.- - -----÷M÷E÷N÷U÷------------------------------------------------------------- --- ----  -------------.
!  WALL ! STATS ! GOODIES ! YARA ! FAQ ! RSS                                                            !
`--------------  - ---  ---------- -------- -------- -------- -------- ----------------- -  ---- ---- --'

                                           ATM MALWARE NOTICE 
                    0ef71569308d44e89bde48096c67caf73ec177c1c970a2fd843fd3a094502d78
 
Date...........: 2017-04-12
Family.........: ATMii
File name......: dll.dll
File size......: 14.00 KB
Type file......: DLL/Windows
Virscan........: VT - HA
Documentation..: https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/

Entropy:


Binary Histogram:


=== PEDUMP REPORT === 
=== MZ Header === signature: "MZ" bytes_in_last_block: 144 0x90 blocks_in_file: 3 3 num_relocs: 0 0 header_paragraphs: 4 4 min_extra_paragraphs: 0 0 max_extra_paragraphs: 65535 0xffff ss: 0 0 sp: 184 0xb8 checksum: 0 0 ip: 0 0 cs: 0 0 reloc_table_offset: 64 0x40 overlay_number: 0 0 reserved0: 0 0 oem_id: 0 0 oem_info: 0 0 reserved2: 0 0 reserved3: 0 0 reserved4: 0 0 reserved5: 0 0 reserved6: 0 0 lfanew: 208 0xd0 === DOS STUB === 00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th| 00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno| 00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS | 00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......| === RICH Header === LIB_ID VERSION TIMES_USED 147 93 30729 7809 6 6 4 4 8447 20ff 3 3 1 1 0 0 28 1c 175 af 40219 9d1b 3 3 157 9d 40219 9d1b 1 1 === PE Header === signature: "PE\x00\x00" # IMAGE_FILE_HEADER: Machine: 332 0x14c x86 NumberOfSections: 4 4 TimeDateStamp: "2013-11-01 14:33:23" PointerToSymbolTable: 0 0 NumberOfSymbols: 0 0 SizeOfOptionalHeader: 224 0xe0 Characteristics: 8450 0x2102 EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL # IMAGE_OPTIONAL_HEADER32: Magic: 267 0x10b 32-bit executable LinkerVersion: 10.0 SizeOfCode: 7168 0x1c00 SizeOfInitializedData: 6144 0x1800 SizeOfUninitializedData: 0 0 AddressOfEntryPoint: 10832 0x2a50 BaseOfCode: 4096 0x1000 BaseOfData: 12288 0x3000 ImageBase: 268435456 0x10000000 SectionAlignment: 4096 0x1000 FileAlignment: 512 0x200 OperatingSystemVersion: 5.1 ImageVersion: 0.0 SubsystemVersion: 5.1 Reserved1: 0 0 SizeOfImage: 24576 0x6000 SizeOfHeaders: 1024 0x400 CheckSum: 0 0 Subsystem: 2 2 WINDOWS_GUI DllCharacteristics: 1344 0x540 DYNAMIC_BASE, NX_COMPAT, NO_SEH SizeOfStackReserve: 1048576 0x100000 SizeOfStackCommit: 4096 0x1000 SizeOfHeapReserve: 1048576 0x100000 SizeOfHeapCommit: 4096 0x1000 LoaderFlags: 0 0 NumberOfRvaAndSizes: 16 0x10 === DATA DIRECTORY === EXPORT rva:0x 0 size:0x 0 IMPORT rva:0x 3b54 size:0x 64 RESOURCE rva:0x 0 size:0x 0 EXCEPTION rva:0x 0 size:0x 0 SECURITY rva:0x 0 size:0x 0 BASERELOC rva:0x 5000 size:0x 2d0 DEBUG rva:0x 0 size:0x 0 ARCHITECTURE rva:0x 0 size:0x 0 GLOBALPTR rva:0x 0 size:0x 0 TLS rva:0x 0 size:0x 0 LOAD_CONFIG rva:0x 0 size:0x 0 Bound_IAT rva:0x 0 size:0x 0 IAT rva:0x 3000 size:0x 80 Delay_IAT rva:0x 0 size:0x 0 