + | |||
| + | DLL Name: WS2_32.dll | ||
| + | vma: Hint/Ord Member-Name Bound-To | ||
| + | 80000003 3 <none> | ||
| + | 80000012 18 <none> | ||
| + | |||
| + | 0001479c 00014900 00000000 00000000 00014a78 00013114 | ||
| + | |||
| + | DLL Name: WINMM.dll | ||
| + | vma: Hint/Ord Member-Name Bound-To | ||
| + | 14a66 62 mciSendCommandA | ||
| + | 14a56 26 auxSetVolume | ||
| + | |||
| + | 000147b0 000147ec 00000000 00000000 00014a96 00013000 | ||
| + | |||
| + | DLL Name: AVIFIL32.dll | ||
| + | vma: Hint/Ord Member-Name Bound-To | ||
| + | 14a82 3 AVIClearClipboard | ||
| + | |||
| + | 000147c4 00014918 00000000 00000000 00014ac2 0001312c | ||
| + | |||
| + | DLL Name: WinSCard.dll | ||
| + | vma: Hint/Ord Member-Name Bound-To | ||
| + | 14ab4 6 SCardCancel | ||
| + | 14aa4 7 SCardConnectA | ||
| + | |||
| + | 000147d8 00000000 00000000 00000000 00000000 00000000 | ||
| + | |||
| + | </nowiki> | ||
| + | ====Embedded Resources==== | ||
| + | <nowiki> | ||
| + | |||
| + | mgifragd.exe: file format pei-i386 | ||
| + | |||
| + | Sections: | ||
| + | Idx Name Size VMA LMA File off Algn | ||
| + | 0 .text 00011eea 00401000 00401000 00001000 2**2 | ||
| + | CONTENTS, ALLOC, LOAD, READONLY, CODE | ||
| + | 1 .rdata 00001e16 00413000 00413000 00013000 2**2 | ||
| + | CONTENTS, ALLOC, LOAD, READONLY, DATA | ||
| + | 2 .data 00002000 00415000 00415000 00015000 2**2 | ||
| + | CONTENTS, ALLOC, LOAD, DATA | ||
| + | 3 .xcode 0007a000 00418000 00418000 00017000 2**2 | ||
| + | CONTENTS, ALLOC, LOAD, DATA | ||
| + | 4 .rsrc 000031d2 00502000 00502000 00091000 2**2 | ||
| + | CONTENTS, ALLOC, LOAD, READONLY, DATA | ||
| + | </nowiki> | ||
| + | ===rksmkjjl.exe=== | ||
| + | ''(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)'' | ||
| + | ====Private Headers==== | ||
| + | <nowiki> | ||
| + | |||
| + | rksmkjjl.exe: file format pei-i386 | ||
| + | |||
| + | Characteristics 0x10f | ||
| + | relocations stripped | ||
| + | executable | ||
| + | line numbers stripped | ||
| + | symbols stripped | ||
| + | 32 bit words | ||
| + | |||
| + | Time/Date Wed Jun 16 00:28:57 2010 | ||
| + | Magic 010b (PE32) | ||
| + | MajorLinkerVersion 6 | ||
| + | MinorLinkerVersion 0 | ||
| + | SizeOfCode 00032a00 | ||
| + | SizeOfInitializedData 00006a00 | ||
| + | SizeOfUninitializedData 00000000 | ||
| + | AddressOfEntryPoint 000068d0 | ||
| + | BaseOfCode 00001000 | ||
| + | BaseOfData 00034000 | ||
| + | ImageBase 00400000 | ||
| + | SectionAlignment 00001000 | ||
| + | FileAlignment 00000200 | ||
| + | MajorOSystemVersion 4 | ||
| + | MinorOSystemVersion 0 | ||
| + | MajorImageVersion 0 | ||
| + | MinorImageVersion 0 | ||
| + | MajorSubsystemVersion 4 | ||
| + | MinorSubsystemVersion 0 | ||
| + | Win32Version 00000000 | ||
| + | SizeOfImage 0003c000 | ||
| + | SizeOfHeaders 00000400 | ||
| + | CheckSum 00041a40 | ||
| + | Subsystem 00000002 (Windows GUI) | ||
| + | DllCharacteristics 00000000 | ||
| + | SizeOfStackReserve 00100000 | ||
| + | SizeOfStackCommit 00001000 | ||
| + | SizeOfHeapReserve 00100000 | ||
| + | SizeOfHeapCommit 00001000 | ||
| + | LoaderFlags 00000000 | ||
| + | NumberOfRvaAndSizes 00000010 | ||
| + | |||
| + | The Data Directory | ||
| + | Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)] | ||
| + | Entry 1 00034cd0 0000008c Import Directory [parts of .idata] | ||
| + | Entry 2 0003b000 00000530 Resource Directory [.rsrc] | ||
| + | Entry 3 00000000 00000000 Exception Directory [.pdata] | ||
| + | Entry 4 00000000 00000000 Security Directory | ||
| + | Entry 5 00000000 00000000 Base Relocation Directory [.reloc] | ||
| + | Entry 6 00000000 00000000 Debug Directory | ||
| + | Entry 7 00000000 00000000 Description Directory | ||
| + | Entry 8 00000000 00000000 Special Directory | ||
| + | Entry 9 00000000 00000000 Thread Storage Directory [.tls] | ||
| + | Entry a 00000000 00000000 Load Configuration Directory | ||
| + | Entry b 00000000 00000000 Bound Import Directory | ||
| + | Entry c 00034000 0000041c Import Address Table Directory | ||
| + | Entry d 00000000 00000000 Delay Import Directory | ||
| + | Entry e 00000000 00000000 CLR Runtime Header | ||
| + | Entry f 00000000 00000000 Reserved | ||
| + | |||
| + | There is an import table in .rdata at 0x434cd0 | ||
| + | |||
| + | The Import Tables (interpreted .rdata section contents) | ||
| + | vma: Hint Time Forward DLL First | ||
| + | Table Stamp Chain Name Thunk | ||
| + | 00034cd0 0003515c 00000000 00000000 000351b8 00034400 | ||
| + | |||
| + | DLL Name: WINMM.dll | ||
| + | vma: Hint/Ord Member-Name Bound-To | ||
| + | 35184 132 mmioAdvance | ||
| + | 351a6 190 waveOutGetPitch | ||
| + | 35178 124 mixerOpen | ||
| + | 35192 162 timeGetSystemTime | ||
| + | |||
| + | 00034ce4 00034ff8 00000000 00000000 0003576c 0003429c | ||
| + | |||
| + | DLL Name: USER32.dll | ||
| + | vma: Hint/Ord Member-Name Bound-To | ||
| + | 354a4 366 GetWindowLongA | ||
| + | 353fe 311 GetMenuState | ||
| + | 353ee 307 GetMenuItemID | ||
| + | 356d0 658 ShowWindow | ||
| + | 35688 640 SetWindowLongA | ||
| + | 355ce 515 PostQuitMessage | ||
| + | 35224 74 CopyRect | ||
| + | 3563e 579 SetActiveWindow | ||
| + | 35514 417 IsDialogMessageA | ||
| + | 35558 439 LoadBitmapA | ||
| + | 3567c 618 SetPropA | ||
| + | 35498 362 GetWindow | ||
| + | 352be 198 EndDialog | ||
| + | 35666 609 SetMenuItemBitmaps | ||
| + | 355ae 511 PeekMessageA | ||
| + | 3538e 289 GetKeyState | ||
| + | 3570a 686 UnhookWindowsHookEx | ||
| + | 35444 345 GetSubMenu | ||
| + | 351e2 27 CallWindowProcA | ||
| + | 35650 599 SetForegroundWindow | ||
| + | 353da 306 GetMenuItemCount | ||
