
                                           ATM MALWARE NOTICE 
                    1243c478a7145fa08a03200611fcf5fae9bb58039c5069ef93e150d53cf22524
 
Date...........: 2011-05-20
Family.........: Ligsterac
File name......: lsass.exe
File size......: 80.00 KB
Type file......: EXE/Windows
Virscan........: VT - HA
Documentation..: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=154358

=== PEDUMP REPORT === 

=== MZ Header ===

signature:              "MZ"
bytes_in_last_block:    80       0x50
blocks_in_file:         2        2
num_relocs:             0        0
header_paragraphs:      4        4
min_extra_paragraphs:   15       0xf
max_extra_paragraphs:   65535    0xffff
ss:                     0        0
sp:                     184      0xb8
checksum:               0        0
ip:                     0        0
cs:                     0        0
reloc_table_offset:     64       0x40
overlay_number:         26       0x1a
reserved0:              0        0
oem_id:                 0        0
oem_info:               0        0
reserved2:              0        0
reserved3:              0        0
reserved4:              0        0
reserved5:              0        0
reserved6:              0        0
lfanew:                 256      0x100

=== DOS STUB ===

00000000: ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 |........!..L.!..|
00000010: 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 |This program mus|
00000020: 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 |t be run under W|
00000030: 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 |in32..$7........|
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

=== PE Header ===

signature:                  "PE\x00\x00"

# IMAGE_FILE_HEADER:
Machine:                    332        0x14c  x86
NumberOfSections:           9          9
TimeDateStamp:              "1992-06-19 22:22:17"
PointerToSymbolTable:       0          0
NumberOfSymbols:            0          0
SizeOfOptionalHeader:       224        0xe0
Characteristics:            33166      0x818e  EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                               LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO
                                               32BIT_MACHINE, BYTES_REVERSED_HI

# IMAGE_OPTIONAL_HEADER32:
Magic:                      267        0x10b  32-bit executable
LinkerVersion:              2.25
SizeOfCode:                 40448      0x9e00
SizeOfInitializedData:      8704       0x2200
SizeOfUninitializedData:    0          0
AddressOfEntryPoint:        44112      0xac50
BaseOfCode:                 4096       0x1000
BaseOfData:                 45056      0xb000
ImageBase:                  4194304    0x400000
SectionAlignment:           4096       0x1000
FileAlignment:              512        0x200
OperatingSystemVersion:     4.0
ImageVersion:               0.0
SubsystemVersion:           4.0
Reserved1:                  0          0
SizeOfImage:                77824      0x13000
SizeOfHeaders:              1024       0x400
CheckSum:                   0          0
Subsystem:                  2          2  WINDOWS_GUI
DllCharacteristics:         0          0
SizeOfStackReserve:         1048576    0x100000
SizeOfStackCommit:          16384      0x4000
SizeOfHeapReserve:          1048576    0x100000
SizeOfHeapCommit:           4096       0x1000
LoaderFlags:                0          0
NumberOfRvaAndSizes:        16         0x10

=== DATA DIRECTORY ===

EXPORT        rva:0x     0   size:0x     0
IMPORT        rva:0x 12400   size:0x    dc
RESOURCE      rva:0x 12000   size:0x   3f0
EXCEPTION     rva:0x     0   size:0x     0
SECURITY      rva:0x     0   size:0x     0
BASERELOC     rva:0x 11000   size:0x   964
DEBUG         rva:0x     0   size:0x     0
ARCHITECTURE  rva:0x     0   size:0x     0
GLOBALPTR     rva:0x     0   size:0x     0
TLS           rva:0x 10000   size:0x    18
LOAD_CONFIG   rva:0x     0   size:0x     0
Bound_IAT     rva:0x     0   size:0x     0
IAT           rva:0x     0   size:0x     0
Delay_IAT     rva:0x     0   size:0x     0
CLR_Header    rva:0x     0   size:0x     0
              rva:0x     0   size:0x     0

=== SECTIONS ===

NAME      RVA    VSZ   RAW_SZ  RAW_PTR  nREL  REL_PTR  nLINE  LINE_PTR  FLAGS
CODE      1000   9cb8  9cb8    1000     0     0        0      0         60000020  R-X CODE
DATA      b000   398   398     b000     0     0        0      0         c0000040  RW- IDATA
BSS       c000   1c3d  1c3d    c000     0     0        0      0         c0000000  RW-
.idata    e000   cba   cba     e000     0     0        0      0         c0000040  RW- IDATA
.tls      f000   8     8       f000     0     0        0      0         c0000000  RW-
.rdata    10000  18    18      10000    0     0        0      0         50000040  R-- IDATA SHARED
.reloc    11000  964   964     11000    0     0        0      0         50000040  R-- IDATA SHARED
.rsrc     12000  3f0   3f0     12000    0     0        0      0         50000040  R-- IDATA SHARED
.idata    12400  c00   c00     13000    0     0        0      0         c0000040  RW- IDATA