CLR_Header rva:0x 0 size:0x 0 rva:0x 0 size:0x 0 === SECTIONS === NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS .text 1000 1b2c 1c00 400 0 0 0 0 60000020 R-X CODE .rdata 3000 e1e 1000 2000 0 0 0 0 40000040 R-- IDATA .data 4000 22b 400 3000 0 0 0 0 c0000040 RW- IDATA .reloc 5000 316 400 3400 0 0 0 0 42000040 R-- IDATA DISCARDABLE === IMPORTS === MODULE_NAME HINT ORD FUNCTION_NAME MSXFS.dll 19 WFSExecute MSXFS.dll 1e WFSLock MSXFS.dll 24 WFSUnlock MSXFS.dll 1a WFSFreeResult SHLWAPI.dll 14e StrToIntW SHLWAPI.dll 45 PathFileExistsW KERNEL32.dll 218 GetModuleHandleW KERNEL32.dll 52 CloseHandle KERNEL32.dll 545 lstrcmpiW KERNEL32.dll 213 GetModuleFileNameA KERNEL32.dll 245 GetProcAddress KERNEL32.dll 547 lstrcpyA KERNEL32.dll 548 lstrcpyW KERNEL32.dll 1c0 GetCurrentProcess KERNEL32.dll 4ed VirtualFreeEx KERNEL32.dll 4f0 VirtualProtectEx KERNEL32.dll 4ea VirtualAllocEx KERNEL32.dll 52e WriteProcessMemory KERNEL32.dll 466 SetFilePointer KERNEL32.dll 54d lstrlenA KERNEL32.dll 54a lstrcpynA KERNEL32.dll 54e lstrlenW KERNEL32.dll 242 GetPrivateProfileStringW KERNEL32.dll 525 WriteFile KERNEL32.dll 33f LoadLibraryW KERNEL32.dll 8f CreateFileW KERNEL32.dll d6 DeleteFileW USER32.dll 332 wsprintfA
=== Strings ===
File pos Mem pos ID Text ======== ======= == ==== 00000000004D 00001000004D 0 !This program cannot be run in DOS mode. 0000000000B8 0000100000B8 0 Richgq 0000000001C8 0000100001C8 0 .text 0000000001F0 0000100001F0 0 .rdata 000000000217 000010000217 0 @.data 000000000240 000010000240 0 .reloc 0000000007D1 0000100013D1 0 JIt3It 000000001B71 000010002771 0 f95(B 000000001BB2 0000100027B2 0 f95(B 000000001E5F 000010002A5F 0 SVthH 0000000020C0 0000100030C0 0 CheckServiceForValid 0000000020D8 0000100030D8 0 (%d):%s() ------------------------------------------------ 000000002114 000010003114 0 (%d):%s() Waiting for lock 000000002130 000010003130 0 (%d):%s() Device was locked 000000002150 000010003150 0 (%d):%s() WFSGetInfo Success %d 000000002174 000010003174 0 WFS_CDM_DEVONLINE 000000002188 000010003188 0 WFS_CDM_DEVOFFLINE 00000000219C 00001000319C 0 WFS_CDM_DEVPOWEROFF 0000000021B0 0000100031B0 0 WFS_CDM_DEVNODEVICE 0000000021C4 0000100031C4 0 WFS_CDM_DEVHWERROR 0000000021D8 0000100031D8 0 WFS_CDM_DEVUSERERROR 0000000021F0 0000100031F0 0 WFS_CDM_DEVBUSY 000000002200 000010003200 0 UKNOWN 000000002208 000010003208 0 WFS_CDM_DISPOK 000000002218 000010003218 0 WFS_CDM_DISPCUSTATE 00000000222C 00001000322C 0 WFS_CDM_DISPCUSTOP 000000002240 000010003240 0 WFS_CDM_DISPCUUNKNOWN 000000002258 000010003258 0 WFS_CDM_ISEMPTY 000000002268 000010003268 0 WFS_CDM_ISNOTEMPTY 00000000227C 00001000327C 0 WFS_CDM_ISNOTEMPTYCUST 000000002294 000010003294 0 WFS_CDM_ISNOTEMPTYUNK 0000000022AC 0000100032AC 0 WFS_CDM_ISUNKNOWN 0000000022C0 0000100032C0 0 WFS_CDM_ISNOTSUPPORTED 0000000022D8 0000100032D8 0 WFS_CDM_DOORNOTSUPPORTED 0000000022F4 0000100032F4 0 WFS_CDM_DOOROPEN 000000002308 000010003308 0 WFS_CDM_DOORCLOSED 00000000231C 00001000331C 0 WFS_CDM_DOORUNKNOWN 000000002330 000010003330 0 (%d):%s() Done-> szDevice: %s, szDispenser: %s, szIntermediateStacker: %s, szSafeDoor: %s 00000000238C 00001000338C 0 (%d):%s() WFSGetInfo failed = %d 0000000023B0 0000100033B0 0 (%d):%s() Unlocking device 0000000023CC 0000100033CC 0 Unknown.exe 0000000023D8 0000100033D8 0 GetDeviceInformation 0000000023F0 0000100033F0 0 (%d):%s() Device locked %d 00000000240C 00001000340C 0 Unknown 000000002414 000010003414 0 REJECTCASSETTE 000000002424 000010003424 0 BILLCASSETTE 000000002434 000010003434 0 COINCYLINDER 000000002444 000010003444 0 COINDISPENSER 000000002454 000010003454 0 RETRACTCASSETTE 000000002464 000010003464 0 COUPON 00000000246C 00001000346C 0 DOCUMENT 000000002478 000010003478 0 REPCONTAINER 000000002488 000010003488 0 RECYCLINGCASSETTE 00000000249C 00001000349C 0 NOTAPPLICABLE 0000000024AC 0000100034AC 0 HEALTHY 0000000024C8 0000100034C8 0 EMPTY 0000000024D0 0000100034D0 0 MISSING 0000000024D8 0000100034D8 0 NOVALUES 0000000024E4 0000100034E4 0 NOREFERENCE 0000000024F0 0000100034F0 0 MANIPULATED File pos Mem pos ID Text ======== ======= == ==== 0000000024FC 0000100034FC 0 INOPERATIVE 000000002508 000010003508 0 (%d):%s() Module: %s 00000000251D 00001000351D 0 Cash Unit # %d, name=%s 000000002535 000010003535 0 Type: %s 00000000253E 00001000353E 0 Status: %s 000000002549 000010003549 0 Currency ID: 0x%02x-0x%02x-0x%02x 00000000256B 00001000356B 0 Note Value: %u 00000000257A 00001000357A 0 Notes Count: %u 00000000258A 00001000358A 0 Notes Initial Count: %u 0000000025A2 0000100035A2 0 Notes Minimum Count: %u 0000000025BA 0000100035BA 0 Notes Maximum Count: %u 0000000025D4 0000100035D4 0 FindValidService 0000000025E8 0000100035E8 0 (%d):%s() Checking device index=%d 00000000260C 00001000360C 0 cmd_scan 000000002618 000010003618 0 (%d):%s() Searching valid service 00000000263C 00001000363C 0 (%d):%s() Service found %d 000000002658 000010003658 0 (%d):%s() Service does not found :( 000000002680 000010003680 0 cmd_info 00000000268C 00001000368C 0 (%d):%s() ! hFoundGlobalService = %d 0000000026B4 0000100036B4 0 cmd_disp_ex 0000000026C0 0000100036C0 0 (%d):%s() WFSExecute (WFS_CMD_CDM_DISPENSE) failed with error: %d 000000002704 000010003704 0 (%d):%s() WFSExecute() Success :-) 000000002758 000010003758 0 cmd_disp 000000002764 000010003764 0 (%d):%s() Currency %s 00000000277C 00001000377C 0 (%d):%s() Amount is %d 000000002794 000010003794 0 (%d):%s() ERROR: (amount % 10) != 0 0000000027BC 0000100037BC 0 (%d):%s() Failed to get parameters 0000000027F0 0000100037F0 0 ExecuteCmd 0000000027FC 0000100037FC 0 (%d):%s() Executing cmd 000000002820 000010003820 0 (%d):%s() CMD = %S 000000002860 000010003860 0 (%d):%s() Failed to get main->cmd value 00000000288C 00001000388C 0 mWFSGetInfo 000000002898 000010003898 0 (%d):%s() Call -> hService=0x%X, Result = 0x%X 0000000028C8 0000100038C8 0 (%d):%s() hResult success, search valid service 0000000028FC 0000100038FC 0 (%d):%s() Okay man, you can send commands to me, just try 00000000293C 00001000393C 0 (%d):%s() Found command file, executing... 