
                                           ATM MALWARE NOTICE 
                    0ef71569308d44e89bde48096c67caf73ec177c1c970a2fd843fd3a094502d78
 
Date...........: 2017-04-12
Family.........: ATMii
File name......: dll.dll
File size......: 14.00 KB
Type file......: DLL/Windows
Virscan........: VT - HA
Documentation..: https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/

=== PEDUMP REPORT === 
=== MZ Header === signature: "MZ" bytes_in_last_block: 144 0x90 blocks_in_file: 3 3 num_relocs: 0 0 header_paragraphs: 4 4 min_extra_paragraphs: 0 0 max_extra_paragraphs: 65535 0xffff ss: 0 0 sp: 184 0xb8 checksum: 0 0 ip: 0 0 cs: 0 0 reloc_table_offset: 64 0x40 overlay_number: 0 0 reserved0: 0 0 oem_id: 0 0 oem_info: 0 0 reserved2: 0 0 reserved3: 0 0 reserved4: 0 0 reserved5: 0 0 reserved6: 0 0 lfanew: 208 0xd0 === DOS STUB === 00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th| 00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno| 00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS | 00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......| === RICH Header === LIB_ID VERSION TIMES_USED 147 93 30729 7809 6 6 4 4 8447 20ff 3 3 1 1 0 0 28 1c 175 af 40219 9d1b 3 3 157 9d 40219 9d1b 1 1 === PE Header === signature: "PE\x00\x00" # IMAGE_FILE_HEADER: Machine: 332 0x14c x86 NumberOfSections: 4 4 TimeDateStamp: "2013-11-01 14:33:23" PointerToSymbolTable: 0 0 NumberOfSymbols: 0 0 SizeOfOptionalHeader: 224 0xe0 Characteristics: 8450 0x2102 EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL # IMAGE_OPTIONAL_HEADER32: Magic: 267 0x10b 32-bit executable LinkerVersion: 10.0 SizeOfCode: 7168 0x1c00 SizeOfInitializedData: 6144 0x1800 SizeOfUninitializedData: 0 0 AddressOfEntryPoint: 10832 0x2a50 BaseOfCode: 4096 0x1000 BaseOfData: 12288 0x3000 ImageBase: 268435456 0x10000000 SectionAlignment: 4096 0x1000 FileAlignment: 512 0x200 OperatingSystemVersion: 5.1 ImageVersion: 0.0 SubsystemVersion: 5.1 Reserved1: 0 0 SizeOfImage: 24576 0x6000 SizeOfHeaders: 1024 0x400 CheckSum: 0 0 Subsystem: 2 2 WINDOWS_GUI DllCharacteristics: 1344 0x540 DYNAMIC_BASE, NX_COMPAT, NO_SEH SizeOfStackReserve: 1048576 0x100000 SizeOfStackCommit: 4096 0x1000 SizeOfHeapReserve: 1048576 0x100000 SizeOfHeapCommit: 4096 0x1000 LoaderFlags: 0 0 NumberOfRvaAndSizes: 16 0x10 === DATA DIRECTORY === EXPORT rva:0x 0 size:0x 0 IMPORT rva:0x 
3b54 size:0x 64 RESOURCE rva:0x 0 size:0x 0 EXCEPTION rva:0x 0 size:0x 0 SECURITY rva:0x 0 size:0x 0 BASERELOC rva:0x 5000 size:0x 2d0 DEBUG rva:0x 0 size:0x 0 ARCHITECTURE rva:0x 0 size:0x 0 GLOBALPTR rva:0x 0 size:0x 0 TLS rva:0x 0 size:0x 0 LOAD_CONFIG rva:0x 0 size:0x 0 Bound_IAT rva:0x 0 size:0x 0 IAT rva:0x 3000 size:0x 80 Delay_IAT rva:0x 0 size:0x 0 CLR_Header rva:0x 0 size:0x 0 rva:0x 0 size:0x 0 === SECTIONS === NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS .text 1000 1b2c 1c00 400 0 0 0 0 60000020 R-X CODE .rdata 3000 e1e 1000 2000 0 0 0 0 40000040 