=== TLS ===

RAW_START  RAW_END  INDEX   CALLBKS  ZEROFILL  FLAGS
40f000     40f008   40b084  410010   0         0

=== RESOURCES ===

FILE_OFFSET  CP    LANG   SIZE  TYPE     NAME
0x12058      1252  0x409  920   VERSION  #1

=== IMPORTS ===

MODULE_NAME   HINT  ORD  FUNCTION_NAME
KERNEL32.dll  80         DeleteCriticalSection
KERNEL32.dll  244        LeaveCriticalSection
KERNEL32.dll  97         EnterCriticalSection
KERNEL32.dll  219        InitializeCriticalSection
KERNEL32.dll  373        VirtualFree
KERNEL32.dll  370        VirtualAlloc
KERNEL32.dll  24f        LocalFree
KERNEL32.dll  24b        LocalAlloc
KERNEL32.dll  1de        GetVersion
KERNEL32.dll  13f        GetCurrentThreadId
KERNEL32.dll  1d0        GetThreadLocale
KERNEL32.dll  1af        GetStartupInfoA
KERNEL32.dll  16c        GetLocaleInfoA
KERNEL32.dll  10a        GetCommandLineA
KERNEL32.dll  f1         FreeLibrary
KERNEL32.dll  b7         ExitProcess
KERNEL32.dll  6d         CreateThread
KERNEL32.dll  391        WriteFile
KERNEL32.dll  35d        UnhandledExceptionFilter
KERNEL32.dll  2c8        RtlUnwind
KERNEL32.dll  29a        RaiseException
KERNEL32.dll  1b1        GetStdHandle
USER32.dll    128        GetKeyboardType
USER32.dll    1dd        MessageBoxA
ADVAPI32.dll  1f0        RegQueryValueExA
ADVAPI32.dll  1e6        RegOpenKeyExA
ADVAPI32.dll  1cc        RegCloseKey
KERNEL32.dll  354        TlsSetValue
KERNEL32.dll  353        TlsGetValue
KERNEL32.dll  24b        LocalAlloc
KERNEL32.dll  177        GetModuleHandleA
ADVAPI32.dll  1f0        RegQueryValueExA
ADVAPI32.dll  1e6        RegOpenKeyExA
ADVAPI32.dll  1cc        RegCloseKey
ADVAPI32.dll  1ac        OpenProcessToken
ADVAPI32.dll  14f        LookupPrivilegeValueA
ADVAPI32.dll  135        InitiateSystemShutdownA
ADVAPI32.dll  1e         AdjustTokenPrivileges
KERNEL32.dll  3b8        lstrlen
KERNEL32.dll  3b5        lstrcpyn
KERNEL32.dll  3b2        lstrcpy
KERNEL32.dll  3af        lstrcmpi
KERNEL32.dll  3ac        lstrcmp
KERNEL32.dll  3a9        lstrcat
KERNEL32.dll  39a        WriteProcessMemory
KERNEL32.dll  391        WriteFile
KERNEL32.dll  381        WaitForSingleObjectEx
KERNEL32.dll  380        WaitForSingleObject
KERNEL32.dll  374        VirtualFreeEx
KERNEL32.dll  371        VirtualAllocEx
KERNEL32.dll  34d        TerminateThread
KERNEL32.dll  345        SleepEx
KERNEL32.dll  344        Sleep
KERNEL32.dll  33f        SetWaitableTimer
KERNEL32.dll  30a        SetFilePointer
KERNEL32.dll  305        SetEvent
KERNEL32.dll  2a7        ReadFile
KERNEL32.dll  278        OpenProcess
KERNEL32.dll  255        LocalUnlock
KERNEL32.dll  254        LocalSize
KERNEL32.dll  252        LocalReAlloc
KERNEL32.dll  251        LocalLock
KERNEL32.dll  24f        LocalFree
KERNEL32.dll  24b        LocalAlloc
KERNEL32.dll  245        LoadLibraryA
KERNEL32.dll  1e9        GetWindowsDirectoryA
KERNEL32.dll  1d5        GetTickCount
KERNEL32.dll  1ca        GetTempFileNameA
KERNEL32.dll  1c1        GetSystemTimeAsFileTime
KERNEL32.dll  1ba        GetSystemDirectoryA
KERNEL32.dll  199        GetProcAddress
KERNEL32.dll  177        GetModuleHandleA
KERNEL32.dll  175        GetModuleFileNameA
KERNEL32.dll  169        GetLastError
KERNEL32.dll  15c        GetFileSize
KERNEL32.dll  154        GetExitCodeThread
KERNEL32.dll  13c        GetCurrentProcess
KERNEL32.dll  ec         FormatMessageA
KERNEL32.dll  c4         FileTimeToSystemTime
KERNEL32.dll  c3         FileTimeToLocalFileTime
KERNEL32.dll  b7         ExitProcess
KERNEL32.dll  92         DuplicateHandle
KERNEL32.dll  82         DeleteFileA
KERNEL32.dll  72         CreateWaitableTimerA
KERNEL32.dll  6d         CreateThread
KERNEL32.dll  68         CreateRemoteThread
KERNEL32.dll  50         CreateFileA
KERNEL32.dll  4c         CreateEventA
KERNEL32.dll  40         CopyFileA
KERNEL32.dll  32         CloseHandle
GDI32.dll     250        TextOutA
GDI32.dll     1be        GetTextMetricsA
GDI32.dll     d5         Escape
GDI32.dll     97         EndDoc
GDI32.dll     8d         DeleteDC
GDI32.dll     2f         CreateDCA
USER32.dll    61         CreateWindowExA
USER32.dll    2b4        UnregisterClassA
USER32.dll    2ab        TranslateMessage
USER32.dll    27b        SetTimer
USER32.dll    258        SetForegroundWindow
USER32.dll    257        SetFocus
USER32.dll    23c        SendMessageA
USER32.dll    217        RegisterClassA
USER32.dll    216        RedrawWindow
USER32.dll    200        PostMessageA
USER32.dll    1fe        PeekMessageA
USER32.dll    1bc        LoadIconA
USER32.dll    1b8        LoadCursorA
USER32.dll    178        GetWindowTextA
USER32.dll    16d        GetWindowDC
USER32.dll    15e        GetSystemMetrics
USER32.dll    13b        GetMessageA
USER32.dll    118        GetForegroundWindow
USER32.dll    10f        GetDesktopWindow
USER32.dll    100        GetClientRect
USER32.dll    e5         FindWindowExA
USER32.dll    e4         FindWindowA
USER32.dll    bd         DrawTextA
USER32.dll    a2         DispatchMessageA
USER32.dll    9a         DestroyWindow
USER32.dll    8f         DefWindowProcA
USER32.dll    35         CharUpperA
ADVAPI32.dll  243        StartServiceCtrlDispatcherA
ADVAPI32.dll  23d        SetServiceStatus
ADVAPI32.dll  205        RegisterServiceCtrlHandlerA
ADVAPI32.dll  1af        OpenServiceA
ADVAPI32.dll  1ad        OpenSCManagerA
ADVAPI32.dll  40         CloseServiceHandle
ADVAPI32.dll  38         ChangeServiceConfigA
WINSPOOL.DRV  ea         EnumPrintersA
USER32.dll    2d9        wsprintfA
USER32.dll    140        GetMonitorInfoA
USER32.dll    d3         EnumDisplayMonitors

=== VERSION INFO ===

# VS_FIXEDFILEINFO:
FileVersion      : 5.1.2600.2180
ProductVersion   : 5.1.2600.2180
StrucVersion     : 0x10000
FileFlagsMask    : 0x3f
FileFlags        : 0
FileOS           : 0x40004
FileType         : 2
FileSubtype      : 0

# StringTable 040904B0:
CompanyName      : "Microsoft Corporation"
FileDescription  : "LSA Shell (Export Version)"
FileVersion      : "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"
InternalName     : "lsass.exe"
LegalCopyright   : "\u00A9 Microsoft Corporation. All rights reserved."
OriginalFilename : "lsass.exe"
ProductName      : "Microsoft\u00AE Windows\u00AE Operating System"
ProductVersion   : "5.1.2600.2180"

VarFileInfo      : [ 0x409, 0x4b0 ]