000000002968 000010003968 0 (%d):%s() hResult failed 000000002984 000010003984 0 WFSGetInfo 0000000029A4 0000100039A4 0 SetHooks 0000000029B0 0000100039B0 0 (%d):%s() OK: Module found 0000000029CC 0000100039CC 0 CloseHandle 0000000029F4 0000100039F4 0 (%d):%s() WFSGetInfo found 000000002A10 000010003A10 0 (%d):%s() Failed to get closehandle 000000002A38 000010003A38 0 (%d):%s() _WFSOpen not found :-( 000000002A5C 000010003A5C 0 (%d):%s() Failed to load 000000002A76 000010003A76 0 msxfs.dll 000000002A84 000010003A84 0 RemoveHooks 000000002A90 000010003A90 0 (%d):%s() Unhooking 000000002AA8 000010003AA8 0 (%d):%s() Unhooked 000000002ABC 000010003ABC 0 DllMain 000000002AC4 000010003AC4 0 (%d):%s() Initialize library, and search valid service 000000002AFC 000010003AFC 0 (%d):%s() Hooking 000000002B10 000010003B10 0 (%d):%s() Unloading library 000000002B30 000010003B30 0 (%d):%s() Unload functions stuff 000000002C3A 000010003C3A 0 WFSFreeResult 000000002C4A 000010003C4A 0 WFSUnlock 000000002C56 000010003C56 0 WFSLock 000000002C60 000010003C60 0 WFSExecute 000000002C6C 000010003C6C 0 MSXFS.dll 000000002C78 000010003C78 0 PathFileExistsW File pos Mem pos ID Text ======== ======= == ==== 000000002C8A 000010003C8A 0 StrToIntW 000000002C94 000010003C94 0 SHLWAPI.dll 000000002CA2 000010003CA2 0 GetCurrentProcess 000000002CB6 000010003CB6 0 VirtualFreeEx 000000002CC6 000010003CC6 0 VirtualProtectEx 000000002CDA 000010003CDA 0 VirtualAllocEx 000000002CEC 000010003CEC 0 WriteProcessMemory 000000002D02 000010003D02 0 SetFilePointer 000000002D14 000010003D14 0 lstrlenA 000000002D20 000010003D20 0 lstrcpynA 000000002D2C 000010003D2C 0 GetModuleHandleW 000000002D40 000010003D40 0 GetPrivateProfileStringW 000000002D5C 000010003D5C 0 WriteFile 000000002D68 000010003D68 0 LoadLibraryW 000000002D78 000010003D78 0 CreateFileW 000000002D86 000010003D86 0 lstrlenW 000000002D92 000010003D92 0 GetProcAddress 000000002DA4 000010003DA4 0 GetModuleFileNameA 000000002DBA 000010003DBA 0 lstrcmpiW 000000002DC6 000010003DC6 0 CloseHandle 000000002DD4 000010003DD4 0 DeleteFileW 000000002DE2 000010003DE2 0 lstrcpyW 000000002DEE 000010003DEE 0 lstrcpyA 000000002DF8 000010003DF8 0 KERNEL32.dll 000000002E08 000010003E08 0 wsprintfA 000000002E12 000010003E12 0 USER32.dll 000000003056 000010004056 0 YYYYY 000000003062 000010004062 0 YYYYYYYYYYYY 000000003070 000010004070 0 }YPPPPYYYYa 000000003086 000010004086 0 YYYYYYYYYYY 000000003138 000010004138 0 JJJJKRJJJJOLJJJJJJJJUE@JJJEYMFJ]JJJJJJJJJJJJJJacgNJJkmJJEmJJDEJJ 000000003409 000010005009 0 040;0 00000000340F 00001000500F 0 0&101 00000000341D 00001000501D 0 2&2+2 000000003433 000010005033 0 5 5$5(5,5 000000003455 000010005055 0 8/898H8a8h8 000000003461 000010005061 0 8X9l9 000000003479 000010005079 0 :<:M:Z:y: 000000003497 000010005097 0 ;%;/;A;F;T;[;i;w; 0000000034C1 0000100050C1 0 <+<R<b< 0000000034E5 0000100050E5 0 = =$=(=,=0=4=8=<=@=D=H=L=P=n=u=z= 000000003517 000010005117 0 >,>E>k> 000000003539 000010005139 0 ?+?0?;?B?M?X?_?j?u?|? 000000003561 000010005161 0 0%0;0N0]0d0 00000000359F 00001000519F 0 1&1-1D1a1w1 0000000035B9 0000100051B9 0 2,2H2X2 0000000035CD 0000100051CD 0 2A3e3o3 0000000035E1 0000100051E1 0 3 4(484=4D4T4Y4a4 0000000035FD 0000100051FD 0 585B5P5Z5g5 00000000361D 00001000521D 0 6$6)6@6F6T6k6q6 00000000363F 00001000523F 0 727;7D7T7t7|7 00000000365F 00001000525F 0 8.848D8T8 000000003687 000010005287 0 9&9:9@9M9X9g9u9 0000000036A9 0000100052A9 0 :):0:l:q: 000000002080 000010003080 0 C:\ATM\tlogs.log 0000000020A4 0000100030A4 0 C:\ATM\c.ini 000000002728 000010003728 0 currency 000000002748 000010003748 0 amount 0000000027E0 0000100037E0 0 unknown 000000002990 000010003990 0 msxfs.dll File pos Mem pos ID Text ======== ======= == ==== 0000000029D7 0000100039D7 0 ekernel32.dll 00000000004D 00001000004D 0 !This program cannot be run in DOS mode. 0000000000B8 0000100000B8 0 Richgq 0000000001C8 0000100001C8 0 .text 0000000001F0 0000100001F0 0 .rdata 000000000217 000010000217 0 @.data 000000000240 000010000240 0 .reloc 0000000007D1 0000100013D1 0 JIt3It 000000001B71 000010002771 0 f95(B 000000001BB2 0000100027B2 0 f95(B 000000001E5F 000010002A5F 0 SVthH 0000000020C0 0000100030C0 0 CheckServiceForValid 0000000020D8 0000100030D8 0 (%d):%s() ------------------------------------------------ 000000002114 000010003114 0 (%d):%s() Waiting for lock 000000002130 000010003130 0 (%d):%s() Device was locked 000000002150 000010003150 0 (%d):%s() WFSGetInfo Success %d 000000002174 000010003174 0 WFS_CDM_DEVONLINE 000000002188 000010003188 0 WFS_CDM_DEVOFFLINE 00000000219C 00001000319C 0 WFS_CDM_DEVPOWEROFF 0000000021B0 0000100031B0 0 WFS_CDM_DEVNODEVICE 0000000021C4 0000100031C4 0 WFS_CDM_DEVHWERROR 0000000021D8 0000100031D8 0 WFS_CDM_DEVUSERERROR 0000000021F0 0000100031F0 0 WFS_CDM_DEVBUSY 000000002200 000010003200 0 UKNOWN 000000002208 000010003208 0 WFS_CDM_DISPOK 000000002218 000010003218 0 WFS_CDM_DISPCUSTATE 00000000222C 00001000322C 0 WFS_CDM_DISPCUSTOP 000000002240 000010003240 0 WFS_CDM_DISPCUUNKNOWN 000000002258 000010003258 0 WFS_CDM_ISEMPTY 000000002268 000010003268 0 WFS_CDM_ISNOTEMPTY 00000000227C 00001000327C 0 WFS_CDM_ISNOTEMPTYCUST 000000002294 000010003294 0 WFS_CDM_ISNOTEMPTYUNK 0000000022AC 0000100032AC 0 WFS_CDM_ISUNKNOWN 0000000022C0 0000100032C0 0 WFS_CDM_ISNOTSUPPORTED 0000000022D8 0000100032D8 0 WFS_CDM_DOORNOTSUPPORTED 0000000022F4 0000100032F4 0 WFS_CDM_DOOROPEN 000000002308 000010003308 0 WFS_CDM_DOORCLOSED 00000000231C 00001000331C 0 WFS_CDM_DOORUNKNOWN 000000002330 000010003330 0 (%d):%s() Done-> szDevice: %s, szDispenser: %s, szIntermediateStacker: %s, szSafeDoor: %s 00000000238C 00001000338C 0 (%d):%s() WFSGetInfo failed = %d 0000000023B0 0000100033B0 0 (%d):%s() Unlocking device 0000000023CC 0000100033CC 0 Unknown.exe 0000000023D8 0000100033D8 0 GetDeviceInformation 0000000023F0 0000100033F0 0 (%d):%s() Device locked %d 00000000240C 00001000340C 0 Unknown 000000002414 000010003414 0 REJECTCASSETTE 000000002424 000010003424 0 BILLCASSETTE 000000002434 000010003434 0 COINCYLINDER 000000002444 000010003444 0 COINDISPENSER 000000002454 000010003454 0 RETRACTCASSETTE 000000002464 000010003464 0 COUPON 00000000246C 00001000346C 0 DOCUMENT 000000002478 000010003478 