R-- IDATA .data 4000 22b 400 3000 0 0 0 0 c0000040 RW- IDATA .reloc 5000 316 400 3400 0 0 0 0 42000040 R-- IDATA DISCARDABLE === IMPORTS === MODULE_NAME HINT ORD FUNCTION_NAME MSXFS.dll 19 WFSExecute MSXFS.dll 1e WFSLock MSXFS.dll 24 WFSUnlock MSXFS.dll 1a WFSFreeResult SHLWAPI.dll 14e StrToIntW SHLWAPI.dll 45 PathFileExistsW KERNEL32.dll 218 GetModuleHandleW KERNEL32.dll 52 CloseHandle KERNEL32.dll 545 lstrcmpiW KERNEL32.dll 213 GetModuleFileNameA KERNEL32.dll 245 GetProcAddress KERNEL32.dll 547 lstrcpyA KERNEL32.dll 548 lstrcpyW KERNEL32.dll 1c0 GetCurrentProcess KERNEL32.dll 4ed VirtualFreeEx KERNEL32.dll 4f0 VirtualProtectEx KERNEL32.dll 4ea VirtualAllocEx KERNEL32.dll 52e WriteProcessMemory KERNEL32.dll 466 SetFilePointer KERNEL32.dll 54d lstrlenA KERNEL32.dll 54a lstrcpynA KERNEL32.dll 54e lstrlenW KERNEL32.dll 242 GetPrivateProfileStringW KERNEL32.dll 525 WriteFile KERNEL32.dll 33f LoadLibraryW KERNEL32.dll 8f CreateFileW KERNEL32.dll d6 DeleteFileW USER32.dll 332 wsprintfA
=== Strings ===
File pos Mem pos ID Text ======== ======= == ==== 00000000004D 00001000004D 0 !This program cannot be run in DOS mode. 0000000000B8 0000100000B8 0 Richgq 0000000001C8 0000100001C8 0 .text 0000000001F0 0000100001F0 0 .rdata 000000000217 000010000217 0 @.data 000000000240 000010000240 0 .reloc 0000000007D1 0000100013D1 0 JIt3It 000000001B71 000010002771 0 f95(B 000000001BB2 0000100027B2 0 f95(B 000000001E5F 000010002A5F 0 SVthH 0000000020C0 0000100030C0 0 CheckServiceForValid 0000000020D8 0000100030D8 0 (%d):%s() ------------------------------------------------ 000000002114 000010003114 0 (%d):%s() Waiting for lock 000000002130 000010003130 0 (%d):%s() Device was locked 000000002150 000010003150 0 (%d):%s() WFSGetInfo Success %d 000000002174 000010003174 0 WFS_CDM_DEVONLINE 000000002188 000010003188 0 WFS_CDM_DEVOFFLINE 00000000219C 00001000319C 0 WFS_CDM_DEVPOWEROFF 0000000021B0 0000100031B0 0 WFS_CDM_DEVNODEVICE 0000000021C4 0000100031C4 0 WFS_CDM_DEVHWERROR 0000000021D8 0000100031D8 0 WFS_CDM_DEVUSERERROR 0000000021F0 0000100031F0 0 WFS_CDM_DEVBUSY 000000002200 000010003200 0 UKNOWN 000000002208 000010003208 0 WFS_CDM_DISPOK 000000002218 000010003218 0 WFS_CDM_DISPCUSTATE 00000000222C 00001000322C 0 WFS_CDM_DISPCUSTOP 000000002240 000010003240 0 WFS_CDM_DISPCUUNKNOWN 000000002258 000010003258 0 WFS_CDM_ISEMPTY 000000002268 000010003268 0 WFS_CDM_ISNOTEMPTY 00000000227C 00001000327C 0 WFS_CDM_ISNOTEMPTYCUST 000000002294 000010003294 0 WFS_CDM_ISNOTEMPTYUNK 0000000022AC 0000100032AC 0 WFS_CDM_ISUNKNOWN 0000000022C0 0000100032C0 0 WFS_CDM_ISNOTSUPPORTED 0000000022D8 0000100032D8 0 WFS_CDM_DOORNOTSUPPORTED 0000000022F4 0000100032F4 0 WFS_CDM_DOOROPEN 000000002308 000010003308 0 WFS_CDM_DOORCLOSED 00000000231C 00001000331C 0 WFS_CDM_DOORUNKNOWN 000000002330 000010003330 0 (%d):%s() Done-> szDevice: %s, szDispenser: %s, szIntermediateStacker: %s, szSafeDoor: %s 00000000238C 00001000338C 0 (%d):%s() WFSGetInfo failed = %d 0000000023B0 0000100033B0 0 (%d):%s() Unlocking 