=== Packer / Compiler ===

Borland Delphi 2006

=== Strings ===
File pos Mem pos ID Text ======== ======= == ==== 000000000050 000000400050 0 This program must be run under Win32 000000000270 000000400270 0 .idata 0000000002C0 0000004002C0 0 .rdata 0000000002E7 0000004002E7 0 P.reloc 00000000030F 00000040030F 0 P.rsrc 000000000337 000000400337 0 P.idata 000000001194 000000401194 0 SVWUQ 0000000013B5 0000004013B5 0 w;;t$ 0000000014C0 0000004014C0 0 SVWUQ 0000000023A5 0000004023A5 0 Uh-$@ 00000000274F 00000040274F 0 ~KxI[) 0000000028A8 0000004028A8 0 SOFTWARE\Borland\Delphi\RTL 0000000028C4 0000004028C4 0 FPUMaskValue 000000002911 000000402911 0 PPRTj 000000002A8B 000000402A8B 0 YZXtp 000000002C02 000000402C02 0 t=HtN 000000003324 000000403324 0 SVWRP 000000003504 000000403504 0 Uh#5@ 0000000035D2 0000004035D2 0 Uh*6@ 000000003E7C 000000403E7C 0 kernel32.dll 000000003E8C 000000403E8C 0 CreateToolhelp32Snapshot 000000003EA8 000000403EA8 0 Heap32ListFirst 000000003EB8 000000403EB8 0 Heap32ListNext 000000003EC8 000000403EC8 0 Heap32First 000000003ED4 000000403ED4 0 Heap32Next 000000003EE0 000000403EE0 0 Toolhelp32ReadProcessMemory 000000003EFC 000000403EFC 0 Process32First 000000003F0C 000000403F0C 0 Process32Next 000000003F1C 000000403F1C 0 Process32FirstW 000000003F2C 000000403F2C 0 Process32NextW 000000003F3C 000000403F3C 0 Thread32First 000000003F4C 000000403F4C 0 Thread32Next 000000003F5C 000000403F5C 0 Module32First 000000003F6C 000000403F6C 0 Module32Next 000000003F7C 000000403F7C 0 Module32FirstW 000000003F8C 000000403F8C 0 Module32NextW 000000004001 000000404001 0 Uh!@@ 000000004039 000000404039 0 UhY@@ 0000000040AC 0000004040AC 0 ProtectedStorage 0000000040C8 0000004040C8 0 TES TEDafwhicomm 0000000040DC 0000004040DC 0 C:\Program Files\Diebold\AMI\AMITRACE\AMITrace.txt 000000004110 000000404110 0 C:\windows\EpsStmApi.log\ 00000000423B 00000040423B 0 Ph E@ 000000004264 000000404264 0 D$xPj 0000000043A9 0000004043A9 0 D$LPSj 000000004439 000000404439 0 PhPE@ 00000000445C 00000040445C 0 D$lPj 000000004470 000000404470 0 jdj{S 
000000004504 000000404504 0 Ph,E@ 00000000452C 00000040452C 0 ATMDialog 000000004538 000000404538 0 hello 000000004540 000000404540 0 STATIC 0000000045EC 0000004045EC 0 Error 0000000046D5 0000004046D5 0 Uh_G@ 000000004778 000000404778 0 CreateFile 0000000048EB 0000004048EB 0 Uh[I@ 0000000048F6 0000004048F6 0 !RPhhI@ 000000004968 000000404968 0 %s Error code= %d 00000000499D 00000040499D 0 t"Jt" 0000000049AC 0000004049AC 0 Jt Jt File pos Mem pos ID Text ======== ======= == ==== 0000000049E9 0000004049E9 0 t -"% 000000004BB8 000000404BB8 0 DbdDevExecute(EPP4_ENCODE_DECODE) 000000004BDC 000000404BDC 0 DbdDevExecute(EPP4_ENABLE_KEYBOARD_READ) 000000004C08 000000404C08 0 EPP Complete LOCK 000000004C1C 000000404C1C 0 EPP Complete ENCODE_DECODE 000000004CFC 000000404CFC 0 DBDDevOpen 000000004D08 000000404D08 0 DbdDevRegisterCallback 000000004D20 000000404D20 0 DbdDevLock 000000004D2C 000000404D2C 0 DbdDevUnregisterCallback 000000004D48 000000404D48 0 DBDDevClose 000000004DC4 000000404DC4 0 DbdDevUnlock 000000004DD4 000000404DD4 0 bdDevUnregisterCallback 000000004DEC 000000404DEC 0 DBDDevClose 000000004ED4 000000404ED4 0 DbdDevAPI.dll 000000004EE4 000000404EE4 0 DbdDevOpen 000000004EF0 000000404EF0 0 DbdDevClose 000000004EFC 000000404EFC 0 DbdDevGetInfo 000000004F0C 000000404F0C 0 DbdDevRegisterCallback 000000004F24 000000404F24 0 DbdDevUnregisterCallback 000000004F40 000000404F40 0 DbdDevLock 000000004F4C 000000404F4C 0 DbdDevUnlock 000000004F5C 000000404F5C 0 DbdDevExecute 000000004FB1 000000404FB1 0 PhTM@ 000000005060 000000405060 0 AMI function don 000000005071 000000405071 0 t return in 1 sec 00000000528C 00000040528C 0 RECEIPT 000000005294 000000405294 0 WINSPOOL 0000000052A8 0000004052A8 0 CreateDC 0000000052B4 0000004052B4 0 hello 0000000052C4 0000004052C4 0 escape 0000000052D4 0000004052D4 0 TextOut 0000000052E4 0000004052E4 0 enddoc 0000000053E8 0000004053E8 0 OpenProcessToken 000000005404 000000405404 0 LookupPrivilegeValue 000000005424 000000405424 0 
AdjustTokenPrivileges 0000000055FC 0000004055FC 0 getProcessEntry 00000000560C 00000040560C 0 SeDebugPrivilege 000000005628 000000405628 0 OpenProcess 00000000563C 00000040563C 0 GetExitCodeThread 000000005658 000000405658 0 VirtualFreeEx 0000000058BB 0000004058BB 0 |$0hhV@ 000000005908 000000405908 0 kernel32.dll 000000005918 000000405918 0 GetModuleHandleA 00000000592C 00000040592C 0 GetProcAddress 00000000593C 00000040593C 0 OASYS.dll 000000005948 000000405948 0 OasPostMessage 000000005958 000000405958 0 mu.exe 000000005A20 000000405A20 0 kernel32.dll 000000005A30 000000405A30 0 GetModuleHandleA 000000005A44 000000405A44 0 GetProcAddress 000000005A54 000000405A54 0 DbdDevAPI.dll 000000005A64 000000405A64 0 DbdDevOpen 000000005A70 000000405A70 0 DbdDevClose 000000005A7C 000000405A7C 0 DbdDevUnlock 000000005A8C 000000405A8C 0 DbdDevUnregisterCallback 000000005BC7 000000405BC7 0 l$BhpW@ 000000005C04 000000405C04 0 kernel32.dll 000000005C14 000000405C14 0 GetModuleHandleA 000000005C28 000000405C28 0 GetProcAddress 000000005C38 000000405C38 0 DbdDevAPI.dll File pos Mem pos ID Text ======== ======= == ==== 000000005C48 000000405C48 0 DbdDevRegisterCallback 000000005C60 000000405C60 0 DbdDevLock 000000005C80 000000405C80 0 SVWUQ 000000005DF4 000000405DF4 0 LocalAlloc 000000005E08 000000405E08 0 LocalLock 00000000628D 00000040628D 0 t Find Key A 0000000062A9 0000004062A9 0 t Find Key B 0000000064B0 0000004064B0 0 UhAe@ 000000006683 000000406683 0 u7IBF 000000006712 000000406712 0 I(NBu 000000006A5E 000000406A5E 0 Ph4k@ 000000006A97 000000406A97 0 Ph<k@ 000000006B18 000000406B18 0 %.2d/%.2d/%.2d %.2d:%.2d 000000006C87 000000406C87 0 tdHuaj 000000006D00 000000406D00 0 DbdDevExecute(RECEIPT_PRINTER_START_GDI) 000000006D30 000000406D30 0 t LOCK EPP 000000006D3C 000000406D3C 0 RECEIPT_PRINTER_START_GDI 000000006D58 000000406D58 0 DbdDevExecute(RECEIPT_PRINTER_EJECT) 000000006ECC 000000406ECC 0 DbdDevExecute(AFD_DISPENCE) 000000006EE8 000000406EE8 0 CDM Complete LOCK 
