HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Graftor.Elzob.7491 (B) (Emsisoft), Gen:Variant.Graftor.Elzob.7491 (AdAware), Trojan.Win32.Swrort.4.FD, TrojanSwrort.YR, GenericAutorunWorm.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 567e45c71e8cdad5e58cb786636a6ec0
SHA1: e72aa8839edbab1430b0ed21e29b81dd14205ef4
SHA256: 7cb16524418d7e384bda354d8a7a65c150fed2b55ad898877f721e80084389c2
SSDeep: 768:m B Zrc7iL HgeoU 1Dfe7Zclf2EBMEPHV:m klcO AeoU 1DC8eEmEPHV
Size: 49152 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Piriform Ltd.
Created at: no data
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:176
The Trojan injects its code into the following process(es):
spoolsv.exe:636
File activity
The process %original file name%.exe:176 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\drivers\spoolsv.exe (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8XKL8N8T\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OSFK0HBG\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHP4HQKJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVMJQJ2B\desktop.ini (67 bytes)
Registry activity
The process %original file name%.exe:176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 DE FB 15 94 52 8A 55 EA 29 0B 88 7D D2 56 07"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Msn" = "C:\Windows\system32\Drivers\spoolsv.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:176
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\drivers\spoolsv.exe (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8XKL8N8T\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OSFK0HBG\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHP4HQKJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVMJQJ2B\desktop.ini (67 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Msn" = "C:\Windows\system32\Drivers\spoolsv.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 20180 | 20480 | 4.18336 | e3813cab21782484dae91fcff783ca6d |
.data | 24576 | 19584 | 19968 | 5.12527 | 77aa69eb5410927418d55b7c6516171f |
.rdata | 45056 | 1032 | 1536 | 2.43541 | 1665546ed03231308c1ca49ed3166cba |
.bss | 49152 | 16672 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.edata | 69632 | 73 | 512 | 0.562331 | 1093b65d31dca17165cb4b81c8a10efd |
.idata | 73728 | 1696 | 2048 | 2.97431 | 28485cb22887f073da270fe186b8c860 |
.rsrc | 77824 | 924 | 1024 | 2.43818 | 75c22e74c7d5cfe6b035105e53a89ced |
.reloc | 81920 | 58368 | 1024 | 3.75276 | 9f39025d8ef8620ad5434305a1f59404 |
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps