Another One To Play With, 4/41 On Virustotal
Started by Chinzo, Sep 28 2009 12:32 AM
2 replies to this topic
#1
Posted 28 September 2009 - 12:32 AM
I discovered this on a customer's computer, 4/41 on VirusTotal and malware for sure. It's been "hidden" (lol) in 'Documents and Settings\user\Local Settings\Application Data\', put on this computer on 24 September. I don't have time to play with it, but it's interesting for people who like this, so I post it for you.
In fact I taught my customer how not to use Internet Explorer, because I'm sure it came from there....
#2
Posted 01 October 2009 - 06:38 PM

Report:
0009:Starting process L"Z:\\tmp\\vir\\e00fd6129b643e8c576dbf03a6b662e9\\malware.exe" (entryproc=0x409600)
0009:Call KERNEL32.GetCommandLineA() ret=004096a3
0009:Call KERNEL32.VirtualAlloc(00000000,00117674,00001000,00000040) ret=00409a05
0009:Call ntdll.NtAllocateVirtualMemory(ffffffff,0032f174,00000000,0032f188,00001000,00000040) ret=7b899a09
0009:Call ntdll.LdrShutdownProcess() ret=7b892042
0009:Call PE DLL (proc=0x7b8a12c0,module=0x7b820000 L"KERNEL32.dll",reason=PROCESS_DETACH,res=0x1)
0009:Call PE DLL (proc=0x7bc77530,module=0x7bc10000 L"ntdll.dll",reason=PROCESS_DETACH,res=0x1)
000b:Call KERNEL32.ExitProcess(00000000) ret=7efa8555
000b:Call ntdll.LdrShutdownProcess() ret=7b87302f
000b:Call PE DLL (proc=0x7ef84910,module=0x7ef50000 L"advapi32.dll",reason=PROCESS_DETACH,res=0x1)
000b:Call PE DLL (proc=0x7b8a12c0,module=0x7b820000 L"KERNEL32.dll",reason=PROCESS_DETACH,res=0x1)
000b:Call PE DLL (proc=0x7bc77530,module=0x7bc10000 L"ntdll.dll",reason=PROCESS_DETACH,res=0x1)
000b:Call ntdll.NtTerminateProcess(ffffffff,00000000) ret=7b87303f
000d:Call ntdll.NtClose(00000038) ret=7b873a45
000d:Call advapi32.RegCloseKey(00000020) ret=7efa6f7a
000d:Call ntdll.NtClose(00000020) ret=7eed68e8
000d:Call KERNEL32.ExitProcess(00000000) ret=7efac805
000d:Call ntdll.LdrShutdownProcess() ret=7b87302f
000d:Call PE DLL (proc=0x7ef7c420,module=0x7ef40000 L"rpcrt4.dll",reason=PROCESS_DETACH,res=0x1)
000d:Call PE DLL (proc=0x7ef29b90,module=0x7ef20000 L"iphlpapi.dll",reason=PROCESS_DETACH,res=0x1)
000d:Call PE DLL (proc=0x7eeee910,module=0x7eec0000 L"advapi32.dll",reason=PROCESS_DETACH,res=0x1)
000d:Call PE DLL (proc=0x7b8a12c0,module=0x7b820000 L"KERNEL32.dll",reason=PROCESS_DETACH,res=0x1)
000d:Call PE DLL (proc=0x7bc77530,module=0x7bc10000 L"ntdll.dll",reason=PROCESS_DETACH,res=0x1)
000d:Call ntdll.NtTerminateProcess(ffffffff,00000000) ret=7b87303f
malware 1966 1965 0 04:29 ? 00:00:00 /bin/sh /usr/bin/xvfb-run /home/malware/bin/malware_launcher.sh /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/malware.exe 30 /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump 1
malware 1979 1966 0 04:29 ? 00:00:00 /bin/sh /home/malware/bin/malware_launcher.sh /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/malware.exe 30 /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump 1
malware 1997 1979 0 04:30 ? 00:00:00 grep .exe
Dumping the process memory for child processes...
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 03:53 ? 00:00:07 init [2]
root 2 1 0 03:53 ? 00:00:00 [migration/0]
root 3 1 0 03:53 ? 00:00:00 [ksoftirqd/0]
root 4 1 0 03:53 ? 00:00:00 [events/0]
root 5 1 0 03:53 ? 00:00:00 [khelper]
root 6 1 0 03:53 ? 00:00:00 [kthread]
root 9 6 0 03:53 ? 00:00:00 [kblockd/0]
root 10 6 0 03:53 ? 00:00:00 [kacpid]
root 76 6 0 03:53 ? 00:00:00 [kseriod]
root 112 6 0 03:53 ? 00:00:00 [pdflush]
root 113 6 0 03:53 ? 00:00:00 [pdflush]
root 114 6 0 03:53 ? 00:00:00 [kswapd0]
root 115 6 0 03:53 ? 00:00:00 [aio/0]
root 810 6 0 03:54 ? 00:00:00 [kjournald]
root 966 1 0 03:54 ? 00:00:01 udevd --daemon
root 1238 6 0 03:55 ? 00:00:00 [kpsmoused]
root 1519 6 0 03:55 ? 00:00:00 [kmirrord]
root 1652 1 0 03:55 ? 00:00:00 dhclient3 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp3/dhclient.eth0.leases eth0
root 1851 1 0 03:56 ? 00:00:00 /sbin/syslogd
root 1857 1 0 03:56 ? 00:00:00 /sbin/klogd -x
root 1879 1 0 03:56 ? 00:00:00 /usr/sbin/sshd
root 1897 1 0 03:56 ? 00:00:00 /usr/sbin/cron
malware 1919 1 0 03:56 ? 00:00:00 boa -c /home/malware/zerowine/
root 1931 1 0 03:56 tty1 00:00:00 /bin/login --
root 1932 1 0 03:56 tty2 00:00:00 /sbin/getty 38400 tty2
root 1933 1 0 03:56 tty3 00:00:00 /sbin/getty 38400 tty3
root 1934 1 0 03:56 tty4 00:00:00 /sbin/getty 38400 tty4
root 1935 1 0 03:56 tty5 00:00:00 /sbin/getty 38400 tty5
root 1939 1 0 03:56 tty6 00:00:00 /sbin/getty 38400 tty6
root 1949 1931 0 04:00 tty1 00:00:00 -bash
root 1959 1949 0 04:00 tty1 00:00:00 hd
malware 1965 1919 6 04:29 ? 00:00:02 /usr/bin/python /home/malware/zerowine/cgi-bin/upload.py
malware 1966 1965 0 04:29 ? 00:00:00 /bin/sh /usr/bin/xvfb-run /home/malware/bin/malware_launcher.sh /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/malware.exe 30 /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump 1
malware 1977 1966 13 04:29 ? 00:00:04 Xvfb :99 -screen 0 640x480x8 -nolisten tcp
malware 1979 1966 0 04:29 ? 00:00:00 /bin/sh /home/malware/bin/malware_launcher.sh /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/malware.exe 30 /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump 1
malware 1998 1979 0 04:30 ? 00:00:00 ps -edf
Dumping proc 1966
['/home/malware/bin/dump_process.py', '1966', '/tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump-1966']
*** Searching for process 'dump1'
Dumping proc 1979
['/home/malware/bin/dump_process.py', '1979', '/tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump-1979']
*** Searching for process 'dump1'
Dumping proc 1999
['/home/malware/bin/dump_process.py', '1999', '/tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump-1999']
Traceback (most recent call last):
File "/home/malware/bin/dump_process.py", line 150, in <module>
main(int(sys.argv[1]), sys.argv[2])
File "/home/malware/bin/dump_process.py", line 134, in main
dbg.addProcess(pid, False)
File "/usr/lib/python2.5/site-packages/ptrace/debugger/debugger.py", line 74, in addProcess
process = PtraceProcess(self, pid, is_attached, parent=parent)
File "/usr/lib/python2.5/site-packages/ptrace/debugger/process.py", line 165, in __init__
self.attach()
File "/usr/lib/python2.5/site-packages/ptrace/debugger/process.py", line 182, in attach
ptrace_attach(self.pid)
File "/usr/lib/python2.5/site-packages/ptrace/binding/func.py", line 155, in ptrace_attach
ptrace(PTRACE_ATTACH, pid)
File "/usr/lib/python2.5/site-packages/ptrace/binding/func.py", line 148, in ptrace
raise PtraceError(message, errno=errno, pid=pid)
ptrace.error.PtraceError: ptrace(cmd=16, pid=1999, 0, 0) error #3: No such process
strings:
lstrlenA
VirtualAlloc
GetCommandLineA
LeaveCriticalSection
GetCurrentProcessId
WaitForSingleObject
GetVersionExA
CreateFileA
SetEndOfFile
GetThreadLocale
ExitProcess
HeapDestroy
QueryPerformanceCounter
FreeLibrary
DeleteFileA
ReadFile
GetModuleHandleA
TlsFree
LCMapStringA
GetCurrentProcess
KERNEL32.dll
file Headers:
----------DOS_HEADER----------
[IMAGE_DOS_HEADER]
e_magic: 0x5A4D
e_cblp: 0x90
e_cp: 0x3
e_crlc: 0x0
e_cparhdr: 0x4
e_minalloc: 0x0
e_maxalloc: 0xFFFF
e_ss: 0x0
e_sp: 0xB8
e_csum: 0x0
e_ip: 0x0
e_cs: 0x0
e_lfarlc: 0x40
e_ovno: 0x0
e_res:
e_oemid: 0x0
e_oeminfo: 0x0
e_res2:
e_lfanew: 0xE0
----------NT_HEADERS----------
[IMAGE_NT_HEADERS]
Signature: 0x4550
----------FILE_HEADER----------
[IMAGE_FILE_HEADER]
Machine: 0x14C
NumberOfSections: 0x3
TimeDateStamp: 0x44D8240C [Tue Aug 8 05:41:32 2006 UTC]
PointerToSymbolTable: 0x0
NumberOfSymbols: 0x0
SizeOfOptionalHeader: 0xE0
Characteristics: 0x10F
Flags: IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED
----------OPTIONAL_HEADER----------
[IMAGE_OPTIONAL_HEADER]
Magic: 0x10B
MajorLinkerVersion: 0x6
MinorLinkerVersion: 0x0
SizeOfCode: 0xA000
SizeOfInitializedData: 0x3A000
SizeOfUninitializedData: 0x0
AddressOfEntryPoint: 0x9600
BaseOfCode: 0x1000
BaseOfData: 0xB000
ImageBase: 0x400000
SectionAlignment: 0x1000
FileAlignment: 0x1000
MajorOperatingSystemVersion: 0x4
MinorOperatingSystemVersion: 0x0
MajorImageVersion: 0x0
MinorImageVersion: 0x0
MajorSubsystemVersion: 0x4
MinorSubsystemVersion: 0x0
Reserved1: 0x0
SizeOfImage: 0x45000
SizeOfHeaders: 0x1000
CheckSum: 0x52D15
Subsystem: 0x2
DllCharacteristics: 0x0
SizeOfStackReserve: 0x100000
SizeOfStackCommit: 0x1000
SizeOfHeapReserve: 0x100000
SizeOfHeapCommit: 0x1000
LoaderFlags: 0x0
NumberOfRvaAndSizes: 0x10
DllCharacteristics:
----------PE Sections----------
[IMAGE_SECTION_HEADER]
Name: .text
Misc: 0x91C0
Misc_PhysicalAddress: 0x91C0
Misc_VirtualSize: 0x91C0
VirtualAddress: 0x1000
SizeOfRawData: 0xA000
PointerToRawData: 0x1000
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x60000020
Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Entropy: 5.694083 (Min=0.0, Max=8.0)
MD5 hash: 1f1847d78fb8eaefc24c80ae1c21fa5a
SHA-1 hash: 747a1a9039d3573bcdbd511b32c55b94fe4b5508
SHA-256 hash: daa9a356f1aa9e1960e9d30140154dcb1d6ce661f41a3007b3ee1d517832d627
SHA-512 hash: 409d81a78d4218905cdb5f25d97487e5efbebf6162adc4335f626cc25f91abb5c7d7731f6d5a35debf118d412e07faea3b0b602de4dd24ebbaf1b42351fb4987
[IMAGE_SECTION_HEADER]
Name: .data
Misc: 0x387B8
Misc_PhysicalAddress: 0x387B8
Misc_VirtualSize: 0x387B8
VirtualAddress: 0xB000
SizeOfRawData: 0x39000
PointerToRawData: 0xB000
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0xC0000040
Flags: IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy: 6.597233 (Min=0.0, Max=8.0)
MD5 hash: dc7c0a1442d1b0516c6a1c10772a2567
SHA-1 hash: 4d4ee9200bce670e641b223c7864c2e4691f9c94
SHA-256 hash: f3ba616d69921d0f693b706af198014284e2eccdfdeb659328d878e791d66539
SHA-512 hash: 4a51f5b57a8257f8cfb80b06a557fdf8e59d3f8318d08b0c84b82d9aa79a79a73c9e063136c7fe136425332a2281b4a1905c3ece29857d6d7598ff5fba447fe2
[IMAGE_SECTION_HEADER]
Name: .rsrc
Misc: 0xF38
Misc_PhysicalAddress: 0xF38
Misc_VirtualSize: 0xF38
VirtualAddress: 0x44000
SizeOfRawData: 0x1000
PointerToRawData: 0x44000
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x40000040
Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy: 3.197878 (Min=0.0, Max=8.0)
MD5 hash: 32e09078b595d43301476cbfe9c9293b
SHA-1 hash: 6fa704dd2933091916f9c962bca5130cbb3b0710
SHA-256 hash: 9abac1c2e38c96758080e677ced0b28d7cec818afb81102ddc3744d7e4f0dcf5
SHA-512 hash: 5917ea794d43728b86c988d835cbe3eb51faf7f62b5cb4a16d271b7ca4169fec8241afd32cb720b0f39cd5edaae62d40a52796827d27b08fe7b6dd00f99714be
----------Directories----------
[IMAGE_DIRECTORY_ENTRY_EXPORT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_IMPORT]
VirtualAddress: 0x435DC
Size: 0x28
[IMAGE_DIRECTORY_ENTRY_RESOURCE]
VirtualAddress: 0x44000
Size: 0xF38
[IMAGE_DIRECTORY_ENTRY_EXCEPTION]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_SECURITY]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_BASERELOC]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_DEBUG]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_COPYRIGHT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_GLOBALPTR]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_TLS]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_IAT]
VirtualAddress: 0xB000
Size: 0x54
[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_RESERVED]
VirtualAddress: 0x0
Size: 0x0
----------Version Information----------
[VS_VERSIONINFO]
Length: 0x220
ValueLength: 0x34
Type: 0x0
[VS_FIXEDFILEINFO]
Signature: 0xFEEF04BD
StrucVersion: 0x10000
FileVersionMS: 0x70008
FileVersionLS: 0x9
ProductVersionMS: 0x70008
ProductVersionLS: 0x9
FileFlagsMask: 0x3F
FileFlags: 0x0
FileOS: 0x40004
FileType: 0x1
FileSubtype: 0x0
FileDateMS: 0x0
FileDateLS: 0x0
[StringFileInfo]
Length: 0x17E
ValueLength: 0x0
Type: 0x1
[StringTable]
Length: 0x15A
ValueLength: 0x0
Type: 0x1
LangID: 040904b0
FileVersion: 7, 8, 0, 9
CompanyName: aplanir
Comments: powerboat
ProductName: marketing
ProductVersion: 7, 8, 0, 9
FileDescription: subsecuente
[VarFileInfo]
Length: 0x44
ValueLength: 0x0
Type: 0x1
[Var]
Length: 0x24
ValueLength: 0x4
Type: 0x0
Translation: 0x0409 0x04b0
----------Imported symbols----------
[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0x43604
Characteristics: 0x43604
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
ForwarderChain: 0x0
Name: 0x437AA
FirstThunk: 0xB000
KERNEL32.dll.lstrlenA Hint[959]
KERNEL32.dll.VirtualAlloc Hint[885]
KERNEL32.dll.GetCommandLineA Hint[264]
KERNEL32.dll.LeaveCriticalSection Hint[583]
KERNEL32.dll.GetCurrentProcessId Hint[315]
KERNEL32.dll.WaitForSingleObject Hint[901]
KERNEL32.dll.GetVersionExA Hint[479]
KERNEL32.dll.CreateFileA Hint[77]
KERNEL32.dll.SetEndOfFile Hint[773]
KERNEL32.dll.GetThreadLocale Hint[464]
KERNEL32.dll.ExitProcess Hint[175]
KERNEL32.dll.HeapDestroy Hint[522]
KERNEL32.dll.QueryPerformanceCounter Hint[665]
KERNEL32.dll.FreeLibrary Hint[239]
KERNEL32.dll.DeleteFileA Hint[124]
KERNEL32.dll.ReadFile Hint[683]
KERNEL32.dll.GetModuleHandleA Hint[375]
KERNEL32.dll.TlsFree Hint[855]
KERNEL32.dll.LCMapStringA Hint[570]
KERNEL32.dll.GetCurrentProcess Hint[314]
----------Resource directory----------
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x0
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x2
Id: [0x6] (RT_STRING)
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x6
OffsetToData: 0x80000020
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x0
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x2
Id: [0x1]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x1
OffsetToData: 0x80000058
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x0
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x1
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x409
OffsetToData: 0xA0
[IMAGE_RESOURCE_DATA_ENTRY]
OffsetToData: 0x442F0
Size: 0x700
CodePage: 0x0
Reserved: 0x0
Id: [0x2]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x2
OffsetToData: 0x80000070
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x0
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x1
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x409
OffsetToData: 0xB0
[IMAGE_RESOURCE_DATA_ENTRY]
OffsetToData: 0x449F0
Size: 0x546
CodePage: 0x0
Reserved: 0x0
Id: [0x10] (RT_VERSION)
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x10
OffsetToData: 0x80000040
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x0
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x1
Id: [0x1]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x1
OffsetToData: 0x80000088
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x0
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x1
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x409
OffsetToData: 0xC0
[IMAGE_RESOURCE_DATA_ENTRY]
OffsetToData: 0x440D0
Size: 0x220
CodePage: 0x0
Reserved: 0x0
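A small triage script over the values quoted in this report, added here as an example and not code from the thread or from the ZeroWine sandbox: it parses the Wine relay-trace lines for VirtualAlloc calls that ask for executable pages, and runs packer heuristics over the section headers listed above (RWX sections, high-entropy writable data, entry point outside code, SizeOfImage consistency). The 6.5-bit entropy threshold, the trace-line regex and the finding texts are this example's own assumptions.

```python
"""Triage of the ZeroWine report above (added example, not code from the thread).
Parses Wine relay-trace lines for executable memory allocations and runs
consistency checks over the section headers the report lists."""
import math
import re
from typing import Dict, List, Optional

# Documented Windows constants: VirtualAlloc flProtect values carrying an execute bit
EXEC_PROTECTIONS = 0x10 | 0x20 | 0x40 | 0x80   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
# Documented IMAGE_SCN_* section characteristics
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Relay-trace lines and header values copied from the report in this thread
TRACE = [
    "0009:Call KERNEL32.GetCommandLineA() ret=004096a3",
    "0009:Call KERNEL32.VirtualAlloc(00000000,00117674,00001000,00000040) ret=00409a05",
    "0009:Call ntdll.NtAllocateVirtualMemory(ffffffff,0032f174,00000000,0032f188,00001000,00000040) ret=7b899a09",
    "000b:Call KERNEL32.ExitProcess(00000000) ret=7efa8555",
]
SECTIONS = [
    {"name": ".text", "va": 0x1000, "vsize": 0x91C0, "rsize": 0xA000, "flags": 0x60000020, "entropy": 5.694083},
    {"name": ".data", "va": 0xB000, "vsize": 0x387B8, "rsize": 0x39000, "flags": 0xC0000040, "entropy": 6.597233},
    {"name": ".rsrc", "va": 0x44000, "vsize": 0xF38, "rsize": 0x1000, "flags": 0x40000040, "entropy": 3.197878},
]
ENTRY_POINT, SIZE_OF_IMAGE, SECTION_ALIGNMENT = 0x9600, 0x45000, 0x1000
ENTROPY_THRESHOLD = 6.5  # assumption: above this, writable data looks packed or encrypted

# Matches "0009:Call KERNEL32.VirtualAlloc(00000000,...) ret=00409a05"; other line kinds are ignored
_CALL_RE = re.compile(r"^(?P<tid>[0-9a-f]{4}):Call (?P<func>[\w.]+)\((?P<args>[^)]*)\) ret=(?P<ret>[0-9a-f]+)$")


def parse_wine_call(line: str) -> Optional[Dict]:
    """Split one relay line into thread id, function, integer arguments and return address."""
    m = _CALL_RE.match(line.strip())
    if m is None:
        return None
    args = [int(a, 16) for a in m.group("args").split(",") if a]
    return {"tid": m.group("tid"), "func": m.group("func"), "args": args, "ret": int(m.group("ret"), 16)}


def flag_executable_allocs(lines: List[str], size_of_image: int) -> List[Dict]:
    """VirtualAlloc calls asking for executable pages; a request larger than the
    mapped image (here 0x117674 > 0x45000) is the classic unpacking-stub pattern."""
    found = []
    for line in lines:
        call = parse_wine_call(line)
        if call is None or not call["func"].endswith(".VirtualAlloc") or len(call["args"]) != 4:
            continue
        _address, size, _alloc_type, protect = call["args"]
        if protect & EXEC_PROTECTIONS:
            found.append({"tid": call["tid"], "size": size, "protect": protect,
                          "larger_than_image": size > size_of_image, "ret": call["ret"]})
    return found


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0: the quantity behind the report's per-section Entropy field."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment


def triage_sections(sections, entry_point, size_of_image, section_alignment, threshold=ENTROPY_THRESHOLD):
    """Header-level packer heuristics; returns a list of human-readable findings."""
    findings = []
    for s in sections:
        fl = s["flags"]
        if fl & IMAGE_SCN_MEM_WRITE and fl & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: section is both writable and executable")
        if fl & IMAGE_SCN_MEM_WRITE and not fl & IMAGE_SCN_CNT_CODE and s["entropy"] > threshold:
            findings.append(f"{s['name']}: writable data with entropy {s['entropy']:.2f}, possible packed payload")
        if s["vsize"] > s["rsize"]:
            findings.append(f"{s['name']}: VirtualSize exceeds raw size, room for unpacked code")
    in_code = any(s["va"] <= entry_point < s["va"] + max(s["vsize"], s["rsize"])
                  and s["flags"] & IMAGE_SCN_MEM_EXECUTE for s in sections)
    if not in_code:
        findings.append(f"entry point 0x{entry_point:x} lies outside every executable section")
    last = max(sections, key=lambda s: s["va"])
    expected = align_up(last["va"] + last["vsize"], section_alignment)
    if expected != size_of_image:
        findings.append(f"SizeOfImage 0x{size_of_image:x} != expected 0x{expected:x}")
    return findings


if __name__ == "__main__":
    for a in flag_executable_allocs(TRACE, SIZE_OF_IMAGE):
        note = " (larger than the whole image)" if a["larger_than_image"] else ""
        print(f"thread {a['tid']}: VirtualAlloc 0x{a['size']:x} bytes, flProtect=0x{a['protect']:x}{note}")
    for finding in triage_sections(SECTIONS, ENTRY_POINT, SIZE_OF_IMAGE, SECTION_ALIGNMENT):
        print(finding)
```

On this report the only header finding is the high-entropy writable .data section, while the trace shows a single PAGE_EXECUTE_READWRITE allocation bigger than the image before the process shuts down, which is consistent with a packed sample that bailed out under Wine.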
#3
Posted 03 May 2010 - 04:41 PM
000d:Call ntdll.NtClose(00000038) ret=7b873a45
000d:Call advapi32.RegCloseKey(00000020) ret=7efa6f7a
000d:Call ntdll.NtClose(00000020) ret=7eed68e8
000d:Call KERNEL32.ExitProcess(00000000) ret=7efac805
000d:Call ntdll.LdrShutdownProcess() ret=7b87302f
000d:Call PE DLL (proc=0x7ef7c420,module=0x7ef40000 L"rpcrt4.dll",reason=PROCESS_DETACH,res=0x1)
000d:Call PE DLL (proc=0x7ef29b90,module=0x7ef20000 L"iphlpapi.dll",reason=PROCESS_DETACH,res=0x1)
000d:Call PE DLL (proc=0x7eeee910,module=0x7eec0000 L"advapi32.dll",reason=PROCESS_DETACH,res=0x1)
000d:Call PE DLL (proc=0x7b8a12c0,module=0x7b820000 L"KERNEL32.dll",reason=PROCESS_DETACH,res=0x1)
000d:Call PE DLL (proc=0x7bc77530,module=0x7bc10000 L"ntdll.dll",reason=PROCESS_DETACH,res=0x1)
000d:Call ntdll.NtTerminateProcess(ffffffff,00000000) ret=7b87303f

malware 1966 1965 0 04:29 ? 00:00:00 /bin/sh /usr/bin/xvfb-run /home/malware/bin/malware_launcher.sh /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/malware.exe 30 /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump 1
malware 1979 1966 0 04:29 ? 00:00:00 /bin/sh /home/malware/bin/malware_launcher.sh /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/malware.exe 30 /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump 1
malware 1997 1979 0 04:30 ? 00:00:00 grep .exe

Dumping the process memory for child processes...
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 03:53 ? 00:00:07 init [2]
root 2 1 0 03:53 ? 00:00:00 [migration/0]
root 3 1 0 03:53 ? 00:00:00 [ksoftirqd/0]
root 4 1 0 03:53 ? 00:00:00 [events/0]
root 5 1 0 03:53 ? 00:00:00 [khelper]
root 6 1 0 03:53 ? 00:00:00 [kthread]
root 9 6 0 03:53 ? 00:00:00 [kblockd/0]
root 10 6 0 03:53 ? 00:00:00 [kacpid]
root 76 6 0 03:53 ? 00:00:00 [kseriod]
root 112 6 0 03:53 ? 00:00:00 [pdflush]
root 113 6 0 03:53 ? 00:00:00 [pdflush]
root 114 6 0 03:53 ? 00:00:00 [kswapd0]
root 115 6 0 03:53 ? 00:00:00 [aio/0]
root 810 6 0 03:54 ? 00:00:00 [kjournald]
root 966 1 0 03:54 ? 00:00:01 udevd --daemon
root 1238 6 0 03:55 ? 00:00:00 [kpsmoused]
root 1519 6 0 03:55 ? 00:00:00 [kmirrord]
root 1652 1 0 03:55 ? 00:00:00 dhclient3 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp3/dhclient.eth0.leases eth0
root 1851 1 0 03:56 ? 00:00:00 /sbin/syslogd
root 1857 1 0 03:56 ? 00:00:00 /sbin/klogd -x
root 1879 1 0 03:56 ? 00:00:00 /usr/sbin/sshd
root 1897 1 0 03:56 ? 00:00:00 /usr/sbin/cron
malware 1919 1 0 03:56 ? 00:00:00 boa -c /home/malware/zerowine/
root 1931 1 0 03:56 tty1 00:00:00 /bin/login --
root 1932 1 0 03:56 tty2 00:00:00 /sbin/getty 38400 tty2
root 1933 1 0 03:56 tty3 00:00:00 /sbin/getty 38400 tty3
root 1934 1 0 03:56 tty4 00:00:00 /sbin/getty 38400 tty4
root 1935 1 0 03:56 tty5 00:00:00 /sbin/getty 38400 tty5
root 1939 1 0 03:56 tty6 00:00:00 /sbin/getty 38400 tty6
root 1949 1931 0 04:00 tty1 00:00:00 -bash
root 1959 1949 0 04:00 tty1 00:00:00 hd
malware 1965 1919 6 04:29 ? 00:00:02 /usr/bin/python /home/malware/zerowine/cgi-bin/upload.py
malware 1966 1965 0 04:29 ? 00:00:00 /bin/sh /usr/bin/xvfb-run /home/malware/bin/malware_launcher.sh /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/malware.exe 30 /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump 1
malware 1977 1966 13 04:29 ? 00:00:04 Xvfb :99 -screen 0 640x480x8 -nolisten tcp
malware 1979 1966 0 04:29 ? 00:00:00 /bin/sh /home/malware/bin/malware_launcher.sh /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/malware.exe 30 /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump 1
malware 1998 1979 0 04:30 ? 00:00:00 ps -edf

Dumping proc 1966 ['/home/malware/bin/dump_process.py', '1966', '/tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump-1966']
*** Searching for process 'dump1'
Dumping proc 1979 ['/home/malware/bin/dump_process.py', '1979', '/tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump-1979']
*** Searching for process 'dump1'
Dumping proc 1999 ['/home/malware/bin/dump_process.py', '1999', '/tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump-1999']
Traceback (most recent call last):
  File "/home/malware/bin/dump_process.py", line 150, in <module>
    main(int(sys.argv[1]), sys.argv[2])
  File "/home/malware/bin/dump_process.py", line 134, in main
    dbg.addProcess(pid, False)
  File "/usr/lib/python2.5/site-packages/ptrace/debugger/debugger.py", line 74, in addProcess
    process = PtraceProcess(self, pid, is_attached, parent=parent)
  File "/usr/lib/python2.5/site-packages/ptrace/debugger/process.py", line 165, in __init__
    self.attach()
  File "/usr/lib/python2.5/site-packages/ptrace/debugger/process.py", line 182, in attach
    ptrace_attach(self.pid)
  File "/usr/lib/python2.5/site-packages/ptrace/binding/func.py", line 155, in ptrace_attach
    ptrace(PTRACE_ATTACH, pid)
  File "/usr/lib/python2.5/site-packages/ptrace/binding/func.py", line 148, in ptrace
    raise PtraceError(message, errno=errno, pid=pid)
ptrace.error.PtraceError: ptrace(cmd=16, pid=1999, 0, 0) error #3: No such process

strings:
H0_^ VLO" X<^[ F,_^ FDt F,t V _^][ F0t A(SV Yl^[
[short high-entropy fragments omitted]

murmurio boycott tabouiserai THURSTON CREOLE RISQUE engurru ir ZAFIAMENTE Alonso compasivo MACHEN Preselect ESBROUFERAI PENDONEAR DIFF RENTIABLE EXEGETE Conejero ACTIVISM SAMBENITEN misgovernment treintaidosavo Heinrik BAR METRO )Crrepte .2 Tinkle sopladero confect floritura PADRINO atti dirai Foule Ferromagn tique idem theosophy s'efflanquassent distordis DESTRIPACUENTOS scrotum Belleville T-shirt pi tiner Armen D Palisades PORTE-COUTEAU FAJARDO Intercar barbaque vropathie coordonnatrice racleuse Childbirth commutativity fH&1 compl tement attendis Trapacear trituration COAGULATE Baremo EXCR dorerai Retrorocket Buchanan GUISANTE Udell posterior Marmoriser d crispais Gwenneth ABDUCCI Accusation HISTOPLASMOSE commercialiser Mangeottai Coccyx PIFFAIS Wightman fireproof ESQUIVO Ion papelote agarr raillerai NE Cobijarlo Jannel plastique Rengorge VENT AMBLYOSCOPE MIDDLESEX rancie appointee recordais erseau Compuerta Pingo LEUCITE NOISERAIE Lambris Transf rement SUSCRIPTION s'insinuent saigner MANTELET Impluvio yellowish PLANCHEREL Maquile Suportar lactic Audrey pimplike ciervo bisector PLEITEE cellulaire Comenzad caponar flambement capsule FLIMFLAMMED CITERIOR Poterie NIGHT boustifailler Suportar : Despacho j' chinasse ENDOBLAR RETHA plan renifle ABOLIR apersogar Chiquita d'Ohio Pelecaniforme rembarquai bidegr claireraient encamisar apposer ATIPLAR Mandurria PECTE Ligate DINARADA litt rateur s'abonn rent S'exploitait mat ndoos apropiar atestiguo saboulai D traque chement Agobiar taillais cornily ALBARIZO Voiturage ROM virilisme AVIVARLE l LIVABILITY monopsone S'ESTOMPA Taillerai DESVAIR BSA Geoffry Apresador carburai Reestructure chourave

[the rest of the strings dump, up to the import names, is more short high-entropy fragments and long runs of "7" characters with no readable text; omitted]

lstrlenA
VirtualAlloc
GetCommandLineA
LeaveCriticalSection
GetCurrentProcessId
WaitForSingleObject
GetVersionExA
CreateFileA
SetEndOfFile
GetThreadLocale
ExitProcess
HeapDestroy
QueryPerformanceCounter
FreeLibrary
DeleteFileA
ReadFile
GetModuleHandleA
TlsFree
LCMapStringA
GetCurrentProcess
KERNEL32.dll
file Headers:
----------DOS_HEADER----------
[IMAGE_DOS_HEADER]
e_magic: 0x5A4D
e_cblp: 0x90
e_cp: 0x3
e_crlc: 0x0
e_cparhdr: 0x4
e_minalloc: 0x0
e_maxalloc: 0xFFFF
e_ss: 0x0
e_sp: 0xB8
e_csum: 0x0
e_ip: 0x0
e_cs: 0x0
e_lfarlc: 0x40
e_ovno: 0x0
e_res:
e_oemid: 0x0
e_oeminfo: 0x0
e_res2:
e_lfanew: 0xE0
----------NT_HEADERS----------
[IMAGE_NT_HEADERS]
Signature: 0x4550
----------FILE_HEADER----------
[IMAGE_FILE_HEADER]
Machine: 0x14C
NumberOfSections: 0x3
TimeDateStamp: 0x44D8240C [Tue Aug 8 05:41:32 2006 UTC]
PointerToSymbolTable: 0x0
NumberOfSymbols: 0x0
SizeOfOptionalHeader: 0xE0
Characteristics: 0x10F
Flags: IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED
----------OPTIONAL_HEADER----------
[IMAGE_OPTIONAL_HEADER]
Magic: 0x10B
MajorLinkerVersion: 0x6
MinorLinkerVersion: 0x0
SizeOfCode: 0xA000
SizeOfInitializedData: 0x3A000
SizeOfUninitializedData: 0x0
AddressOfEntryPoint: 0x9600
BaseOfCode: 0x1000
BaseOfData: 0xB000
ImageBase: 0x400000
SectionAlignment: 0x1000
FileAlignment: 0x1000
MajorOperatingSystemVersion: 0x4
MinorOperatingSystemVersion: 0x0
MajorImageVersion: 0x0
MinorImageVersion: 0x0
MajorSubsystemVersion: 0x4
MinorSubsystemVersion: 0x0
Reserved1: 0x0
SizeOfImage: 0x45000
SizeOfHeaders: 0x1000
CheckSum: 0x52D15
Subsystem: 0x2
DllCharacteristics: 0x0
SizeOfStackReserve: 0x100000
SizeOfStackCommit: 0x1000
SizeOfHeapReserve: 0x100000
SizeOfHeapCommit: 0x1000
LoaderFlags: 0x0
NumberOfRvaAndSizes: 0x10
DllCharacteristics:
----------PE Sections----------
[IMAGE_SECTION_HEADER]
Name: .text
Misc: 0x91C0
Misc_PhysicalAddress: 0x91C0
Misc_VirtualSize: 0x91C0
VirtualAddress: 0x1000
SizeOfRawData: 0xA000
PointerToRawData: 0x1000
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x60000020
Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Entropy: 5.694083 (Min=0.0, Max=8.0)
MD5 hash: 1f1847d78fb8eaefc24c80ae1c21fa5a
SHA-1 hash: 747a1a9039d3573bcdbd511b32c55b94fe4b5508
SHA-256 hash: daa9a356f1aa9e1960e9d30140154dcb1d6ce661f41a3007b3ee1d517832d627
SHA-512 hash: 409d81a78d4218905cdb5f25d97487e5efbebf6162adc4335f626cc25f91abb5c7d7731f6d5a35debf118d412e07faea3b0b602de4dd24ebbaf1b42351fb4987
[IMAGE_SECTION_HEADER]
Name: .data
Misc: 0x387B8
Misc_PhysicalAddress: 0x387B8
Misc_VirtualSize: 0x387B8
VirtualAddress: 0xB000
SizeOfRawData: 0x39000
PointerToRawData: 0xB000
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0xC0000040
Flags: IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy: 6.597233 (Min=0.0, Max=8.0)
MD5 hash: dc7c0a1442d1b0516c6a1c10772a2567
SHA-1 hash: 4d4ee9200bce670e641b223c7864c2e4691f9c94
SHA-256 hash: f3ba616d69921d0f693b706af198014284e2eccdfdeb659328d878e791d66539
SHA-512 hash: 4a51f5b57a8257f8cfb80b06a557fdf8e59d3f8318d08b0c84b82d9aa79a79a73c9e063136c7fe136425332a2281b4a1905c3ece29857d6d7598ff5fba447fe2
[IMAGE_SECTION_HEADER]
Name: .rsrc
Misc: 0xF38
Misc_PhysicalAddress: 0xF38
Misc_VirtualSize: 0xF38
VirtualAddress: 0x44000
SizeOfRawData: 0x1000
PointerToRawData: 0x44000
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x40000040
Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy: 3.197878 (Min=0.0, Max=8.0)
MD5 hash: 32e09078b595d43301476cbfe9c9293b
SHA-1 hash: 6fa704dd2933091916f9c962bca5130cbb3b0710
SHA-256 hash: 9abac1c2e38c96758080e677ced0b28d7cec818afb81102ddc3744d7e4f0dcf5
SHA-512 hash: 5917ea794d43728b86c988d835cbe3eb51faf7f62b5cb4a16d271b7ca4169fec8241afd32cb720b0f39cd5edaae62d40a52796827d27b08fe7b6dd00f99714be
----------Directories----------
[IMAGE_DIRECTORY_ENTRY_EXPORT] VirtualAddress: 0x0 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_IMPORT] VirtualAddress: 0x435DC Size: 0x28
[IMAGE_DIRECTORY_ENTRY_RESOURCE] VirtualAddress: 0x44000 Size: 0xF38
[IMAGE_DIRECTORY_ENTRY_EXCEPTION] VirtualAddress: 0x0 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_SECURITY] VirtualAddress: 0x0 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_BASERELOC] VirtualAddress: 0x0 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_DEBUG] VirtualAddress: 0x0 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_COPYRIGHT] VirtualAddress: 0x0 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_GLOBALPTR] VirtualAddress: 0x0 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_TLS] VirtualAddress: 0x0 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG] VirtualAddress: 0x0 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT] VirtualAddress: 0x0 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_IAT] VirtualAddress: 0xB000 Size: 0x54
[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT] VirtualAddress: 0x0 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] VirtualAddress: 0x0 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_RESERVED] VirtualAddress: 0x0 Size: 0x0
----------Version Information----------
[VS_VERSIONINFO]
Length: 0x220
ValueLength: 0x34
Type: 0x0
[VS_FIXEDFILEINFO]
Signature: 0xFEEF04BD
StrucVersion: 0x10000
FileVersionMS: 0x70008
FileVersionLS: 0x9
ProductVersionMS: 0x70008
ProductVersionLS: 0x9
FileFlagsMask: 0x3F
FileFlags: 0x0
FileOS: 0x40004
FileType: 0x1
FileSubtype: 0x0
FileDateMS: 0x0
FileDateLS: 0x0
[StringFileInfo]
Length: 0x17E
ValueLength: 0x0
Type: 0x1
[StringTable]
Length: 0x15A
ValueLength: 0x0
Type: 0x1
LangID: 040904b0
FileVersion: 7, 8, 0, 9
CompanyName: aplanir
Comments: powerboat
ProductName: marketing
ProductVersion: 7, 8, 0, 9
FileDescription: subsecuente
[VarFileInfo]
Length: 0x44
ValueLength: 0x0
Type: 0x1
[Var]
Length: 0x24
ValueLength: 0x4
Type: 0x0
Translation: 0x0409 0x04b0
----------Imported symbols----------
[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0x43604
Characteristics: 0x43604
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
ForwarderChain: 0x0
Name: 0x437AA
FirstThunk: 0xB000
KERNEL32.dll.lstrlenA Hint[959]
KERNEL32.dll.VirtualAlloc Hint[885]
KERNEL32.dll.GetCommandLineA Hint[264]
KERNEL32.dll.LeaveCriticalSection Hint[583]
KERNEL32.dll.GetCurrentProcessId Hint[315]
KERNEL32.dll.WaitForSingleObject Hint[901]
KERNEL32.dll.GetVersionExA Hint[479]
KERNEL32.dll.CreateFileA Hint[77]
KERNEL32.dll.SetEndOfFile Hint[773]
KERNEL32.dll.GetThreadLocale Hint[464]
KERNEL32.dll.ExitProcess Hint[175]
KERNEL32.dll.HeapDestroy Hint[522]
KERNEL32.dll.QueryPerformanceCounter Hint[665]
KERNEL32.dll.FreeLibrary Hint[239]
KERNEL32.dll.DeleteFileA Hint[124]
KERNEL32.dll.ReadFile Hint[683]
KERNEL32.dll.GetModuleHandleA Hint[375]
KERNEL32.dll.TlsFree Hint[855]
KERNEL32.dll.LCMapStringA Hint[570]
KERNEL32.dll.GetCurrentProcess Hint[314]
----------Resource directory----------
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x0
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x2
Id: [0x6] (RT_STRING)
  [IMAGE_RESOURCE_DIRECTORY_ENTRY]
  Name: 0x6
  OffsetToData: 0x80000020
  [IMAGE_RESOURCE_DIRECTORY]
  Characteristics: 0x0
  TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
  MajorVersion: 0x0
  MinorVersion: 0x0
  NumberOfNamedEntries: 0x0
  NumberOfIdEntries: 0x2
  Id: [0x1]
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x1
    OffsetToData: 0x80000058
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
    MajorVersion: 0x0
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
      [IMAGE_RESOURCE_DIRECTORY_ENTRY]
      Name: 0x409
      OffsetToData: 0xA0
      [IMAGE_RESOURCE_DATA_ENTRY]
      OffsetToData: 0x442F0
      Size: 0x700
      CodePage: 0x0
      Reserved: 0x0
  Id: [0x2]
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x2
    OffsetToData: 0x80000070
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
    MajorVersion: 0x0
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
      [IMAGE_RESOURCE_DIRECTORY_ENTRY]
      Name: 0x409
      OffsetToData: 0xB0
      [IMAGE_RESOURCE_DATA_ENTRY]
      OffsetToData: 0x449F0
      Size: 0x546
      CodePage: 0x0
      Reserved: 0x0
Id: [0x10] (RT_VERSION)
  [IMAGE_RESOURCE_DIRECTORY_ENTRY]
  Name: 0x10
  OffsetToData: 0x80000040
  [IMAGE_RESOURCE_DIRECTORY]
  Characteristics: 0x0
  TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
  MajorVersion: 0x0
  MinorVersion: 0x0
  NumberOfNamedEntries: 0x0
  NumberOfIdEntries: 0x1
  Id: [0x1]
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x1
    OffsetToData: 0x80000088
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
    MajorVersion: 0x0
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
      [IMAGE_RESOURCE_DIRECTORY_ENTRY]
      Name: 0x409
      OffsetToData: 0xC0
      [IMAGE_RESOURCE_DATA_ENTRY]
      OffsetToData: 0x440D0
      Size: 0x220
      CodePage: 0x0
      Reserved: 0x0
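The one line in the trace above that matters for triage is the VirtualAlloc call: the sample asks for 0x117674 bytes with protection 0x40, i.e. PAGE_EXECUTE_READWRITE, right after GetCommandLineA and before the process exits, which is what an in-memory unpacking stub does before it decompresses its payload into the new block. The script below is an added example, not part of ZeroWine or of the post: it parses the Wine relay "Call" lines, decodes the documented Win32 values of flAllocationType and flProtect, flags any writable-and-executable allocation, and checks whether the return address of the call lies inside the main image (ImageBase 0x400000 and SizeOfImage 0x45000 are taken from the header dump above). The sample lines are copied from the report; the "caller inside the image" check is my own heuristic for telling the sample's own code apart from calls made by Wine's DLLs.

```python
"""Triage helper for a Wine/ZeroWine relay trace: extract API calls, decode
VirtualAlloc flags, and flag writable+executable allocations (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the first trace lines quoted in the post above.
SAMPLE_TRACE = """\
0009:Call KERNEL32.GetCommandLineA() ret=004096a3
0009:Call KERNEL32.VirtualAlloc(00000000,00117674,00001000,00000040) ret=00409a05
0009:Call ntdll.NtAllocateVirtualMemory(ffffffff,0032f174,00000000,0032f188,00001000,00000040) ret=7b899a09
0009:Call ntdll.LdrShutdownProcess() ret=7b892042
0009:Call PE DLL (proc=0x7b8a12c0,module=0x7b820000 L"KERNEL32.dll",reason=PROCESS_DETACH,res=0x1)
000b:Call KERNEL32.ExitProcess(00000000) ret=7efa8555
"""

# ImageBase / SizeOfImage as printed in the header dump of the same post.
IMAGE_BASE = 0x400000
SIZE_OF_IMAGE = 0x45000

# One relay "Call" line: thread id, module.function(hex args) ret=hex address.
# "Starting process" and "Call PE DLL (...)" lines do not match and are skipped.
CALL_RE = re.compile(
    r"^(?P<tid>[0-9a-f]{4}):Call (?P<module>\w+)\.(?P<func>\w+)"
    r"\((?P<args>[^)]*)\) ret=(?P<ret>[0-9a-f]{8})$"
)

# Documented Win32 values for VirtualAlloc's flAllocationType and flProtect.
MEM_FLAGS = {
    0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
    0x100000: "MEM_TOP_DOWN", 0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES",
}
PAGE_BASE = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
WRITABLE_AND_EXECUTABLE = {0x40, 0x80}


@dataclass
class Call:
    tid: str
    module: str
    func: str
    args: List[int]
    ret: int  # return address: where in the caller the call was made from


@dataclass
class RwxAlloc:
    tid: str
    size: int
    alloc_type: str
    protect: str
    ret: int
    caller_in_image: bool  # return address inside the main executable's mapping?


def parse_trace(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue
        args = [int(a, 16) for a in m["args"].split(",") if a]
        calls.append(Call(m["tid"], m["module"], m["func"], args, int(m["ret"], 16)))
    return calls


def decode_alloc_type(flags: int) -> str:
    names = [name for bit, name in MEM_FLAGS.items() if flags & bit]
    return "|".join(names) if names else hex(flags)


def decode_protect(prot: int) -> str:
    # The low byte is one exclusive protection value; higher bits are modifiers.
    names = [PAGE_BASE.get(prot & 0xFF, hex(prot & 0xFF))]
    names += [name for bit, name in PAGE_MODIFIERS.items() if prot & bit]
    return "|".join(names)


def find_rwx_allocs(calls: List[Call], image_base: int, size_of_image: int) -> List[RwxAlloc]:
    """Flag kernel32 VirtualAlloc/VirtualAllocEx calls asking for W+X memory.
    The ntdll.NtAllocateVirtualMemory line that follows each one in a Wine trace
    is Wine's own forwarding of the same request, so it is not counted twice."""
    found = []
    for c in calls:
        if c.module.upper() != "KERNEL32" or c.func not in ("VirtualAlloc", "VirtualAllocEx"):
            continue
        off = 1 if c.func.endswith("Ex") else 0  # VirtualAllocEx takes hProcess first
        if len(c.args) < off + 4:
            continue
        size, alloc_type, prot = c.args[off + 1], c.args[off + 2], c.args[off + 3]
        if (prot & 0xFF) in WRITABLE_AND_EXECUTABLE:
            found.append(RwxAlloc(c.tid, size, decode_alloc_type(alloc_type),
                                  decode_protect(prot), c.ret,
                                  image_base <= c.ret < image_base + size_of_image))
    return found


if __name__ == "__main__":
    for f in find_rwx_allocs(parse_trace(SAMPLE_TRACE), IMAGE_BASE, SIZE_OF_IMAGE):
        where = "inside" if f.caller_in_image else "outside"
        print(f"thread {f.tid}: {f.size:#x} bytes {f.alloc_type} {f.protect}, "
              f"called from {f.ret:#010x} ({where} the main image)")
```

On the trace above it reports a single hit: thread 0009 committing 0x117674 bytes as PAGE_EXECUTE_READWRITE, called from 0x409a05, which is inside .text (RVA 0x9a05, just past the entry point at 0x9600). Note the caveat the report itself shows: under Wine the process exits straight after that allocation, and dump_process.py failed with "No such process" for pid 1999, so the dump directory will not contain the unpacked payload; to get at it you need to break on the allocation (or on the first write into the new block) on a real Windows box.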
What tool do you use to analyze?