000000006EFC 000000406EFC 0 DbdDevExecute(AFD_PRESENT) 000000006F18 000000406F18 0 DbdDevExecute(AFD_RESTORE) 000000006FEC 000000406FEC 0 mu.exe 000000006FF4 000000406FF4 0 SeDebugPrivilege 000000007008 000000407008 0 SpiService.exe 0000000070ED 0000004070ED 0 T$ RSPP 000000007140 000000407140 0 kernel32.dll 000000007150 000000407150 0 WaitForSingleObject 000000007164 000000407164 0 CloseHandle 000000007170 000000407170 0 ExitProcess 00000000717C 00000040717C 0 DeleteFileA 000000007188 000000407188 0 mu.exe 000000007198 000000407198 0 getProcessEntry 0000000071B0 0000004071B0 0 OpenProcess 000000007274 000000407274 0 \lsass.exe 000000007288 000000407288 0 OpenSCManager 000000007298 000000407298 0 ProtectedStorage 0000000072AC 0000004072AC 0 Protected Storage 0000000072C0 0000004072C0 0 RemoteValidation 0000000072DC 0000004072DC 0 ChangeServiceConfig 0000000072F0 0000004072F0 0 SVWUQ 000000007400 000000407400 0 DZX|@3 000000007438 000000407438 0 <0u AG 000000007480 000000407480 0 SeShutdownPrivilege 0000000074A0 0000004074A0 0 InitiateSystemShutdown 0000000075C8 0000004075C8 0 mu.exe 0000000075D0 0000004075D0 0 SeDebugPrivilege 0000000075E4 0000004075E4 0 SpiService.exe 0000000076F4 0000004076F4 0 TimeOut EPP4_DISABLE_KEYBOARD_READ complete 000000007720 000000407720 0 DbdDevExecute(EPP4_DISABLE_KEYBOARD_READ) 0000000078A4 0000004078A4 0 %.2X%.2X 0000000078B0 0000004078B0 0 Request Code: %.6d 0000000078C3 0000004078C3 0 Enter Responce 0000000078D4 0000004078D4 0 Autorization 0000000078E4 0000004078E4 0 1..4 - dispense cassete 0000000078FC 0000004078FC 0 9 - Uninstall 00000000790A 00000040790A 0 0 - Exit 000000007914 000000407914 0 Enter Command 000000007B20 000000407B20 0 Diebold:OGuiFrame 000000007B34 000000407B34 0 Enter Password File pos Mem pos ID Text ======== ======= == ==== 000000007B48 000000407B48 0 STATIC 000000007B58 000000407B58 0 Supply Manager 000000007B68 000000407B68 0 Pripnt 000000007B70 000000407B70 0 View All Counts 000000008184 000000408184 0 
DBDDEV_LOCK(CRW) 000000008198 000000408198 0 DbdDevExecute(MCRW_ACCEPT_INSERTION) 0000000081C0 0000004081C0 0 MCRW_ACCEPT_INSERTION 0000000081D8 0000004081D8 0 DbdDevExecute(MCRW_POWERON) 00000000829D 00000040829D 0 ;C&v= 000000008E75 000000408E75 0 t find KEY C 000000008F00 000000408F00 0 Hello 000000008F30 000000408F30 0 01234567789 0000000091C4 0000004091C4 0 DbdDevExecute(MCRW_POWERON) 0000000093C8 0000004093C8 0 SOFTWARE\Diebold\Agilis 91x Core 0000000093EC 0000004093EC 0 SOFTWARE\Diebold\Agilis 91x 000000009408 000000409408 0 Product Version 00000000941C 00000040941C 0 version 000000009430 000000409430 0 RegQueryValue 000000009450 000000409450 0 Agilis %s 000000009461 000000409461 0 Agent %s 000000009471 000000409471 0 Transactions %d 000000009482 000000409482 0 Cards %d 000000009496 000000409496 0 KEYs %d 0000000095EC 0000004095EC 0 Enter command: 0000000095FC 0000004095FC 0 Agent 00000000967F 00000040967F 0 <3=t FJu 000000009B83 000000409B83 0 aE;l$ 000000009BEF 000000409BEF 0 $E;l$ 000000009F84 000000409F84 0 PSTATPL 000000009F8C 000000409F8C 0 IAMJZPL 000000009FAC 000000409FAC 0 BALANCE: 00000000A008 00000040A008 0 SetWaitableTimer 00000000A0AD 00000040A0AD 0 8TCS,t 00000000A0B8 00000040A0B8 0 8HST,u0 00000000A45C 00000040A45C 0 kernel32.dll 00000000A46C 00000040A46C 0 GetModuleHandleA 00000000A480 00000040A480 0 GetProcAddress 00000000A490 00000040A490 0 LoadLibraryA 00000000A4A0 00000040A4A0 0 Sleep 00000000A4A8 00000040A4A8 0 VirtualProtect 00000000A4B8 00000040A4B8 0 DbdDevAPI.dll 00000000A4C9 00000040A4C9 0 DbdDevRegisterCallback 00000000A4E1 00000040A4E1 0 DbdDevLock 00000000A640 00000040A640 0 \trl2 00000000A650 00000040A650 0 mu.exe 00000000A658 00000040A658 0 sharedq.dll 00000000A66C 00000040A66C 0 LoadLibrary(sharedq.dll) 00000000A688 00000040A688 0 SQReceiveFromServer 00000000A6A4 00000040A6A4 0 GetProcAddress(SQReceiveFromServer) 00000000A730 00000040A730 0 ProtectedStorage 00000000A7C5 00000040A7C5 0 33333 00000000A7E7 00000040A7E7 0 UUUU3 
00000000A939 00000040A939 0 VWUSQ 00000000A981 00000040A981 0 33333 00000000A9A3 00000040A9A3 0 UUUU3 00000000AA57 00000040AA57 0 UUUU3 00000000AAB5 00000040AAB5 0 VWUSQ 00000000AB6C 00000040AB6C 0 UUUU3 00000000AC9C 00000040AC9C 0 StartServiceCtrlDispatcher 00000000B04C 00000040B04C 0 Error File pos Mem pos ID Text ======== ======= == ==== 00000000B054 00000040B054 0 Runtime error at 00000000 00000000B074 00000040B074 0 0123456789ABCDEF 00000000B0A0 00000040B0A0 0 1AY&SX 00000000B0E4 00000040B0E4 0 mu.exe 00000000B0F8 00000040B0F8 0 SpiService.exe 00000000B250 00000040B250 0 <4,$?7/' 00000000B296 00000040B296 0 !"#$%&'()*+,-./012345678 00000000B2E1 00000040B2E1 0 (3-!0 00000000B2E8 00000040B2E8 0 ,1'8"5 00000000E334 00000040E334 0 kernel32.dll 00000000E344 00000040E344 0 DeleteCriticalSection 00000000E35C 00000040E35C 0 LeaveCriticalSection 00000000E374 00000040E374 0 EnterCriticalSection 00000000E38C 00000040E38C 0 InitializeCriticalSection 00000000E3A8 00000040E3A8 0 VirtualFree 00000000E3B6 00000040E3B6 0 VirtualAlloc 00000000E3C6 00000040E3C6 0 LocalFree 00000000E3D2 00000040E3D2 0 LocalAlloc 00000000E3E0 00000040E3E0 0 GetVersion 00000000E3EE 00000040E3EE 0 GetCurrentThreadId 00000000E404 00000040E404 0 GetThreadLocale 00000000E416 00000040E416 0 GetStartupInfoA 00000000E428 00000040E428 0 GetLocaleInfoA 00000000E43A 00000040E43A 0 GetCommandLineA 00000000E44C 00000040E44C 0 FreeLibrary 00000000E45A 00000040E45A 0 ExitProcess 00000000E468 00000040E468 0 CreateThread 00000000E478 00000040E478 0 WriteFile 00000000E484 00000040E484 0 UnhandledExceptionFilter 00000000E4A0 00000040E4A0 0 RtlUnwind 00000000E4AC 00000040E4AC 0 RaiseException 00000000E4BE 00000040E4BE 0 GetStdHandle 00000000E4CC 00000040E4CC 0 user32.dll 00000000E4DA 00000040E4DA 0 GetKeyboardType 00000000E4EC 00000040E4EC 0 MessageBoxA 00000000E4F8 00000040E4F8 0 advapi32.dll 00000000E508 00000040E508 0 RegQueryValueExA 00000000E51C 00000040E51C 0 RegOpenKeyExA 00000000E52C 00000040E52C 0 