| + | 3534e 272 GetDlgCtrlID | ||
| + | 354b6 371 GetWindowPlacement | ||
| + | 35534 430 IsWindowEnabled | ||
| + | 35460 347 GetSysColorBrush | ||
| + | 353bc 302 GetMenuCheckMarkDimensions | ||
| + | 35488 355 GetTopWindow | ||
| + | 35618 566 SendDlgItemMessageA | ||
| + | 35528 429 IsWindow | ||
| + | 352d6 225 ExitWindowsEx | ||
| + | 354cc 372 GetWindowRect | ||
| + | 35734 699 UpdateWindow | ||
| + | 35290 182 DrawIcon | ||
| + | 352ca 200 EndPaint | ||
| + | 355e0 523 PtInRect | ||
| + | 3569a 643 SetWindowPos | ||
| + | 35506 381 GrayStringA | ||
| + | 3540e 314 GetMessageA | ||
| + | 354ee 376 GetWindowTextLengthA | ||
| + | 355a0 478 MessageBoxA | ||
| + | 351d0 26 CallNextHookEx | ||
| + | 354dc 375 GetWindowTextA | ||
| + | 35580 458 LoadStringA | ||
| + | 3541c 316 GetMessagePos | ||
| + | 351f4 52 CharUpperA | ||
| + | 352e6 235 GetActiveWindow | ||
| + | 35754 720 WinHelpA | ||
| + | 35720 691 UnregisterClassA | ||
| + | 355ec 534 RegisterClassA | ||
| + | 356aa 646 SetWindowTextA | ||
| + | 3529c 194 EnableMenuItem | ||
| + | 356de 665 SystemParametersInfoA | ||
| + | 355fe 554 ReleaseDC | ||
| + | 35272 151 DestroyMenu | ||
| + | 3536c 278 GetFocus | ||
| + | 353b2 300 GetMenu | ||
| + | 35378 279 GetForegroundWindow | ||
| + | 35760 726 wsprintfA | ||
| + | 35230 82 CreateDialogIndirectParamA | ||
| + | 3539c 296 GetLastActivePopup | ||
| + | 35202 57 CheckMenuItem | ||
| + | 352f8 243 GetCapture | ||
| + | 355be 513 PostMessageA | ||
| + | 356f6 682 TranslateMessage | ||
| + | 35566 441 LoadCursorA | ||
| + | 3558e 473 MapWindowPoints | ||
| + | 351c2 13 BeginPaint | ||
| + | 35306 246 GetClassInfoA | ||
| + | 3562e 571 SendMessageA | ||
| + | 352ae 196 EnableWindow | ||
| + | 35212 64 ClientToScreen | ||
| + | 35438 330 GetPropA | ||
| + | 35336 267 GetCursorPos | ||
| + | 35316 252 GetClassNameA | ||
| + | 356bc 650 SetWindowsHookExA | ||
| + | 35474 349 GetSystemMetrics | ||
| + | 35452 346 GetSysColor | ||
| + | 35326 255 GetClientRect | ||
| + | 3535e 273 GetDlgItem | ||
| + | 35280 153 DestroyWindow | ||
| + | 35574 445 LoadIconA | ||
| + | 3542c 325 GetParent | ||
| + | 35546 433 IsWindowVisible | ||
| + | 3560a 556 RemovePropA | ||
| + | 35346 268 GetDC | ||
| + | 35260 142 DefWindowProcA | ||
| + | 35744 707 ValidateRect | ||
| + | 3524e 96 CreateWindowExA | ||
| + | |||
| + | 00034cf8 00034d9c 00000000 00000000 0003587a 00034040 | ||
| + | |||
| + | DLL Name: GDI32.dll | ||
| + | vma: Hint/Ord Member-Name Bound-To | ||
| + | 3581a 519 SaveDC | ||
| + | 357d8 352 GetClipBox | ||
| + | 35802 512 RestoreDC | ||
| + | 3586e 590 TextOutA | ||
| + | 3583a 555 SetMapMode | ||
| + | 357ba 143 DeleteObject | ||
| + | 357ca 221 ExtTextOutA | ||
| + | 357e6 363 GetDeviceCaps | ||
| + | 357f6 419 GetRelAbs | ||
| + | 357ae 140 DeleteDC | ||
| + | 3585c 578 SetWindowExtEx | ||
| + | 35824 520 ScaleViewportExtEx | ||
| + | 3580e 513 RoundRect | ||
| + | 35788 51 CreateDIBitmap | ||
| + | 3579a 53 CreateEllipticRgn | ||
| + | 35848 574 SetViewportExtEx | ||
| + | 35778 39 CreateBitmap | ||
| + | |||
| + | 00034d0c 00034de4 00000000 00000000 000361be 00034088 | ||
| + | |||
| + | DLL Name: KERNEL32.dll | ||
| + | vma: Hint/Ord Member-Name Bound-To | ||
| + | 35a86 317 GetCurrentThread | ||
| + | 3603c 810 SetStdHandle | ||
| + | 3591c 140 DuplicateHandle | ||
| + | 35c2a 464 GetThreadLocale | ||
| + | 35bf0 434 GetStringTypeA | ||
| + | 35884 25 Beep | ||
| + | 360d2 854 TlsGetValue | ||
| + | 35fc8 774 SetEnvironmentVariableA | ||
| + | 35cea 500 GlobalFlags | ||
| + | 361a6 953 lstrcpynA | ||
| + | 359b4 218 FindResourceA | ||
| + | 35dfa 550 IsBadCodePtr | ||
| + | 35a5a 312 GetCurrentDirectoryA | ||
| + | 35d98 537 InitializeCriticalSection | ||
| + | 35ac0 334 GetEnvironmentStringsA | ||
| + | 359f0 237 FreeEnvironmentStringsA | ||
| + | 35eea 600 LocalUnlock | ||
| + | 35f04 603 LockResource | ||
| + | 35a48 264 GetCommandLineA | ||
| + | 35e4e 570 LCMapStringA | ||
| + | 361b2 956 lstrlenA | ||
| + | 36182 944 lstrcmpA | ||
| + | 35c8c 489 GetWindowsDirectoryA | ||
| + | 35b0e 342 GetFileAttributesA | ||
| + | 358ac 52 CompareStringA | ||
| + | 35b9c 395 GetOEMCP | ||
| + | 35e5e 571 LCMapStringW | ||
| + | 3596e 188 FileTimeToSystemTime | ||
| + | 35b4e 353 GetFullPathNameA | ||
| + | 35e2a 559 IsDebuggerPresent | ||
| + | 3602c 795 SetLastError | ||
| + | 3607a 839 Sleep | ||
| + | 360ee 856 Toolhelp32ReadProcessMemory | ||
| + | 35a32 245 GetACP | ||
| + | 35b88 375 GetModuleHandleA | ||
| + | 35986 197 FindClose | ||
| + | 359c4 229 FlushFileBuffers | ||
| + | 35cf8 501 GlobalFree | ||
| + | 35d56 520 HeapCreate | ||
| + | 35c3c 472 GetTimeZoneInformation | ||
| + | 35be0 433 GetStdHandle | ||
| + | 35e6e 583 LeaveCriticalSection | ||
| + | 35d4a 518 HeapAlloc | ||
| + | 35dca 542 InterlockedDecrement | ||
| + | 35d7e 528 HeapReAlloc | ||
| + | 3618e 947 lstrcmpiA | ||
| + | 35eb4 592 LocalFileTimeToFileTime | ||
| + | 360e0 855 TlsSetValue | ||
| + | 35c56 478 GetVersion | ||
| + | 35eda 597 LocalReAlloc | ||
| + | 35d2c 505 GlobalLock | ||
| + | 3604c 812 SetSystemTime | ||
| + | 35af4 336 GetEnvironmentVariableA | ||
| + | 35b72 373 GetModuleFileNameA | ||
| + | 358d0 77 CreateFileA | ||
| + | 36082 844 SystemTimeToFileTime | ||
| + | 3592e 143 EnterCriticalSection | ||
| + | 35f34 667 RaiseException | ||
| + | 360c8 853 TlsFree | ||
| + | 35f6e 739 SetConsoleCursorInfo | ||
| + | 35d3a 512 GlobalUnlock | ||
| + | 35946 175 ExitProcess | ||
| + | 35a72 314 GetCurrentProcess | ||
| + | 358be 53 CompareStringW | ||
| + | 36154 903 WideCharToMultiByte | ||
| + | 35fe2 776 SetErrorMode | ||