0 REPCONTAINER 000000002488 000010003488 0 RECYCLINGCASSETTE 00000000249C 00001000349C 0 NOTAPPLICABLE 0000000024AC 0000100034AC 0 HEALTHY 0000000024C8 0000100034C8 0 EMPTY 0000000024D0 0000100034D0 0 MISSING 0000000024D8 0000100034D8 0 NOVALUES 0000000024E4 0000100034E4 0 NOREFERENCE File pos Mem pos ID Text ======== ======= == ==== 0000000024F0 0000100034F0 0 MANIPULATED 0000000024FC 0000100034FC 0 INOPERATIVE 000000002508 000010003508 0 (%d):%s() Module: %s 00000000251D 00001000351D 0 Cash Unit # %d, name=%s 000000002535 000010003535 0 Type: %s 00000000253E 00001000353E 0 Status: %s 000000002549 000010003549 0 Currency ID: 0x%02x-0x%02x-0x%02x 00000000256B 00001000356B 0 Note Value: %u 00000000257A 00001000357A 0 Notes Count: %u 00000000258A 00001000358A 0 Notes Initial Count: %u 0000000025A2 0000100035A2 0 Notes Minimum Count: %u 0000000025BA 0000100035BA 0 Notes Maximum Count: %u 0000000025D4 0000100035D4 0 FindValidService 0000000025E8 0000100035E8 0 (%d):%s() Checking device index=%d 00000000260C 00001000360C 0 cmd_scan 000000002618 000010003618 0 (%d):%s() Searching valid service 00000000263C 00001000363C 0 (%d):%s() Service found %d 000000002658 000010003658 0 (%d):%s() Service does not found :( 000000002680 000010003680 0 cmd_info 00000000268C 00001000368C 0 (%d):%s() ! hFoundGlobalService = %d 0000000026B4 0000100036B4 0 cmd_disp_ex 0000000026C0 0000100036C0 0 (%d):%s() WFSExecute (WFS_CMD_CDM_DISPENSE) failed with error: %d 000000002704 000010003704 0 (%d):%s() WFSExecute() Success :-) 000000002758 000010003758 0 cmd_disp 000000002764 000010003764 0 (%d):%s() Currency %s 00000000277C 00001000377C 0 (%d):%s() Amount is %d 000000002794 000010003794 0 (%d):%s() ERROR: (amount % 10) != 0 0000000027BC 0000100037BC 0 (%d):%s() Failed to get parameters 0000000027F0 0000100037F0 0 ExecuteCmd 0000000027FC 0000100037FC 0 (%d):%s() Executing cmd 000000002820 000010003820 0 (%d):%s() CMD = %S 000000002860 000010003860 0 (%d):%s() Failed to get main->cmd value 00000000288C 00001000388C 0 mWFSGetInfo 000000002898 000010003898 0 (%d):%s() Call -> hService=0x%X, Result = 0x%X 0000000028C8 0000100038C8 0 (%d):%s() hResult success, search valid service 0000000028FC 0000100038FC 0 (%d):%s() Okay man, you can send commands to me, just try 00000000293C 00001000393C 0 (%d):%s() Found command file, executing... 000000002968 000010003968 0 (%d):%s() hResult failed 000000002984 000010003984 0 WFSGetInfo 0000000029A4 0000100039A4 0 SetHooks 0000000029B0 0000100039B0 0 (%d):%s() OK: Module found 0000000029CC 0000100039CC 0 CloseHandle 0000000029F4 0000100039F4 0 (%d):%s() WFSGetInfo found 000000002A10 000010003A10 0 (%d):%s() Failed to get closehandle 000000002A38 000010003A38 0 (%d):%s() _WFSOpen not found :-( 000000002A5C 000010003A5C 0 (%d):%s() Failed to load 000000002A76 000010003A76 0 msxfs.dll 000000002A84 000010003A84 0 RemoveHooks 000000002A90 000010003A90 0 (%d):%s() Unhooking 000000002AA8 000010003AA8 0 (%d):%s() Unhooked 000000002ABC 000010003ABC 0 DllMain 000000002AC4 000010003AC4 0 (%d):%s() Initialize