RegCloseKey 00000000E538 00000040E538 0 kernel32.dll 00000000E548 00000040E548 0 TlsSetValue 00000000E556 00000040E556 0 TlsGetValue 00000000E564 00000040E564 0 LocalAlloc 00000000E572 00000040E572 0 GetModuleHandleA 00000000E584 00000040E584 0 advapi32.dll 00000000E594 00000040E594 0 RegQueryValueExA 00000000E5A8 00000040E5A8 0 RegOpenKeyExA 00000000E5B8 00000040E5B8 0 RegCloseKey 00000000E5C6 00000040E5C6 0 OpenProcessToken 00000000E5DA 00000040E5DA 0 LookupPrivilegeValueA 00000000E5F2 00000040E5F2 0 InitiateSystemShutdownA 00000000E60C 00000040E60C 0 AdjustTokenPrivileges 00000000E622 00000040E622 0 kernel32.dll 00000000E632 00000040E632 0 lstrlenA 00000000E63E 00000040E63E 0 lstrcpynA 00000000E64A 00000040E64A 0 lstrcpyA 00000000E656 00000040E656 0 lstrcmpiA 00000000E662 00000040E662 0 lstrcmpA 00000000E66E 00000040E66E 0 lstrcatA 00000000E67A 00000040E67A 0 WriteProcessMemory File pos Mem pos ID Text ======== ======= == ==== 00000000E690 00000040E690 0 WriteFile 00000000E69C 00000040E69C 0 WaitForSingleObjectEx 00000000E6B4 00000040E6B4 0 WaitForSingleObject 00000000E6CA 00000040E6CA 0 VirtualFreeEx 00000000E6DA 00000040E6DA 0 VirtualAllocEx 00000000E6EC 00000040E6EC 0 TerminateThread 00000000E6FE 00000040E6FE 0 SleepEx 00000000E708 00000040E708 0 Sleep 00000000E710 00000040E710 0 SetWaitableTimer 00000000E724 00000040E724 0 SetFilePointer 00000000E736 00000040E736 0 SetEvent 00000000E742 00000040E742 0 ReadFile 00000000E74E 00000040E74E 0 OpenProcess 00000000E75C 00000040E75C 0 LocalUnlock 00000000E76A 00000040E76A 0 LocalSize 00000000E776 00000040E776 0 LocalReAlloc 00000000E786 00000040E786 0 LocalLock 00000000E792 00000040E792 0 LocalFree 00000000E79E 00000040E79E 0 LocalAlloc 00000000E7AC 00000040E7AC 0 LoadLibraryA 00000000E7BC 00000040E7BC 0 GetWindowsDirectoryA 00000000E7D4 00000040E7D4 0 GetTickCount 00000000E7E4 00000040E7E4 0 GetTempFileNameA 00000000E7F8 00000040E7F8 0 GetSystemTimeAsFileTime 00000000E812 00000040E812 0 GetSystemDirectoryA 
00000000E828 00000040E828 0 GetProcAddress 00000000E83A 00000040E83A 0 GetModuleHandleA 00000000E84E 00000040E84E 0 GetModuleFileNameA 00000000E864 00000040E864 0 GetLastError 00000000E874 00000040E874 0 GetFileSize 00000000E882 00000040E882 0 GetExitCodeThread 00000000E896 00000040E896 0 GetCurrentProcess 00000000E8AA 00000040E8AA 0 FormatMessageA 00000000E8BC 00000040E8BC 0 FileTimeToSystemTime 00000000E8D4 00000040E8D4 0 FileTimeToLocalFileTime 00000000E8EE 00000040E8EE 0 ExitProcess 00000000E8FC 00000040E8FC 0 DuplicateHandle 00000000E90E 00000040E90E 0 DeleteFileA 00000000E91C 00000040E91C 0 CreateWaitableTimerA 00000000E934 00000040E934 0 CreateThread 00000000E944 00000040E944 0 CreateRemoteThread 00000000E95A 00000040E95A 0 CreateFileA 00000000E968 00000040E968 0 CreateEventA 00000000E978 00000040E978 0 CopyFileA 00000000E984 00000040E984 0 CloseHandle 00000000E990 00000040E990 0 gdi32.dll 00000000E99C 00000040E99C 0 TextOutA 00000000E9A8 00000040E9A8 0 GetTextMetricsA 00000000E9BA 00000040E9BA 0 Escape 00000000E9C4 00000040E9C4 0 EndDoc 00000000E9CE 00000040E9CE 0 DeleteDC 00000000E9DA 00000040E9DA 0 CreateDCA 00000000E9E4 00000040E9E4 0 user32.dll 00000000E9F2 00000040E9F2 0 CreateWindowExA 00000000EA04 00000040EA04 0 UnregisterClassA 00000000EA18 00000040EA18 0 TranslateMessage 00000000EA2C 00000040EA2C 0 SetTimer 00000000EA38 00000040EA38 0 SetForegroundWindow 00000000EA4E 00000040EA4E 0 SetFocus 00000000EA5A 00000040EA5A 0 SendMessageA File pos Mem pos ID Text ======== ======= == ==== 00000000EA6A 00000040EA6A 0 RegisterClassA 00000000EA7C 00000040EA7C 0 RedrawWindow 00000000EA8C 00000040EA8C 0 PostMessageA 00000000EA9C 00000040EA9C 0 PeekMessageA 00000000EAAC 00000040EAAC 0 LoadIconA 00000000EAB8 00000040EAB8 0 LoadCursorA 00000000EAC6 00000040EAC6 0 GetWindowTextA 00000000EAD8 00000040EAD8 0 GetWindowDC 00000000EAE6 00000040EAE6 0 GetSystemMetrics 00000000EAFA 00000040EAFA 0 GetMessageA 00000000EB08 00000040EB08 0 GetForegroundWindow 00000000EB1E 
00000040EB1E 0 GetDesktopWindow 00000000EB32 00000040EB32 0 GetClientRect 00000000EB42 00000040EB42 0 FindWindowExA 00000000EB52 00000040EB52 0 FindWindowA 00000000EB60 00000040EB60 0 DrawTextA 00000000EB6C 00000040EB6C 0 DispatchMessageA 00000000EB80 00000040EB80 0 DestroyWindow 00000000EB90 00000040EB90 0 DefWindowProcA 00000000EBA2 00000040EBA2 0 CharUpperA 00000000EBAE 00000040EBAE 0 advapi32.dll 00000000EBBE 00000040EBBE 0 StartServiceCtrlDispatcherA 00000000EBDC 00000040EBDC 0 SetServiceStatus 00000000EBF0 00000040EBF0 0 RegisterServiceCtrlHandlerA 00000000EC0E 00000040EC0E 0 OpenServiceA 00000000EC1E 00000040EC1E 0 OpenSCManagerA 00000000EC30 00000040EC30 0 CloseServiceHandle 00000000EC46 00000040EC46 0 ChangeServiceConfigA 00000000EC5C 00000040EC5C 0 winspool.drv 00000000EC6C 00000040EC6C 0 EnumPrintersA 00000000EC7A 00000040EC7A 0 user32.dll 00000000EC88 00000040EC88 0 wsprintfA 00000000EC94 00000040EC94 0 GetMonitorInfoA 00000000ECA6 00000040ECA6 0 EnumDisplayMonitors 00000001100F 00000041100F 0 0"0*020:0B0J0R0Z0b0j0r0z0 000000011055 000000411055 0 4%515L5 00000001105D 00000041105D 0 5.7j7 00000001107D 00000041107D 0 8$8,8>8J8Y8e8m8x8~8 0000000110A9 0000004110A9 0 9'929S9k9 0000000110BB 0000004110BB 0 :O:o: 0000000110CD 0000004110CD 0 <(<3<<<C<R<Y<{< 0000000110EF 0000004110EF 0 >Z>c>y> 0000000110FF 0000004110FF 0 ?*?T?]?m?u?{? 00000001112B 00000041112B 0 0 080D0L0c0r0 000000011145 000000411145 0 0$1H1f1v1|1 00000001115D 00000041115D 0 2m2t2 00000001117F 00000041117F 0 4#4G4g4 00000001119D 00000041119D 0 8)8?8]8s8 0000000111B1 0000004111B1 0 9 989F9z9 0000000111C5 0000004111C5 0 :0:9:k:t: 0000000111E1 0000004111E1 0 <,=4=?=k= 0000000111F1 0000004111F1 0 =&>*>0>4>9>@>F>N>Y>h>p> 000000011219 000000411219 0 ?#?>?S?]?b? 
000000011238 000000411238 0 &0/0U0b0x0 00000001124B 00000041124B 0 5F5M5_5}5 00000001125D 00000041125D 0 6?6K6R6\6f6}6 000000011285 000000411285 0 7*7?7P7Z7b7j7r7z7 0000000112A3 0000004112A3 0 8*868;8@8G8N8X8o8{8 0000000112D3 0000004112D3 0 9"9*929:9B9J9R9Z9b9j9r9z9 000000011313 000000411313 0 :":*:2:::B:J:R:Z:b:j:r:z: File pos Mem pos ID Text ======== ======= == ==== 000000011353 000000411353 0 ;";*;2;:;B;J;R;Z;b;j;r;z; 000000011397 000000411397 0 ="=0=E=R=W=d=i=v={= 0000000113CD 0000004113CD 0 >*>/><>A>N>S> 0000000113F1 0000004113F1 0 0.0;0G0T0f0n0{0 000000011405 000000411405 0 0.161>1F1N1 00000001144D 00000041144D 0 686=6P6{6 000000011467 000000411467 0 8K90:C:Y: 000000011477 000000411477 0 ;+;4;G;q; 000000011485 000000411485 0 ;[<f<z< 0000000114AD 0000004114AD 0 >">'>2>7><>G>L>Q>\>a>f>q>v>{> 000000011501 000000411501 0 2$2:2Y2h3 000000011525 000000411525 0 8'8.8C8H8X8o8{8 00000001153D 00000041153D 0 8k9w9 00000001155F 00000041155F 0 ;6;?;l;x; 000000011579 000000411579 0 =(=.=6=E=P=V= 0000000115BF 0000004115BF 0 90:>:a:o: 0000000115DB 0000004115DB 0 <*<1<7<=< 0000000115F1 0000004115F1 0 >#>R> 0000000115FD 0000004115FD 0 >>?N?_?p?{? 000000011620 000000411620 0 D0P0_0n0}0 00000001163D 00000041163D 0 2'242N2 00000001164B 00000041164B 0 3&30353 000000011659 000000411659 0 4G4U4v4 000000011669 000000411669 0 595I5Z5k5 00000001167B 00000041167B 0 6;6@6i6w6 000000011693 000000411693 0 8?8D8 0000000116AD 0000004116AD 0 <$<A<O< 0000000116D3 0000004116D3 0 ="=7=>=K=[=p= 0000000116F5 0000004116F5 0 >!?.?~? 