| + | 3589e 46 CloseHandle | ||
| + | 35e3e 567 IsValidLocale | ||
| + | 35e86 584 LoadLibraryA | ||
| + | 3609a 845 SystemTimeToTzSpecificLocalTime | ||
| + | 35b24 347 GetFileSize | ||
| + | 3588c 44 ClearCommError | ||
| + | 35954 187 FileTimeToLocalFileTime | ||
| + | 35f62 714 RtlUnwind | ||
| + | 35c64 479 GetVersionExA | ||
| + | 3605c 827 SetUnhandledExceptionFilter | ||
| + | 35a3c 252 GetCPInfo | ||
| + | 35d72 524 HeapFree | ||
| + | 35c14 441 GetSystemDirectoryA | ||
| + | 35ab0 331 GetDriveTypeA | ||
| + | 35d8c 530 HeapSize | ||
| + | 35992 201 FindFirstFileA | ||
| + | 35f14 618 MulDiv | ||
| + | 35d64 522 HeapDestroy | ||
| + | 35b40 350 GetFileType | ||
| + | 35f46 681 ReadFile | ||
| + | 35e96 589 LoadResource | ||
| + | 35de2 546 InterlockedIncrement | ||
| + | 35904 136 DosDateTimeToFileTime | ||
| + | 36176 941 lstrcatA | ||
| + | 35db4 539 InitializeSListHead | ||
| + | 359a4 211 FindNextFileA | ||
| + | 35fb8 771 SetEndOfFile | ||
| + | 35e1a 556 IsBadWritePtr | ||
| + | 36008 782 SetFilePointer | ||
| + | 35d06 502 GlobalGetAtomNameA | ||
| + | 35ba8 408 GetProcAddress | ||
| + | 3616a 916 WriteFile | ||
| + | 35ea6 590 LocalAlloc | ||
| + | 35f52 693 ReleaseActCtx | ||
| + | 36136 883 VirtualAlloc | ||
| + | 35ada 335 GetEnvironmentStringsW | ||
| + | 35f86 760 SetConsoleTextAttribute | ||
| + | 35a9a 318 GetCurrentThreadId | ||
| + | 35ece 594 LocalFree | ||
| + | 35c02 437 GetStringTypeW | ||
| + | 35e0a 553 IsBadReadPtr | ||
| + | 35fa0 765 SetCurrentDirectoryA | ||
| + | 35bce 431 GetStartupInfoA | ||
| + | 35d1c 504 GlobalHandle | ||
| + | 35cd8 497 GlobalFindAtomA | ||
| + | 35ca4 492 GlobalAddAtomA | ||
| + | 358de 122 DeleteCriticalSection | ||
| + | 35b62 361 GetLastError | ||
| + | 35bba 419 GetProcessVersion | ||
| + | 358f6 124 DeleteFileA | ||
| + | 35a0a 238 FreeEnvironmentStringsW | ||
| + | 3601a 791 SetHandleCount | ||
| + | 3619a 950 lstrcpyA | ||
| + | 35f1e 619 MultiByteToWideChar | ||
| + | 35a24 239 FreeLibrary | ||
| + | 36146 886 VirtualFree | ||
| + | 360bc 852 TlsAlloc | ||
| + | 35b32 349 GetFileTime | ||
| + | 3610c 864 UnhandledExceptionFilter | ||
| + | 359d8 230 FlushInstructionCache | ||
| + | 35ef8 601 LockFile | ||
| + | 36128 865 UnlockFile | ||
| + | 35cc4 496 GlobalDeleteAtom | ||
| + | 35c74 481 GetVolumeInformationA | ||
| + | 35ff2 780 SetFileAttributesA | ||
| + | 35cb6 494 GlobalAlloc | ||
| + | |||
| + | 00034d20 00035170 00000000 00000000 000361dc 00034414 | ||
| + | |||
| + | DLL Name: comdlg32.dll | ||
| + | vma: Hint/Ord Member-Name Bound-To | ||
| + | 361cc 7 GetFileTitleA | ||
| + | |||
| + | 00034d34 00034d5c 00000000 00000000 00036330 00034000 | ||
| + | |||
| + | DLL Name: ADVAPI32.dll | ||
| + | vma: Hint/Ord Member-Name Bound-To | ||
| + | 362a8 457 RegCloseKey | ||
| + | 362b6 461 RegCreateKeyExA | ||
| + | 36202 26 AddUsersToEncryptedFile | ||
| + | 36246 350 LsaEnumeratePrivileges | ||
| + | 3631c 597 SystemFunction016 | ||
| + | 36260 360 LsaICLookupNamesWithCreds | ||
| + | 36296 431 OpenThreadToken | ||
| + | 362c8 466 RegDeleteValueA | ||
| + | 362ea 505 RegSetValueExA | ||
| + | 362da 482 RegOpenKeyExA | ||
| + | 3627c 404 MSChapSrvChangePassword | ||
| + | 361ea 20 AddAccessDeniedAceEx | ||
| + | 36230 320 LockServiceDatabase | ||
| + | 362fc 558 SetSecurityDescriptorControl | ||
| + | 3621c 229 GetAclInformation | ||
| + | |||
| + | 00034d48 00000000 00000000 00000000 00000000 00000000 | ||
| + | |||
| + | </nowiki> | ||
| + | ====Embedded Resources==== | ||
| + | <nowiki> | ||
| + | |||
| + | rksmkjjl.exe: file format pei-i386 | ||
| + | |||
| + | Sections: | ||
| + | Idx Name Size VMA LMA File off Algn | ||
| + | 0 .text 000329fb 00401000 00401000 00000400 2**2 | ||
| + | CONTENTS, ALLOC, LOAD, READONLY, CODE | ||
| + | 1 .rdata 0000237b 00434000 00434000 00032e00 2**2 | ||
| + | CONTENTS, ALLOC, LOAD, READONLY, DATA | ||
| + | 2 .data 00004000 00437000 00437000 00035200 2**2 | ||
| + | CONTENTS, ALLOC, LOAD, DATA | ||
| + | 3 .rsrc 00000530 0043b000 0043b000 00039200 2**2 | ||
| + | CONTENTS, ALLOC, LOAD, READONLY, DATA | ||
| + | </nowiki> | ||
| + | ===sggmfdxd.exe=== | ||
| + | ''(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)'' | ||
| + | ====Private Headers==== | ||
| + | <nowiki> | ||
| + | BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | objdump: sggmfdxd.exe: File format not recognized | ||
| + | </nowiki> | ||
| + | ====Embedded Resources==== | ||
| + | <nowiki> | ||
| + | BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | objdump: sggmfdxd.exe: File format not recognized | ||
| + | </nowiki> | ||
| + | ===sgipopnq.exe=== | ||
| + | ''(MS-DOS executable PE for MS Windows (GUI) Intel 80386)'' | ||
| + | ====Private Headers==== | ||
| + | <nowiki> | ||
| + | BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | objdump: sgipopnq.exe: File format not recognized | ||
| + | </nowiki> | ||
| + | ====Embedded Resources==== | ||
| + | <nowiki> | ||
| + | BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | objdump: sgipopnq.exe: File format not recognized | ||
| + | </nowiki> | ||
| + | ===tgdtrhmg.exe=== | ||
| + | ''(MS-DOS executable PE for MS Windows (GUI) Intel 80386)'' | ||
| + | ====Private Headers==== | ||
| + | <nowiki> | ||
| + | BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | objdump: tgdtrhmg.exe: File format not recognized | ||
| + | </nowiki> | ||
| + | ====Embedded Resources==== | ||
| + | <nowiki> | ||
| + | BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | objdump: tgdtrhmg.exe: File format not recognized | ||
| + | </nowiki> | ||