library, and search valid service 000000002AFC 000010003AFC 0 (%d):%s() Hooking 000000002B10 000010003B10 0 (%d):%s() Unloading library 000000002B30 000010003B30 0 (%d):%s() Unload functions stuff 000000002C3A 000010003C3A 0 WFSFreeResult 000000002C4A 000010003C4A 0 WFSUnlock 000000002C56 000010003C56 0 WFSLock 000000002C60 000010003C60 0 WFSExecute 000000002C6C 000010003C6C 0 MSXFS.dll File pos Mem pos ID Text ======== ======= == ==== 000000002C78 000010003C78 0 PathFileExistsW 000000002C8A 000010003C8A 0 StrToIntW 000000002C94 000010003C94 0 SHLWAPI.dll 000000002CA2 000010003CA2 0 GetCurrentProcess 000000002CB6 000010003CB6 0 VirtualFreeEx 000000002CC6 000010003CC6 0 VirtualProtectEx 000000002CDA 000010003CDA 0 VirtualAllocEx 000000002CEC 000010003CEC 0 WriteProcessMemory 000000002D02 000010003D02 0 SetFilePointer 000000002D14 000010003D14 0 lstrlenA 000000002D20 000010003D20 0 lstrcpynA 000000002D2C 000010003D2C 0 GetModuleHandleW 000000002D40 000010003D40 0 GetPrivateProfileStringW 000000002D5C 000010003D5C 0 WriteFile 000000002D68 000010003D68 0 LoadLibraryW 000000002D78 000010003D78 0 CreateFileW 000000002D86 000010003D86 0 lstrlenW 000000002D92 000010003D92 0 GetProcAddress 000000002DA4 000010003DA4 0 GetModuleFileNameA 000000002DBA 000010003DBA 0 lstrcmpiW 000000002DC6 000010003DC6 0 CloseHandle 000000002DD4 000010003DD4 0 DeleteFileW 000000002DE2 000010003DE2 0 lstrcpyW 000000002DEE 000010003DEE 0 lstrcpyA 000000002DF8 000010003DF8 0 KERNEL32.dll 000000002E08 000010003E08 0 wsprintfA 000000002E12 000010003E12 0 USER32.dll 000000003056 000010004056 0 YYYYY 000000003062 000010004062 0 YYYYYYYYYYYY 000000003070 000010004070 0 }YPPPPYYYYa 000000003086 000010004086 0 YYYYYYYYYYY 000000003138 000010004138 0 JJJJKRJJJJOLJJJJJJJJUE@JJJEYMFJ]JJJJJJJJJJJJJJacgNJJkmJJEmJJDEJJ 000000003409 000010005009 0 040;0 00000000340F 00001000500F 0 0&101 00000000341D 00001000501D 0 2&2+2 000000003433 000010005033 0 5 5$5(5,5 000000003455 000010005055 0 8/898H8a8h8 000000003461 000010005061 0 8X9l9 000000003479 000010005079 0 :<:M:Z:y: 000000003497 000010005097 0 ;%;/;A;F;T;[;i;w; 0000000034C1 0000100050C1 0 <+<R<b< 0000000034E5 0000100050E5 0 = =$=(=,=0=4=8=<=@=D=H=L=P=n=u=z= 000000003517 000010005117 0 >,>E>k> 000000003539 000010005139 0 ?+?0?;?B?M?X?_?j?u?|? 000000003561 000010005161 0 0%0;0N0]0d0 00000000359F 00001000519F 0 1&1-1D1a1w1 0000000035B9 0000100051B9 0 2,2H2X2 0000000035CD 0000100051CD 0 2A3e3o3 0000000035E1 0000100051E1 0 3 4(484=4D4T4Y4a4 0000000035FD 0000100051FD 0 585B5P5Z5g5 00000000361D 00001000521D 0 6$6)6@6F6T6k6q6 00000000363F 00001000523F 0 727;7D7T7t7|7 00000000365F 00001000525F 0 8.848D8T8 000000003687 000010005287 0 9&9:9@9M9X9g9u9 0000000036A9 0000100052A9 0 :):0:l:q: 000000002080 000010003080 0 C:\ATM\tlogs.log 0000000020A4 0000100030A4 0 C:\ATM\c.ini 000000002728 000010003728 0 currency 000000002748 000010003748 0 amount 0000000027E0 0000100037E0 0 unknown File pos Mem pos ID Text ======== ======= == ==== 000000002990 000010003990 0 msxfs.dll 0000000029D7 0000100039D7 0 ekernel32.dll
=== DOWNLOAD ===