00000001170F 00000041170F 0 0%0?0 00000001171B 00000041171B 0 1!1'1L1j1q1 000000011755 000000411755 0 0%1.141;1U1\1e1q1 000000011769 000000411769 0 1$2@2[2 000000011777 000000411777 0 2-3X3j3 000000011795 000000411795 0 4@5H5|5 0000000117BD 0000004117BD 0 8$8#9 0000000117E5 0000004117E5 0 ;#;';+;/;3;7;;;?;S<h<}< 000000011801 000000411801 0 =-=D= 000000011844 000000411844 0 $050:0?0T0 00000001184F 00000041184F 0 1$1B1J1Y1/343{3 000000011875 000000411875 0 5)53585G5Q5V5e5y5~5 0000000118AF 0000004118AF 0 8+8<8D8\8k8u8~8 0000000118E1 0000004118E1 0 : :(:0:;: 0000000118F7 0000004118F7 0 ;0;6;<;B;H;S; 000000011917 000000411917 0 < <$<(<,<0<4<8<<<@<D<L<W<b<f<k< 000000011940 000000411940 0 $0(0,0 0000000123F0 0000004123F0 0 PADDINGXXPADDING 0000000130F0 0000004124F0 0 KERNEL32.dll 000000013100 000000412500 0 DeleteCriticalSection 000000013118 000000412518 0 LeaveCriticalSection 000000013130 000000412530 0 EnterCriticalSection 000000013148 000000412548 0 InitializeCriticalSection 000000013164 000000412564 0 VirtualFree 000000013172 000000412572 0 VirtualAlloc 000000013182 000000412582 0 LocalFree 00000001318E 00000041258E 0 LocalAlloc 00000001319C 00000041259C 0 GetVersion 0000000131AA 0000004125AA 0 GetCurrentThreadId 0000000131C0 0000004125C0 0 GetThreadLocale 0000000131D2 0000004125D2 0 GetStartupInfoA File pos Mem pos ID Text ======== ======= == ==== 0000000131E4 0000004125E4 0 GetLocaleInfoA 0000000131F6 0000004125F6 0 GetCommandLineA 000000013208 000000412608 0 FreeLibrary 000000013216 000000412616 0 ExitProcess 000000013224 000000412624 0 CreateThread 000000013234 000000412634 0 WriteFile 000000013240 000000412640 0 UnhandledExceptionFilter 00000001325C 00000041265C 0 RtlUnwind 000000013268 000000412668 0 RaiseException 00000001327A 00000041267A 0 GetStdHandle 000000013288 000000412688 0 USER32.dll 000000013296 000000412696 0 GetKeyboardType 0000000132A8 0000004126A8 0 MessageBoxA 0000000132B4 0000004126B4 0 ADVAPI32.dll 0000000132C4 0000004126C4 0 RegQueryValueExA 
0000000132D8 0000004126D8 0 RegOpenKeyExA 0000000132E8 0000004126E8 0 RegCloseKey 0000000132F4 0000004126F4 0 KERNEL32.dll 000000013304 000000412704 0 TlsSetValue 000000013312 000000412712 0 TlsGetValue 000000013320 000000412720 0 LocalAlloc 00000001332E 00000041272E 0 GetModuleHandleA 000000013340 000000412740 0 ADVAPI32.dll 000000013350 000000412750 0 RegQueryValueExA 000000013364 000000412764 0 RegOpenKeyExA 000000013374 000000412774 0 RegCloseKey 000000013382 000000412782 0 OpenProcessToken 000000013396 000000412796 0 LookupPrivilegeValueA 0000000133AE 0000004127AE 0 InitiateSystemShutdownA 0000000133C8 0000004127C8 0 AdjustTokenPrivileges 0000000133DE 0000004127DE 0 KERNEL32.dll 0000000133EE 0000004127EE 0 lstrlen 0000000133F8 0000004127F8 0 lstrcpyn 000000013404 000000412804 0 lstrcpy 00000001340E 00000041280E 0 lstrcmpi 00000001341A 00000041281A 0 lstrcmp 000000013424 000000412824 0 lstrcat 00000001342E 00000041282E 0 WriteProcessMemory 000000013444 000000412844 0 WriteFile 000000013450 000000412850 0 WaitForSingleObjectEx 000000013468 000000412868 0 WaitForSingleObject 00000001347E 00000041287E 0 VirtualFreeEx 00000001348E 00000041288E 0 VirtualAllocEx 0000000134A0 0000004128A0 0 TerminateThread 0000000134B2 0000004128B2 0 SleepEx 0000000134BC 0000004128BC 0 Sleep 0000000134C4 0000004128C4 0 SetWaitableTimer 0000000134D8 0000004128D8 0 SetFilePointer 0000000134EA 0000004128EA 0 SetEvent 0000000134F6 0000004128F6 0 ReadFile 000000013502 000000412902 0 OpenProcess 000000013510 000000412910 0 LocalUnlock 00000001351E 00000041291E 0 LocalSize 00000001352A 00000041292A 0 LocalReAlloc 00000001353A 00000041293A 0 LocalLock 000000013546 000000412946 0 LocalFree 000000013552 000000412952 0 LocalAlloc 000000013560 000000412960 0 LoadLibraryA 000000013570 000000412970 0 GetWindowsDirectoryA 000000013588 000000412988 0 GetTickCount File pos Mem pos ID Text ======== ======= == ==== 000000013598 000000412998 0 GetTempFileNameA 0000000135AC 0000004129AC 0 
GetSystemTimeAsFileTime 0000000135C6 0000004129C6 0 GetSystemDirectoryA 0000000135DC 0000004129DC 0 GetProcAddress 0000000135EE 0000004129EE 0 GetModuleHandleA 000000013602 000000412A02 0 GetModuleFileNameA 000000013618 000000412A18 0 GetLastError 000000013628 000000412A28 0 GetFileSize 000000013636 000000412A36 0 GetExitCodeThread 00000001364A 000000412A4A 0 GetCurrentProcess 00000001365E 000000412A5E 0 FormatMessageA 000000013670 000000412A70 0 FileTimeToSystemTime 000000013688 000000412A88 0 FileTimeToLocalFileTime 0000000136A2 000000412AA2 0 ExitProcess 0000000136B0 000000412AB0 0 DuplicateHandle 0000000136C2 000000412AC2 0 DeleteFileA 0000000136D0 000000412AD0 0 CreateWaitableTimerA 0000000136E8 000000412AE8 0 CreateThread 0000000136F8 000000412AF8 0 CreateRemoteThread 00000001370E 000000412B0E 0 CreateFileA 00000001371C 000000412B1C 0 CreateEventA 00000001372C 000000412B2C 0 CopyFileA 000000013738 000000412B38 0 CloseHandle 000000013744 000000412B44 0 GDI32.dll 000000013750 000000412B50 0 TextOutA 00000001375C 000000412B5C 0 GetTextMetricsA 00000001376E 000000412B6E 0 Escape 000000013778 000000412B78 0 EndDoc 000000013782 000000412B82 0 DeleteDC 00000001378E 000000412B8E 0 CreateDCA 000000013798 000000412B98 0 USER32.dll 0000000137A6 000000412BA6 0 CreateWindowExA 0000000137B8 000000412BB8 0 UnregisterClassA 0000000137CC 000000412BCC 0 TranslateMessage 0000000137E0 000000412BE0 0 SetTimer 0000000137EC 000000412BEC 0 SetForegroundWindow 000000013802 000000412C02 0 SetFocus 00000001380E 000000412C0E 0 SendMessageA 00000001381E 000000412C1E 0 RegisterClassA 000000013830 000000412C30 0 RedrawWindow 000000013840 000000412C40 0 PostMessageA 000000013850 000000412C50 0 PeekMessageA 000000013860 000000412C60 0 LoadIconA 00000001386C 000000412C6C 0 LoadCursorA 00000001387A 000000412C7A 0 GetWindowTextA 00000001388C 000000412C8C 0 GetWindowDC 00000001389A 000000412C9A 0 GetSystemMetrics 0000000138AE 000000412CAE 0 GetMessageA 0000000138BC 000000412CBC 0 