| + | ===wkjdctce.exe=== | ||
| + | ''(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)'' | ||
| + | ====Private Headers==== | ||
| + | <nowiki> | ||
| + | |||
| + | wkjdctce.exe: file format pei-i386 | ||
| + | |||
| + | Characteristics 0x10f | ||
| + | relocations stripped | ||
| + | executable | ||
| + | line numbers stripped | ||
| + | symbols stripped | ||
| + | 32 bit words | ||
| + | |||
| + | Time/Date Tue Sep 10 16:24:00 2013 | ||
| + | Magic 010b (PE32) | ||
| + | MajorLinkerVersion 7 | ||
| + | MinorLinkerVersion 10 | ||
| + | SizeOfCode 00006000 | ||
| + | SizeOfInitializedData 0000a000 | ||
| + | SizeOfUninitializedData 00000000 | ||
| + | AddressOfEntryPoint 00003164 | ||
| + | BaseOfCode 00001000 | ||
| + | BaseOfData 00007000 | ||
| + | ImageBase 00400000 | ||
| + | SectionAlignment 00001000 | ||
| + | FileAlignment 00001000 | ||
| + | MajorOSystemVersion 4 | ||
| + | MinorOSystemVersion 0 | ||
| + | MajorImageVersion 0 | ||
| + | MinorImageVersion 0 | ||
| + | MajorSubsystemVersion 4 | ||
| + | MinorSubsystemVersion 0 | ||
| + | Win32Version 00000000 | ||
| + | SizeOfImage 00011000 | ||
| + | SizeOfHeaders 00001000 | ||
| + | CheckSum 00000000 | ||
| + | Subsystem 00000002 (Windows GUI) | ||
| + | DllCharacteristics 00000000 | ||
| + | SizeOfStackReserve 00100000 | ||
| + | SizeOfStackCommit 00001000 | ||
| + | SizeOfHeapReserve 00100000 | ||
| + | SizeOfHeapCommit 00001000 | ||
| + | LoaderFlags 00000000 | ||
| + | NumberOfRvaAndSizes 00000010 | ||
| + | |||
| + | The Data Directory | ||
| + | Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)] | ||
| + | Entry 1 00006788 0000003c Import Directory [parts of .idata] | ||
| + | Entry 2 0000f000 00001810 Resource Directory [.rsrc] | ||
| + | Entry 3 00000000 00000000 Exception Directory [.pdata] | ||
| + | Entry 4 00000000 00000000 Security Directory | ||
| + | Entry 5 00000000 00000000 Base Relocation Directory [.reloc] | ||
| + | Entry 6 00000000 00000000 Debug Directory | ||
| + | Entry 7 00000000 00000000 Description Directory | ||
| + | Entry 8 00000000 00000000 Special Directory | ||
| + | Entry 9 00000000 00000000 Thread Storage Directory [.tls] | ||
| + | Entry a 00000000 00000000 Load Configuration Directory | ||
| + | Entry b 00000000 00000000 Bound Import Directory | ||
| + | Entry c 00001000 00000130 Import Address Table Directory | ||
| + | Entry d 00000000 00000000 Delay Import Directory | ||
| + | Entry e 00000000 00000000 CLR Runtime Header | ||
| + | Entry f 00000000 00000000 Reserved | ||
| + | |||
| + | There is an import table in .text at 0x406788 | ||
| + | |||
| + | The Import Tables (interpreted .text section contents) | ||
| + | vma: Hint Time Forward DLL First | ||
| + | Table Stamp Chain Name Thunk | ||
| + | 00006788 000068ec 00000000 00000000 000068f4 00001128 | ||
| + | |||
| + | DLL Name: msi.dll | ||
| + | vma: Hint/Ord Member-Name Bound-To | ||
| + | 80000047 71 <none> | ||
| + | |||
| + | 0000679c 000067c4 00000000 00000000 00006c04 00001000 | ||
| + | |||
| + | DLL Name: KERNEL32.dll | ||
| + | vma: Hint/Ord Member-Name Bound-To | ||
| + | 6bb2 332 GetPriorityClass | ||
| + | 6e12 365 GetStringTypeA | ||
| + | 68fc 52 CreateEventA | ||
| + | 690c 394 GetTickCount | ||
| + | 691c 364 GetStdHandle | ||
| + | 692c 318 GetModuleHandleA | ||
| + | 6940 813 lstrcmpA | ||
| + | 694c 403 GetVersionExA | ||
| + | 695c 666 SetFilePointerEx | ||
| + | 6970 115 EnterCriticalSection | ||
| + | 6988 825 lstrlenA | ||
| + | 6994 94 DeleteCriticalSection | ||
| + | 69ac 518 MultiByteToWideChar | ||
| + | 69c2 200 FreeLibraryAndExitThread | ||
| + | 69de 319 GetModuleHandleW | ||
| + | 69f2 461 InterlockedExchange | ||
| + | 6a08 446 HeapFree | ||
| + | 6a14 56 CreateFileA | ||
| + | 6a22 459 InterlockedCompareExchange | ||
| + | 6a40 144 ExitProcess | ||
| + | 6a4e 684 SetStdHandle | ||
| + | 6a5e 577 ReadFile | ||
| + | 6a6a 199 FreeLibrary | ||
| + | 6a78 493 LocalFree | ||
| + | 6a84 458 InitializeCriticalSectionAndSpinCount | ||
| + | 6aac 474 IsDebuggerPresent | ||
| + | 6ac0 316 GetModuleFileNameA | ||
| + | 6ad6 773 WideCharToMultiByte | ||
| + | 6aec 483 LoadLibraryA | ||
| + | 6afc 287 GetEnvironmentStringsW | ||
| + | 6b16 404 GetVersionExW | ||
| + | 6b26 770 WaitForSingleObjectEx | ||
| + | 6b3e 672 SetLastError | ||
| + | 6b4e 786 WriteFile | ||
| + | 6b5a 769 WaitForSingleObject | ||
| + | 6b70 482 LeaveCriticalSection | ||
| + | 6b88 270 GetCurrentProcessId | ||
| + | 6b9e 78 CreateSemaphoreA | ||
| + | 6e24 368 GetStringTypeW | ||
| + | 6bc6 222 GetCommandLineA | ||
| + | 6bd8 285 GetEnvironmentStrings | ||
| + | 6bf0 271 GetCurrentThread | ||
| + | 6c12 362 GetStartupInfoA | ||
| + | 6c24 402 GetVersion | ||
| + | 6c32 719 TerminateProcess | ||
| + | 6c46 269 GetCurrentProcess | ||
| + | 6c5a 735 UnhandledExceptionFilter | ||
| + | 6c76 197 FreeEnvironmentStringsA | ||
| + | 6c90 198 FreeEnvironmentStringsW | ||
| + | 6caa 668 SetHandleCount | ||
| + | 6cbc 300 GetFileType | ||
| + | 6cca 272 GetCurrentThreadId | ||
| + | 6ce0 727 TlsSetValue | ||
| + | 6cee 724 TlsAlloc | ||
| + | 6cfa 725 TlsFree | ||
| + | 6d04 726 TlsGetValue | ||
| + | 6d12 305 GetLastError | ||
| + | 6d22 444 HeapDestroy | ||
| + | 6d30 442 HeapCreate | ||
| + | 6d3e 757 VirtualFree | ||
| + | 6d4c 603 RtlUnwind | ||
| + | 6d58 457 InitializeCriticalSection | ||
| + | 6d74 152 FatalAppExitA | ||
| + | 6d84 211 GetCPInfo | ||
| + | 6d90 205 GetACP | ||
| + | 6d9a 330 GetOEMCP | ||
| + | 6da6 440 HeapAlloc | ||
| + | 6db2 754 VirtualAlloc | ||
| + | 6dc2 449 HeapReAlloc | ||
| + | 6dd0 471 IsBadWritePtr | ||