device 0000000023CC 0000100033CC 0 Unknown.exe 0000000023D8 0000100033D8 0 GetDeviceInformation 0000000023F0 0000100033F0 0 (%d):%s() Device locked %d 00000000240C 00001000340C 0 Unknown 000000002414 000010003414 0 REJECTCASSETTE 000000002424 000010003424 0 BILLCASSETTE 000000002434 000010003434 0 COINCYLINDER 000000002444 000010003444 0 COINDISPENSER 000000002454 000010003454 0 RETRACTCASSETTE 000000002464 000010003464 0 COUPON 00000000246C 00001000346C 0 DOCUMENT 000000002478 000010003478 0 REPCONTAINER 000000002488 000010003488 0 RECYCLINGCASSETTE 00000000249C 00001000349C 0 NOTAPPLICABLE 0000000024AC 0000100034AC 0 HEALTHY 0000000024C8 0000100034C8 0 EMPTY 0000000024D0 0000100034D0 0 MISSING 0000000024D8 0000100034D8 0 NOVALUES 0000000024E4 0000100034E4 0 NOREFERENCE 0000000024F0 0000100034F0 0 MANIPULATED File pos Mem pos ID Text ======== ======= == ==== 0000000024FC 0000100034FC 0 INOPERATIVE 000000002508 000010003508 0 (%d):%s() Module: %s 00000000251D 00001000351D 0 Cash Unit # %d, name=%s 000000002535 000010003535 0 Type: %s 00000000253E 00001000353E 0 Status: %s 000000002549 000010003549 0 Currency ID: 0x%02x-0x%02x-0x%02x 00000000256B 00001000356B 0 Note Value: %u 00000000257A 00001000357A 0 Notes Count: %u 00000000258A 00001000358A 0 Notes Initial Count: %u 0000000025A2 0000100035A2 0 Notes Minimum Count: %u 0000000025BA 0000100035BA 0 Notes Maximum Count: %u 0000000025D4 0000100035D4 0 FindValidService 0000000025E8 0000100035E8 0 (%d):%s() Checking device index=%d 00000000260C 00001000360C 0 cmd_scan 000000002618 000010003618 0 (%d):%s() Searching valid service 00000000263C 00001000363C 0 (%d):%s() Service found %d 000000002658 000010003658 0 (%d):%s() Service does not found :( 000000002680 000010003680 0 cmd_info 00000000268C 00001000368C 0 (%d):%s() ! 
hFoundGlobalService = %d 0000000026B4 0000100036B4 0 cmd_disp_ex 0000000026C0 0000100036C0 0 (%d):%s() WFSExecute (WFS_CMD_CDM_DISPENSE) failed with error: %d 000000002704 000010003704 0 (%d):%s() WFSExecute() Success :-) 000000002758 000010003758 0 cmd_disp 000000002764 000010003764 0 (%d):%s() Currency %s 00000000277C 00001000377C 0 (%d):%s() Amount is %d 000000002794 000010003794 0 (%d):%s() ERROR: (amount % 10) != 0 0000000027BC 0000100037BC 0 (%d):%s() Failed to get parameters 0000000027F0 0000100037F0 0 ExecuteCmd 0000000027FC 0000100037FC 0 (%d):%s() Executing cmd 000000002820 000010003820 0 (%d):%s() CMD = %S 000000002860 000010003860 0 (%d):%s() Failed to get main->cmd value 00000000288C 00001000388C 0 mWFSGetInfo 000000002898 000010003898 0 (%d):%s() Call -> hService=0x%X, Result = 0x%X 0000000028C8 0000100038C8 0 (%d):%s() hResult success, search valid service 0000000028FC 0000100038FC 0 (%d):%s() Okay man, you can send commands to me, just try 00000000293C 00001000393C 0 (%d):%s() Found command file, executing... 