GetForegroundWindow 0000000138D2 000000412CD2 0 GetDesktopWindow 0000000138E6 000000412CE6 0 GetClientRect 0000000138F6 000000412CF6 0 FindWindowExA 000000013906 000000412D06 0 FindWindowA 000000013914 000000412D14 0 DrawTextA 000000013920 000000412D20 0 DispatchMessageA 000000013934 000000412D34 0 DestroyWindow 000000013944 000000412D44 0 DefWindowProcA 000000013956 000000412D56 0 CharUpperA 000000013962 000000412D62 0 ADVAPI32.dll 000000013972 000000412D72 0 StartServiceCtrlDispatcherA File pos Mem pos ID Text ======== ======= == ==== 000000013990 000000412D90 0 SetServiceStatus 0000000139A4 000000412DA4 0 RegisterServiceCtrlHandlerA 0000000139C2 000000412DC2 0 OpenServiceA 0000000139D2 000000412DD2 0 OpenSCManagerA 0000000139E4 000000412DE4 0 CloseServiceHandle 0000000139FA 000000412DFA 0 ChangeServiceConfigA 000000013A10 000000412E10 0 WINSPOOL.DRV 000000013A20 000000412E20 0 EnumPrintersA 000000013A2E 000000412E2E 0 USER32.dll 000000013A3C 000000412E3C 0 wsprintfA 000000013A48 000000412E48 0 GetMonitorInfoA 000000013A5A 000000412E5A 0 EnumDisplayMonitors 00000001205E 00000041205E 0 VS_VERSION_INFO 0000000120BA 0000004120BA 0 StringFileInfo 0000000120DE 0000004120DE 0 040904B0 0000000120F6 0000004120F6 0 CompanyName 000000012110 000000412110 0 Microsoft Corporation 000000012142 000000412142 0 FileDescription 000000012164 000000412164 0 LSA Shell (Export Version) 0000000121A2 0000004121A2 0 FileVersion 0000000121BC 0000004121BC 0 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) 000000012216 000000412216 0 InternalName 000000012230 000000412230 0 lsass.exe 00000001224A 00000041224A 0 LegalCopyright 00000001226A 00000041226A 0 Microsoft Corporation. All rights reserved. 
0000000122CA 0000004122CA 0 OriginalFilename 0000000122EC 0000004122EC 0 lsass.exe 000000012306 000000412306 0 ProductName 000000012346 000000412346 0 Operating System 000000012372 000000412372 0 ProductVersion 000000012390 000000412390 0 5.1.2600.2180 0000000123B2 0000004123B2 0 VarFileInfo 0000000123D2 0000004123D2 0 Translation 000000000050 000000400050 0 This program must be run under Win32 000000000270 000000400270 0 .idata 0000000002C0 0000004002C0 0 .rdata 0000000002E7 0000004002E7 0 P.reloc 00000000030F 00000040030F 0 P.rsrc 000000000337 000000400337 0 P.idata 000000001194 000000401194 0 SVWUQ 0000000013B5 0000004013B5 0 w;;t$ 0000000014C0 0000004014C0 0 SVWUQ 0000000023A5 0000004023A5 0 Uh-$@ 00000000274F 00000040274F 0 ~KxI[) 0000000028A8 0000004028A8 0 SOFTWARE\Borland\Delphi\RTL 0000000028C4 0000004028C4 0 FPUMaskValue 000000002911 000000402911 0 PPRTj 000000002A8B 000000402A8B 0 YZXtp 000000002C02 000000402C02 0 t=HtN 000000003324 000000403324 0 SVWRP 000000003504 000000403504 0 Uh#5@ 0000000035D2 0000004035D2 0 Uh*6@ 000000003E7C 000000403E7C 0 kernel32.dll 000000003E8C 000000403E8C 0 CreateToolhelp32Snapshot 000000003EA8 000000403EA8 0 Heap32ListFirst 000000003EB8 000000403EB8 0 Heap32ListNext 000000003EC8 000000403EC8 0 Heap32First 000000003ED4 000000403ED4 0 Heap32Next 000000003EE0 000000403EE0 0 Toolhelp32ReadProcessMemory 000000003EFC 000000403EFC 0 Process32First File pos Mem pos ID Text ======== ======= == ==== 000000003F0C 000000403F0C 0 Process32Next 000000003F1C 000000403F1C 0 Process32FirstW 000000003F2C 000000403F2C 0 Process32NextW 000000003F3C 000000403F3C 0 Thread32First 000000003F4C 000000403F4C 0 Thread32Next 000000003F5C 000000403F5C 0 Module32First 000000003F6C 000000403F6C 0 Module32Next 000000003F7C 000000403F7C 0 Module32FirstW 000000003F8C 000000403F8C 0 Module32NextW 000000004001 000000404001 0 Uh!@@ 000000004039 000000404039 0 UhY@@ 0000000040AC 0000004040AC 0 ProtectedStorage 0000000040C8 0000004040C8 0 TES TEDafwhicomm 
0000000040DC 0000004040DC 0 C:\Program Files\Diebold\AMI\AMITRACE\AMITrace.txt 000000004110 000000404110 0 C:\windows\EpsStmApi.log\ 00000000423B 00000040423B 0 Ph E@ 000000004264 000000404264 0 D$xPj 0000000043A9 0000004043A9 0 D$LPSj 000000004439 000000404439 0 PhPE@ 00000000445C 00000040445C 0 D$lPj 000000004470 000000404470 0 jdj{S 000000004504 000000404504 0 Ph,E@ 00000000452C 00000040452C 0 ATMDialog 000000004538 000000404538 0 hello 000000004540 000000404540 0 STATIC 0000000045EC 0000004045EC 0 Error 0000000046D5 0000004046D5 0 Uh_G@ 000000004778 000000404778 0 CreateFile 0000000048EB 0000004048EB 0 Uh[I@ 0000000048F6 0000004048F6 0 !RPhhI@ 000000004968 000000404968 0 %s Error code= %d 00000000499D 00000040499D 0 t"Jt" 0000000049AC 0000004049AC 0 Jt Jt 0000000049E9 0000004049E9 0 t -"% 000000004BB8 000000404BB8 0 DbdDevExecute(EPP4_ENCODE_DECODE) 000000004BDC 000000404BDC 0 DbdDevExecute(EPP4_ENABLE_KEYBOARD_READ) 000000004C08 000000404C08 0 EPP Complete LOCK 000000004C1C 000000404C1C 0 EPP Complete ENCODE_DECODE 000000004CFC 000000404CFC 0 DBDDevOpen 000000004D08 000000404D08 0 DbdDevRegisterCallback 000000004D20 000000404D20 0 DbdDevLock 000000004D2C 000000404D2C 0 DbdDevUnregisterCallback 000000004D48 000000404D48 0 DBDDevClose 000000004DC4 000000404DC4 0 DbdDevUnlock 000000004DD4 000000404DD4 0 bdDevUnregisterCallback 000000004DEC 000000404DEC 0 DBDDevClose 000000004ED4 000000404ED4 0 DbdDevAPI.dll 000000004EE4 000000404EE4 0 DbdDevOpen 000000004EF0 000000404EF0 0 DbdDevClose 000000004EFC 000000404EFC 0 DbdDevGetInfo 000000004F0C 000000404F0C 0 DbdDevRegisterCallback 000000004F24 000000404F24 0 DbdDevUnregisterCallback 000000004F40 000000404F40 0 DbdDevLock 000000004F4C 000000404F4C 0 DbdDevUnlock 000000004F5C 000000404F5C 0 DbdDevExecute 000000004FB1 000000404FB1 0 PhTM@ 000000005060 000000405060 0 AMI function don 000000005071 000000405071 0 t return in 1 sec 00000000528C 00000040528C 0 RECEIPT 000000005294 000000405294 0 WINSPOOL File pos Mem pos ID 