| + | 6de0 343 GetProcAddress | ||
| + | 6df2 480 LCMapStringA | ||
| + | 6e02 481 LCMapStringW | ||
| + | |||
| + | 000067b0 00000000 00000000 00000000 00000000 00000000 | ||
| + | |||
| + | </nowiki> | ||
| + | ====Embedded Resources==== | ||
| + | <nowiki> | ||
| + | |||
| + | wkjdctce.exe: file format pei-i386 | ||
| + | |||
| + | Sections: | ||
| + | Idx Name Size VMA LMA File off Algn | ||
| + | 0 .text 00005e36 00401000 00401000 00001000 2**2 | ||
| + | CONTENTS, ALLOC, LOAD, READONLY, CODE | ||
| + | 1 .data 00006000 00407000 00407000 00007000 2**2 | ||
| + | CONTENTS, ALLOC, LOAD, DATA | ||
| + | 2 .rsrc 00001810 0040f000 0040f000 0000d000 2**2 | ||
| + | CONTENTS, ALLOC, LOAD, READONLY, DATA | ||
| + | </nowiki> | ||
| + | ===xpneklio.exe=== | ||
| + | ''(MS-DOS executable PE for MS Windows (GUI) Intel 80386)'' | ||
| + | ====Private Headers==== | ||
| + | <nowiki> | ||
| + | BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | objdump: xpneklio.exe: File format not recognized | ||
| + | </nowiki> | ||
| + | ====Embedded Resources==== | ||
| + | <nowiki> | ||
| + | BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | objdump: xpneklio.exe: File format not recognized | ||
| + | </nowiki> | ||
| + | ===xvoidaio.exe=== | ||
| + | ''(MS-DOS executable PE for MS Windows (GUI) Intel 80386)'' | ||
| + | ====Private Headers==== | ||
| + | <nowiki> | ||
| + | BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | objdump: xvoidaio.exe: File format not recognized | ||
| + | </nowiki> | ||
| + | ====Embedded Resources==== | ||
| + | <nowiki> | ||
| + | BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored | ||
| + | objdump: xvoidaio.exe: File format not recognized | ||
</nowiki> | </nowiki> | ||
Latest revision as of 23:09, 29 September 2013
Analysis by Kradorex Xeron (talk) 22:57, 29 September 2013 (EDT)
Contents
File Overview
[+] mgifragd.exe > [TYPE] MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit > [MIME] application/x-dosexec > [MD5 ] 9b5da0df71b3ac50a836672793c29f1d [+] rksmkjjl.exe > [TYPE] MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit > [MIME] application/x-dosexec > [MD5 ] 3debe84b92cc387bcbfc3034793a8dc6 [+] sggmfdxd.exe > [TYPE] MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit > [MIME] application/x-dosexec > [MD5 ] 6faecc658746004333fa946c53d3424e [+] sgipopnq.exe > [TYPE] MS-DOS executable PE for MS Windows (GUI) Intel 80386 > [MIME] application/x-dosexec > [MD5 ] 4cf7869df6f7a65d3b33e82795f5eebf [+] tgdtrhmg.exe > [TYPE] MS-DOS executable PE for MS Windows (GUI) Intel 80386 > [MIME] application/x-dosexec > [MD5 ] 1a411d28f17298c43f2072596a44ef01 [+] wkjdctce.exe > [TYPE] MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit > [MIME] application/x-dosexec > [MD5 ] 6d383a9e45c651ade3df88522c0ff409 [+] xpneklio.exe > [TYPE] MS-DOS executable PE for MS Windows (GUI) Intel 80386 > [MIME] application/x-dosexec > [MD5 ] 9607d960108e3c8217a71eb7ee81f0c5 [+] xvoidaio.exe > [TYPE] MS-DOS executable PE for MS Windows (GUI) Intel 80386 > [MIME] application/x-dosexec > [MD5 ] 595257b15af9ef944aa6aee850088fd0
File Disassembly
mgifragd.exe
(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)
Private Headers
mgifragd.exe: file format pei-i386
Characteristics 0x10f
relocations stripped
executable
line numbers stripped
symbols stripped
32 bit words
Time/Date Wed Sep 11 03:00:09 2013
Magic 010b (PE32)
MajorLinkerVersion 7
MinorLinkerVersion 0
SizeOfCode 00012000
SizeOfInitializedData 00082000
SizeOfUninitializedData 00000000
AddressOfEntryPoint 00009795
BaseOfCode 00001000
BaseOfData 00013000
ImageBase 00400000
SectionAlignment 00001000
FileAlignment 00001000
MajorOSystemVersion 4
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 4
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 00106000
SizeOfHeaders 00001000
CheckSum 00000000
Subsystem 00000002 (Windows GUI)
DllCharacteristics 00000000
SizeOfStackReserve 00100000
SizeOfStackCommit 00001000
SizeOfHeapReserve 00100000
SizeOfHeapCommit 00001000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010
The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0001474c 000000a0 Import Directory [parts of .idata]
Entry 2 00102000 000031d2 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00000000 00000000 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 00013000 00000138 Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00000000 00000000 CLR Runtime Header
Entry f 00000000 00000000 Reserved
There is an import table in .rdata at 0x41474c
The Import Tables (interpreted .rdata section contents)
vma: Hint Time Forward DLL First
Table Stamp Chain Name Thunk
0001474c 00014800 00000000 00000000 000149d2 00013014
DLL Name: KERNEL32.dll
vma: Hint/Ord Member-Name Bound-To
1496a 811 SuspendThread
1497a 656 ReadFile
14986 792 SetThreadPriority
1499a 393 GetProcAddress
149ac 853 VirtualAlloc
1495e 886 WriteFile
14df6 44 CloseHandle
1492c 446 GetTickCount
14dda 689 RtlUnwind
14dce 507 HeapSize
14dbe 545 LCMapStringW
14950 120 DeleteFileA
149bc 869 WaitForSingleObject
1493c 359 GetModuleHandleA
14dae 544 LCMapStringA
14d9c 643 RaiseException
14d8a 418 GetStringTypeW
14d78 415 GetStringTypeA
14d5e 428 GetSystemTimeAsFileTime
14d48 304 GetCurrentProcessId
14de6 780 SetStdHandle
14924 809 Sleep
14d32 306 GetCurrentThreadId
14d18 638 QueryPerformanceCounter
14d06 753 SetFilePointer
14ad0 412 GetStartupInfoA
14ae2 253 GetCommandLineA
14af4 456 GetVersionExA
14b04 501 HeapFree
14b10 171 ExitProcess
14b1e 817 TerminateProcess
14b32 303 GetCurrentProcess
14b46 414 GetStdHandle
14b56 357 GetModuleFileNameA
14b6c 834 UnhandledExceptionFilter