000000002968 000010003968 0 (%d):%s() hResult failed 000000002984 000010003984 0 WFSGetInfo 0000000029A4 0000100039A4 0 SetHooks 0000000029B0 0000100039B0 0 (%d):%s() OK: Module found 0000000029CC 0000100039CC 0 CloseHandle 0000000029F4 0000100039F4 0 (%d):%s() WFSGetInfo found 000000002A10 000010003A10 0 (%d):%s() Failed to get closehandle 000000002A38 000010003A38 0 (%d):%s() _WFSOpen not found :-( 000000002A5C 000010003A5C 0 (%d):%s() Failed to load 000000002A76 000010003A76 0 msxfs.dll 000000002A84 000010003A84 0 RemoveHooks 000000002A90 000010003A90 0 (%d):%s() Unhooking 000000002AA8 000010003AA8 0 (%d):%s() Unhooked 000000002ABC 000010003ABC 0 DllMain 000000002AC4 000010003AC4 0 (%d):%s() Initialize library, and search valid service 000000002AFC 000010003AFC 0 (%d):%s() Hooking 000000002B10 000010003B10 0 (%d):%s() Unloading library 000000002B30 000010003B30 0 (%d):%s() Unload functions stuff 000000002C3A 000010003C3A 0 WFSFreeResult 000000002C4A 000010003C4A 0 WFSUnlock 000000002C56 000010003C56 0 WFSLock 000000002C60 000010003C60 0 WFSExecute 000000002C6C 000010003C6C 0 MSXFS.dll 000000002C78 000010003C78 0 PathFileExistsW File pos Mem pos ID Text ======== ======= == ==== 000000002C8A 000010003C8A 0 StrToIntW 000000002C94 000010003C94 0 SHLWAPI.dll 000000002CA2 000010003CA2 0 GetCurrentProcess 000000002CB6 000010003CB6 0 VirtualFreeEx 000000002CC6 000010003CC6 0 VirtualProtectEx 000000002CDA 000010003CDA 0 VirtualAllocEx 000000002CEC 000010003CEC 0 WriteProcessMemory 000000002D02 000010003D02 0 SetFilePointer 000000002D14 000010003D14 0 lstrlenA 000000002D20 000010003D20 0 lstrcpynA 000000002D2C 000010003D2C 0 GetModuleHandleW 000000002D40 000010003D40 0 GetPrivateProfileStringW 000000002D5C 000010003D5C 0 WriteFile 000000002D68 000010003D68 0 LoadLibraryW 000000002D78 000010003D78 0 CreateFileW 000000002D86 000010003D86 0 lstrlenW 000000002D92 000010003D92 0 GetProcAddress 000000002DA4 000010003DA4 0 GetModuleFileNameA 000000002DBA 000010003DBA 0 lstrcmpiW 
000000002DC6 000010003DC6 0 CloseHandle 000000002DD4 000010003DD4 0 DeleteFileW 000000002DE2 000010003DE2 0 lstrcpyW 000000002DEE 000010003DEE 0 lstrcpyA 000000002DF8 000010003DF8 0 KERNEL32.dll 000000002E08 000010003E08 0 wsprintfA 000000002E12 000010003E12 0 USER32.dll 000000003056 000010004056 0 YYYYY 000000003062 000010004062 0 YYYYYYYYYYYY 000000003070 000010004070 0 }YPPPPYYYYa 000000003086 000010004086 0 YYYYYYYYYYY 000000003138 000010004138 0 JJJJKRJJJJOLJJJJJJJJUE@JJJEYMFJ]JJJJJJJJJJJJJJacgNJJkmJJEmJJDEJJ 000000003409 000010005009 0 040;0 00000000340F 00001000500F 0 0&101 00000000341D 00001000501D 0 2&2+2 000000003433 000010005033 0 5 5$5(5,5 000000003455 000010005055 0 8/898H8a8h8 000000003461 000010005061 0 8X9l9 000000003479 000010005079 0 :<:M:Z:y: 000000003497 000010005097 0 ;%;/;A;F;T;[;i;w; 0000000034C1 0000100050C1 0 <+<R<b< 0000000034E5 0000100050E5 0 = =$=(=,=0=4=8=<=@=D=H=L=P=n=u=z= 000000003517 000010005117 0 >,>E>k> 000000003539 000010005139 0 ?+?0?;?B?M?X?_?j?u?|? 000000003561 000010005161 0 0%0;0N0]0d0 00000000359F 00001000519F 0 1&1-1D1a1w1 0000000035B9 0000100051B9 0 2,2H2X2 0000000035CD 0000100051CD 0 2A3e3o3 0000000035E1 0000100051E1 0 3 4(484=4D4T4Y4a4 0000000035FD 0000100051FD 0 585B5P5Z5g5 00000000361D 00001000521D 0 6$6)6@6F6T6k6q6 00000000363F 00001000523F 0 727;7D7T7t7|7 00000000365F 00001000525F 0 8.848D8T8 000000003687 000010005287 0 9&9:9@9M9X9g9u9 0000000036A9 0000100052A9 0 :):0:l:q: 000000002080 000010003080 0 C:\ATM\tlogs.log 0000000020A4 0000100030A4 0 C:\ATM\c.ini 000000002728 000010003728 0 currency 000000002748 000010003748 0 amount 0000000027E0 0000100037E0 0 unknown 000000002990 000010003990 0 msxfs.dll File pos Mem pos ID Text ======== ======= == ==== 0000000029D7 0000100039D7 0 ekernel32.dll 00000000004D 00001000004D 0 !This program cannot be run in DOS mode. 
=== DOWNLOAD === Mirror provided by vx-underground.org, thx!