14b88 227 FreeEnvironmentStringsA
14ba2 319 GetEnvironmentStrings
14bba 228 FreeEnvironmentStringsW
14bd4 873 WideCharToMultiByte
14bea 346 GetLastError
14bfa 321 GetEnvironmentStringsW
14c14 762 SetHandleCount
14c26 336 GetFileType
14c34 499 HeapDestroy
14c42 497 HeapCreate
14c50 856 VirtualFree
14c5e 495 HeapAlloc
14c6a 505 HeapReAlloc
14c78 593 MultiByteToWideChar
14c8e 859 VirtualProtect
14ca0 424 GetSystemInfo
14cb0 861 VirtualQuery
14cc0 558 LoadLibraryA
14cd0 235 GetACP
14cda 380 GetOEMCP
14ce6 241 GetCPInfo
14cf2 219 FlushFileBuffers
14e04 349 GetLocaleInfoA
00014760 000148ec 00000000 00000000 00014a18 00013100
DLL Name: USER32.dll
vma: Hint/Ord Member-Name Bound-To
149e0 268 GetDC
149e8 270 GetDesktopWindow
14a0a 445 LoadImageA
149fc 439 LoadCursorA
00014774 000147f4 00000000 00000000 00014a40 00013008
DLL Name: GDI32.dll
vma: Hint/Ord Member-Name Bound-To
14a24 71 CreatePen
14a30 524 SelectObject
00014788 0001490c 00000000 00000000 00014a4a 00013120
DLL Name: WS2_32.dll
vma: Hint/Ord Member-Name Bound-To
80000003 3 <none>
80000012 18 <none>
0001479c 00014900 00000000 00000000 00014a78 00013114
DLL Name: WINMM.dll
vma: Hint/Ord Member-Name Bound-To
14a66 62 mciSendCommandA
14a56 26 auxSetVolume
000147b0 000147ec 00000000 00000000 00014a96 00013000
DLL Name: AVIFIL32.dll
vma: Hint/Ord Member-Name Bound-To
14a82 3 AVIClearClipboard
000147c4 00014918 00000000 00000000 00014ac2 0001312c
DLL Name: WinSCard.dll
vma: Hint/Ord Member-Name Bound-To
14ab4 6 SCardCancel
14aa4 7 SCardConnectA
000147d8 00000000 00000000 00000000 00000000 00000000
Embedded Resources
mgifragd.exe: file format pei-i386
Sections:
Idx Name Size VMA LMA File off Algn
0 .text 00011eea 00401000 00401000 00001000 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
1 .rdata 00001e16 00413000 00413000 00013000 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
2 .data 00002000 00415000 00415000 00015000 2**2
CONTENTS, ALLOC, LOAD, DATA
3 .xcode 0007a000 00418000 00418000 00017000 2**2
CONTENTS, ALLOC, LOAD, DATA
4 .rsrc 000031d2 00502000 00502000 00091000 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
rksmkjjl.exe
(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)
Private Headers
rksmkjjl.exe: file format pei-i386
Characteristics 0x10f
relocations stripped
executable
line numbers stripped
symbols stripped
32 bit words
Time/Date Wed Jun 16 00:28:57 2010
Magic 010b (PE32)
MajorLinkerVersion 6
MinorLinkerVersion 0
SizeOfCode 00032a00
SizeOfInitializedData 00006a00
SizeOfUninitializedData 00000000
AddressOfEntryPoint 000068d0
BaseOfCode 00001000
BaseOfData 00034000
ImageBase 00400000
SectionAlignment 00001000
FileAlignment 00000200
MajorOSystemVersion 4
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 4
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 0003c000
SizeOfHeaders 00000400
CheckSum 00041a40
Subsystem 00000002 (Windows GUI)
DllCharacteristics 00000000
SizeOfStackReserve 00100000
SizeOfStackCommit 00001000
SizeOfHeapReserve 00100000
SizeOfHeapCommit 00001000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010
The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 00034cd0 0000008c Import Directory [parts of .idata]
Entry 2 0003b000 00000530 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00000000 00000000 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 00034000 0000041c Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00000000 00000000 CLR Runtime Header
Entry f 00000000 00000000 Reserved
There is an import table in .rdata at 0x434cd0
The Import Tables (interpreted .rdata section contents)
vma: Hint Time Forward DLL First
Table Stamp Chain Name Thunk
00034cd0 0003515c 00000000 00000000 000351b8 00034400
DLL Name: WINMM.dll
vma: Hint/Ord Member-Name Bound-To
35184 132 mmioAdvance
351a6 190 waveOutGetPitch
35178 124 mixerOpen
35192 162 timeGetSystemTime
00034ce4 00034ff8 00000000 00000000 0003576c 0003429c
DLL Name: USER32.dll
vma: Hint/Ord Member-Name Bound-To
354a4 366 GetWindowLongA
353fe 311 GetMenuState
353ee 307 GetMenuItemID
356d0 658 ShowWindow
35688 640 SetWindowLongA
355ce 515 PostQuitMessage
35224 74 CopyRect
3563e 579 SetActiveWindow
35514 417 IsDialogMessageA
35558 439 LoadBitmapA
3567c 618 SetPropA
35498 362 GetWindow
352be 198 EndDialog
35666 609 SetMenuItemBitmaps
355ae 511 PeekMessageA
3538e 289 GetKeyState
3570a 686 UnhookWindowsHookEx
35444 345 GetSubMenu
351e2 27 CallWindowProcA
35650 599 SetForegroundWindow
353da 306 GetMenuItemCount
3534e 272 GetDlgCtrlID
354b6 371 GetWindowPlacement
35534 430 IsWindowEnabled
35460 347 GetSysColorBrush
353bc 302 GetMenuCheckMarkDimensions
35488 355 GetTopWindow
35618 566 SendDlgItemMessageA
35528 429 IsWindow
352d6 225 ExitWindowsEx
354cc 372 GetWindowRect
35734 699 UpdateWindow
35290 182 DrawIcon
352ca 200 EndPaint
355e0 523 PtInRect
3569a 643 SetWindowPos
35506 381 GrayStringA
3540e 314 GetMessageA
354ee 376 GetWindowTextLengthA
355a0 478 MessageBoxA
351d0 26 CallNextHookEx
354dc 375 GetWindowTextA
35580 458 LoadStringA
3541c 316 GetMessagePos
351f4 52 CharUpperA
352e6 235 GetActiveWindow
35754 720 WinHelpA
35720 691 UnregisterClassA
355ec 534 RegisterClassA
356aa 646 SetWindowTextA
3529c 194 EnableMenuItem
356de 665 SystemParametersInfoA
355fe 554 ReleaseDC
35272 151 DestroyMenu
3536c 278 GetFocus
353b2 300 GetMenu
35378 279 GetForegroundWindow
35760 726 wsprintfA
35230 82 CreateDialogIndirectParamA
3539c 296 GetLastActivePopup
35202 57 CheckMenuItem
352f8 243 GetCapture
355be 513 PostMessageA
356f6 682 TranslateMessage
35566 441 LoadCursorA
3558e 473 MapWindowPoints
351c2 13 BeginPaint
35306 246 GetClassInfoA
3562e 571 SendMessageA
352ae 196 EnableWindow
35212 64 ClientToScreen
35438 330 GetPropA
35336 267 GetCursorPos
35316 252 GetClassNameA
356bc 650 SetWindowsHookExA
35474 349 GetSystemMetrics
35452 346 GetSysColor
35326 255 GetClientRect
3535e 273 GetDlgItem
35280 153 DestroyWindow
35574 445 LoadIconA
3542c 325 GetParent
35546 433 IsWindowVisible
3560a 556 RemovePropA
35346 268 GetDC
35260 142 DefWindowProcA
35744 707 ValidateRect
3524e 96 CreateWindowExA
00034cf8 00034d9c 00000000 00000000 0003587a 00034040
DLL Name: GDI32.dll
vma: Hint/Ord Member-Name Bound-To
3581a 519 SaveDC
357d8 352 GetClipBox
35802 512 RestoreDC
3586e 590 TextOutA
3583a 555 SetMapMode
357ba 143 DeleteObject
357ca 221 ExtTextOutA
357e6 363 GetDeviceCaps
357f6 419 GetRelAbs
357ae 140 DeleteDC
3585c 578 SetWindowExtEx
35824 520 ScaleViewportExtEx
3580e 513 RoundRect
35788 51 CreateDIBitmap
3579a 53 CreateEllipticRgn
35848 574 SetViewportExtEx
35778 39 CreateBitmap
00034d0c 00034de4 00000000 00000000 000361be 00034088
DLL Name: KERNEL32.dll
vma: Hint/Ord Member-Name Bound-To
35a86 317 GetCurrentThread
3603c 810 SetStdHandle
3591c 140 DuplicateHandle
35c2a 464 GetThreadLocale
35bf0 434 GetStringTypeA
35884 25 Beep
360d2 854 TlsGetValue
35fc8 774 SetEnvironmentVariableA
35cea 500 GlobalFlags
361a6 953 lstrcpynA
359b4 218 FindResourceA
35dfa 550 IsBadCodePtr
35a5a 312 GetCurrentDirectoryA
35d98 537 InitializeCriticalSection
35ac0 334 GetEnvironmentStringsA
359f0 237 FreeEnvironmentStringsA
35eea 600 LocalUnlock
35f04 603 LockResource
35a48 264 GetCommandLineA
35e4e 570 LCMapStringA
361b2 956 lstrlenA
36182 944 lstrcmpA
35c8c 489 GetWindowsDirectoryA
35b0e 342 GetFileAttributesA
358ac 52 CompareStringA
35b9c 395 GetOEMCP
35e5e 571 LCMapStringW
3596e 188 FileTimeToSystemTime
35b4e 353 GetFullPathNameA
35e2a 559 IsDebuggerPresent
3602c 795 SetLastError
3607a 839 Sleep
360ee 856 Toolhelp32ReadProcessMemory
35a32 245 GetACP
35b88 375 GetModuleHandleA
35986 197 FindClose
359c4 229 FlushFileBuffers
35cf8 501 GlobalFree
35d56 520 HeapCreate
35c3c 472 GetTimeZoneInformation
35be0 433 GetStdHandle
35e6e 583 LeaveCriticalSection
35d4a 518 HeapAlloc
35dca 542 InterlockedDecrement
35d7e 528 HeapReAlloc
3618e 947 lstrcmpiA
35eb4 592 LocalFileTimeToFileTime
360e0 855 TlsSetValue
35c56 478 GetVersion
35eda 597 LocalReAlloc
35d2c 505 GlobalLock
3604c 812 SetSystemTime
35af4 336 GetEnvironmentVariableA
35b72 373 GetModuleFileNameA
358d0 77 CreateFileA
36082 844 SystemTimeToFileTime
3592e 143 EnterCriticalSection
35f34 667 RaiseException
360c8 853 TlsFree
35f6e 739 SetConsoleCursorInfo
35d3a 512 GlobalUnlock
35946 175 ExitProcess
35a72 314 GetCurrentProcess
358be 53 CompareStringW
36154 903 WideCharToMultiByte
35fe2 776 SetErrorMode
3589e 46 CloseHandle
35e3e 567 IsValidLocale
35e86 584 LoadLibraryA
3609a 845 SystemTimeToTzSpecificLocalTime
35b24 347 GetFileSize
3588c 44 ClearCommError
35954 187 FileTimeToLocalFileTime
35f62 714 RtlUnwind
35c64 479 GetVersionExA
3605c 827 SetUnhandledExceptionFilter
35a3c 252 GetCPInfo
35d72 524 HeapFree
35c14 441 GetSystemDirectoryA
35ab0 331 GetDriveTypeA
35d8c 530 HeapSize
35992 201 FindFirstFileA
35f14 618 MulDiv
35d64 522 HeapDestroy
35b40 350 GetFileType
35f46 681 ReadFile
35e96 589 LoadResource
35de2 546 InterlockedIncrement
35904 136 DosDateTimeToFileTime
36176 941 lstrcatA
35db4 539 InitializeSListHead
359a4 211 FindNextFileA
35fb8 771 SetEndOfFile
35e1a 556 IsBadWritePtr
36008 782 SetFilePointer
35d06 502 GlobalGetAtomNameA
35ba8 408 GetProcAddress
3616a 916 WriteFile
35ea6 590 LocalAlloc
35f52 693 ReleaseActCtx
36136 883 VirtualAlloc
35ada 335 GetEnvironmentStringsW
35f86 760 SetConsoleTextAttribute
35a9a 318 GetCurrentThreadId
35ece 594 LocalFree
35c02 437 GetStringTypeW
35e0a 553 IsBadReadPtr
35fa0 765 SetCurrentDirectoryA
35bce 431 GetStartupInfoA
35d1c 504 GlobalHandle
35cd8 497 GlobalFindAtomA
35ca4 492 GlobalAddAtomA
358de 122 DeleteCriticalSection
35b62 361 GetLastError
35bba 419 GetProcessVersion
358f6 124 DeleteFileA
35a0a 238 FreeEnvironmentStringsW
3601a 791 SetHandleCount
3619a 950 lstrcpyA
35f1e 619 MultiByteToWideChar
35a24 239 FreeLibrary
36146 886 VirtualFree
360bc 852 TlsAlloc
35b32 349 GetFileTime
3610c 864 UnhandledExceptionFilter
359d8 230 FlushInstructionCache
35ef8 601 LockFile
36128 865 UnlockFile
35cc4 496 GlobalDeleteAtom
35c74 481 GetVolumeInformationA
35ff2 780 SetFileAttributesA
35cb6 494 GlobalAlloc
00034d20 00035170 00000000 00000000 000361dc 00034414
DLL Name: comdlg32.dll
vma: Hint/Ord Member-Name Bound-To
361cc 7 GetFileTitleA
00034d34 00034d5c 00000000 00000000 00036330 00034000
DLL Name: ADVAPI32.dll
vma: Hint/Ord Member-Name Bound-To
362a8 457 RegCloseKey
362b6 461 RegCreateKeyExA
36202 26 AddUsersToEncryptedFile
36246 350 LsaEnumeratePrivileges
3631c 597 SystemFunction016
36260 360 LsaICLookupNamesWithCreds
36296 431 OpenThreadToken
362c8 466 RegDeleteValueA
362ea 505 RegSetValueExA
362da 482 RegOpenKeyExA
3627c 404 MSChapSrvChangePassword
361ea 20 AddAccessDeniedAceEx
36230 320 LockServiceDatabase
362fc 558 SetSecurityDescriptorControl
3621c 229 GetAclInformation
00034d48 00000000 00000000 00000000 00000000 00000000
Embedded Resources
rksmkjjl.exe: file format pei-i386
Sections:
Idx Name Size VMA LMA File off Algn
0 .text 000329fb 00401000 00401000 00000400 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
1 .rdata 0000237b 00434000 00434000 00032e00 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
2 .data 00004000 00437000 00437000 00035200 2**2
CONTENTS, ALLOC, LOAD, DATA
3 .rsrc 00000530 0043b000 0043b000 00039200 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
sggmfdxd.exe
(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)
Private Headers
BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored objdump: sggmfdxd.exe: File format not recognized
Embedded Resources
BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored objdump: sggmfdxd.exe: File format not recognized
sgipopnq.exe
(MS-DOS executable PE for MS Windows (GUI) Intel 80386)
Private Headers
BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored objdump: sgipopnq.exe: File format not recognized
Embedded Resources
BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored objdump: sgipopnq.exe: File format not recognized
tgdtrhmg.exe
(MS-DOS executable PE for MS Windows (GUI) Intel 80386)
Private Headers
BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored objdump: tgdtrhmg.exe: File format not recognized
Embedded Resources
BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored objdump: tgdtrhmg.exe: File format not recognized
wkjdctce.exe
(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)
Private Headers
wkjdctce.exe: file format pei-i386
Characteristics 0x10f
relocations stripped
executable
line numbers stripped
symbols stripped
32 bit words
Time/Date Tue Sep 10 16:24:00 2013
Magic 010b (PE32)
MajorLinkerVersion 7
MinorLinkerVersion 10
SizeOfCode 00006000
SizeOfInitializedData 0000a000
SizeOfUninitializedData 00000000
AddressOfEntryPoint 00003164
BaseOfCode 00001000
BaseOfData 00007000
ImageBase 00400000
SectionAlignment 00001000
FileAlignment 00001000
MajorOSystemVersion 4
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 4
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 00011000
SizeOfHeaders 00001000
CheckSum 00000000
Subsystem 00000002 (Windows GUI)
DllCharacteristics 00000000
SizeOfStackReserve 00100000
SizeOfStackCommit 00001000
SizeOfHeapReserve 00100000
SizeOfHeapCommit 00001000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010
The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 00006788 0000003c Import Directory [parts of .idata]
Entry 2 0000f000 00001810 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00000000 00000000 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 00001000 00000130 Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00000000 00000000 CLR Runtime Header
Entry f 00000000 00000000 Reserved
There is an import table in .text at 0x406788
The Import Tables (interpreted .text section contents)
vma: Hint Time Forward DLL First
Table Stamp Chain Name Thunk
00006788 000068ec 00000000 00000000 000068f4 00001128
DLL Name: msi.dll
vma: Hint/Ord Member-Name Bound-To
80000047 71 <none>
0000679c 000067c4 00000000 00000000 00006c04 00001000
DLL Name: KERNEL32.dll
vma: Hint/Ord Member-Name Bound-To
6bb2 332 GetPriorityClass
6e12 365 GetStringTypeA
68fc 52 CreateEventA
690c 394 GetTickCount
691c 364 GetStdHandle
692c 318 GetModuleHandleA
6940 813 lstrcmpA
694c 403 GetVersionExA
695c 666 SetFilePointerEx
6970 115 EnterCriticalSection
6988 825 lstrlenA
6994 94 DeleteCriticalSection
69ac 518 MultiByteToWideChar
69c2 200 FreeLibraryAndExitThread
69de 319 GetModuleHandleW
69f2 461 InterlockedExchange
6a08 446 HeapFree
6a14 56 CreateFileA
6a22 459 InterlockedCompareExchange
6a40 144 ExitProcess
6a4e 684 SetStdHandle
6a5e 577 ReadFile
6a6a 199 FreeLibrary
6a78 493 LocalFree
6a84 458 InitializeCriticalSectionAndSpinCount
6aac 474 IsDebuggerPresent
6ac0 316 GetModuleFileNameA
6ad6 773 WideCharToMultiByte
6aec 483 LoadLibraryA
6afc 287 GetEnvironmentStringsW
6b16 404 GetVersionExW
6b26 770 WaitForSingleObjectEx
6b3e 672 SetLastError
6b4e 786 WriteFile
6b5a 769 WaitForSingleObject
6b70 482 LeaveCriticalSection
6b88 270 GetCurrentProcessId
6b9e 78 CreateSemaphoreA
6e24 368 GetStringTypeW
6bc6 222 GetCommandLineA
6bd8 285 GetEnvironmentStrings
6bf0 271 GetCurrentThread
6c12 362 GetStartupInfoA
6c24 402 GetVersion
6c32 719 TerminateProcess
6c46 269 GetCurrentProcess
6c5a 735 UnhandledExceptionFilter
6c76 197 FreeEnvironmentStringsA
6c90 198 FreeEnvironmentStringsW
6caa 668 SetHandleCount
6cbc 300 GetFileType
6cca 272 GetCurrentThreadId
6ce0 727 TlsSetValue
6cee 724 TlsAlloc
6cfa 725 TlsFree
6d04 726 TlsGetValue
6d12 305 GetLastError
6d22 444 HeapDestroy
6d30 442 HeapCreate
6d3e 757 VirtualFree
6d4c 603 RtlUnwind
6d58 457 InitializeCriticalSection
6d74 152 FatalAppExitA
6d84 211 GetCPInfo
6d90 205 GetACP
6d9a 330 GetOEMCP
6da6 440 HeapAlloc
6db2 754 VirtualAlloc
6dc2 449 HeapReAlloc
6dd0 471 IsBadWritePtr
6de0 343 GetProcAddress
6df2 480 LCMapStringA
6e02 481 LCMapStringW
000067b0 00000000 00000000 00000000 00000000 00000000
Embedded Resources
wkjdctce.exe: file format pei-i386
Sections:
Idx Name Size VMA LMA File off Algn
0 .text 00005e36 00401000 00401000 00001000 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
1 .data 00006000 00407000 00407000 00007000 2**2
CONTENTS, ALLOC, LOAD, DATA
2 .rsrc 00001810 0040f000 0040f000 0000d000 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
xpneklio.exe
(MS-DOS executable PE for MS Windows (GUI) Intel 80386)
Private Headers
BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored objdump: xpneklio.exe: File format not recognized
Embedded Resources
BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored objdump: xpneklio.exe: File format not recognized
xvoidaio.exe
(MS-DOS executable PE for MS Windows (GUI) Intel 80386)
Private Headers
BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored objdump: xvoidaio.exe: File format not recognized
Embedded Resources
BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored objdump: xvoidaio.exe: File format not recognized