Text ======== ======= == ==== 0000000052A8 0000004052A8 0 CreateDC 0000000052B4 0000004052B4 0 hello 0000000052C4 0000004052C4 0 escape 0000000052D4 0000004052D4 0 TextOut 0000000052E4 0000004052E4 0 enddoc 0000000053E8 0000004053E8 0 OpenProcessToken 000000005404 000000405404 0 LookupPrivilegeValue 000000005424 000000405424 0 AdjustTokenPrivileges 0000000055FC 0000004055FC 0 getProcessEntry 00000000560C 00000040560C 0 SeDebugPrivilege 000000005628 000000405628 0 OpenProcess 00000000563C 00000040563C 0 GetExitCodeThread 000000005658 000000405658 0 VirtualFreeEx 0000000058BB 0000004058BB 0 |$0hhV@ 000000005908 000000405908 0 kernel32.dll 000000005918 000000405918 0 GetModuleHandleA 00000000592C 00000040592C 0 GetProcAddress 00000000593C 00000040593C 0 OASYS.dll 000000005948 000000405948 0 OasPostMessage 000000005958 000000405958 0 mu.exe 000000005A20 000000405A20 0 kernel32.dll 000000005A30 000000405A30 0 GetModuleHandleA 000000005A44 000000405A44 0 GetProcAddress 000000005A54 000000405A54 0 DbdDevAPI.dll 000000005A64 000000405A64 0 DbdDevOpen 000000005A70 000000405A70 0 DbdDevClose 000000005A7C 000000405A7C 0 DbdDevUnlock 000000005A8C 000000405A8C 0 DbdDevUnregisterCallback 000000005BC7 000000405BC7 0 l$BhpW@ 000000005C04 000000405C04 0 kernel32.dll 000000005C14 000000405C14 0 GetModuleHandleA 000000005C28 000000405C28 0 GetProcAddress 000000005C38 000000405C38 0 DbdDevAPI.dll 000000005C48 000000405C48 0 DbdDevRegisterCallback 000000005C60 000000405C60 0 DbdDevLock 000000005C80 000000405C80 0 SVWUQ 000000005DF4 000000405DF4 0 LocalAlloc 000000005E08 000000405E08 0 LocalLock 00000000628D 00000040628D 0 t Find Key A 0000000062A9 0000004062A9 0 t Find Key B 0000000064B0 0000004064B0 0 UhAe@ 000000006683 000000406683 0 u7IBF 000000006712 000000406712 0 I(NBu 000000006A5E 000000406A5E 0 Ph4k@ 000000006A97 000000406A97 0 Ph<k@ 000000006B18 000000406B18 0 %.2d/%.2d/%.2d %.2d:%.2d 000000006C87 000000406C87 0 tdHuaj 000000006D00 000000406D00 0 
DbdDevExecute(RECEIPT_PRINTER_START_GDI) 000000006D30 000000406D30 0 t LOCK EPP 000000006D3C 000000406D3C 0 RECEIPT_PRINTER_START_GDI 000000006D58 000000406D58 0 DbdDevExecute(RECEIPT_PRINTER_EJECT) 000000006ECC 000000406ECC 0 DbdDevExecute(AFD_DISPENCE) 000000006EE8 000000406EE8 0 CDM Complete LOCK 000000006EFC 000000406EFC 0 DbdDevExecute(AFD_PRESENT) 000000006F18 000000406F18 0 DbdDevExecute(AFD_RESTORE) 000000006FEC 000000406FEC 0 mu.exe 000000006FF4 000000406FF4 0 SeDebugPrivilege 000000007008 000000407008 0 SpiService.exe 0000000070ED 0000004070ED 0 T$ RSPP 000000007140 000000407140 0 kernel32.dll File pos Mem pos ID Text ======== ======= == ==== 000000007150 000000407150 0 WaitForSingleObject 000000007164 000000407164 0 CloseHandle 000000007170 000000407170 0 ExitProcess 00000000717C 00000040717C 0 DeleteFileA 000000007188 000000407188 0 mu.exe 000000007198 000000407198 0 getProcessEntry 0000000071B0 0000004071B0 0 OpenProcess 000000007274 000000407274 0 \lsass.exe 000000007288 000000407288 0 OpenSCManager 000000007298 000000407298 0 ProtectedStorage 0000000072AC 0000004072AC 0 Protected Storage 0000000072C0 0000004072C0 0 RemoteValidation 0000000072DC 0000004072DC 0 ChangeServiceConfig 0000000072F0 0000004072F0 0 SVWUQ 000000007400 000000407400 0 DZX|@3 000000007438 000000407438 0 <0u AG 000000007480 000000407480 0 SeShutdownPrivilege 0000000074A0 0000004074A0 0 InitiateSystemShutdown 0000000075C8 0000004075C8 0 mu.exe 0000000075D0 0000004075D0 0 SeDebugPrivilege 0000000075E4 0000004075E4 0 SpiService.exe 0000000076F4 0000004076F4 0 TimeOut EPP4_DISABLE_KEYBOARD_READ complete 000000007720 000000407720 0 DbdDevExecute(EPP4_DISABLE_KEYBOARD_READ) 0000000078A4 0000004078A4 0 %.2X%.2X 0000000078B0 0000004078B0 0 Request Code: %.6d 0000000078C3 0000004078C3 0 Enter Responce 0000000078D4 0000004078D4 0 Autorization 0000000078E4 0000004078E4 0 1..4 - dispense cassete 0000000078FC 0000004078FC 0 9 - Uninstall 00000000790A 00000040790A 0 0 - Exit 000000007914 
000000407914 0 Enter Command 000000007B20 000000407B20 0 Diebold:OGuiFrame 000000007B34 000000407B34 0 Enter Password 000000007B48 000000407B48 0 STATIC 000000007B58 000000407B58 0 Supply Manager 000000007B68 000000407B68 0 Pripnt 000000007B70 000000407B70 0 View All Counts 000000008184 000000408184 0 DBDDEV_LOCK(CRW) 000000008198 000000408198 0 DbdDevExecute(MCRW_ACCEPT_INSERTION) 0000000081C0 0000004081C0 0 MCRW_ACCEPT_INSERTION 0000000081D8 0000004081D8 0 DbdDevExecute(MCRW_POWERON) 00000000829D 00000040829D 0 ;C&v= 000000008E75 000000408E75 0 t find KEY C 000000008F00 000000408F00 0 Hello 000000008F30 000000408F30 0 01234567789 0000000091C4 0000004091C4 0 DbdDevExecute(MCRW_POWERON) 0000000093C8 0000004093C8 0 SOFTWARE\Diebold\Agilis 91x Core 0000000093EC 0000004093EC 0 SOFTWARE\Diebold\Agilis 91x 000000009408 000000409408 0 Product Version 00000000941C 00000040941C 0 version 000000009430 000000409430 0 RegQueryValue 000000009450 000000409450 0 Agilis %s 000000009461 000000409461 0 Agent %s 000000009471 000000409471 0 Transactions %d 000000009482 000000409482 0 Cards %d 000000009496 000000409496 0 KEYs %d 0000000095EC 0000004095EC 0 Enter command: 0000000095FC 0000004095FC 0 Agent 00000000967F 00000040967F 0 <3=t FJu 000000009B83 000000409B83 0 aE;l$ File pos Mem pos ID Text ======== ======= == ==== 000000009BEF 000000409BEF 0 $E;l$ 000000009F84 000000409F84 0 PSTATPL 000000009F8C 000000409F8C 0 IAMJZPL 000000009FAC 000000409FAC 0 BALANCE: 00000000A008 00000040A008 0 SetWaitableTimer 00000000A0AD 00000040A0AD 0 8TCS,t 00000000A0B8 00000040A0B8 0 8HST,u0 00000000A45C 00000040A45C 0 kernel32.dll 00000000A46C 00000040A46C 0 GetModuleHandleA 00000000A480 00000040A480 0 GetProcAddress 00000000A490 00000040A490 0 LoadLibraryA 00000000A4A0 00000040A4A0 0 Sleep 00000000A4A8 00000040A4A8 0 VirtualProtect 00000000A4B8 00000040A4B8 0 DbdDevAPI.dll 00000000A4C9 00000040A4C9 0 DbdDevRegisterCallback 00000000A4E1 00000040A4E1 0 DbdDevLock 00000000A640 00000040A640 0 \trl2 
00000000A650 00000040A650 0 mu.exe 00000000A658 00000040A658 0 sharedq.dll 00000000A66C 00000040A66C 0 LoadLibrary(sharedq.dll) 00000000A688 00000040A688 0 SQReceiveFromServer 00000000A6A4 00000040A6A4 0 GetProcAddress(SQReceiveFromServer) 00000000A730 00000040A730 0 ProtectedStorage 00000000A7C5 00000040A7C5 0 33333 00000000A7E7 00000040A7E7 0 UUUU3 00000000A939 00000040A939 0 VWUSQ 00000000A981 00000040A981 0 33333 00000000A9A3 00000040A9A3 0 UUUU3 00000000AA57 00000040AA57 0 UUUU3 00000000AAB5 00000040AAB5 0 VWUSQ 00000000AB6C 00000040AB6C 0 UUUU3 00000000AC9C 00000040AC9C 0 StartServiceCtrlDispatcher 00000000B04C 00000040B04C 0 Error 00000000B054 00000040B054 0 Runtime error at 00000000 00000000B074 00000040B074 0 0123456789ABCDEF 00000000B0A0 00000040B0A0 0 1AY&SX 00000000B0E4 00000040B0E4 0 mu.exe 00000000B0F8 00000040B0F8 0 SpiService.exe 00000000B250 00000040B250 0 <4,$?7/' 00000000B296 00000040B296 0 !"#$%&'()*+,-./012345678 00000000B2E1 00000040B2E1 0 (3-!0 00000000B2E8 00000040B2E8 0 ,1'8"5 00000000E334 00000040E334 0 kernel32.dll 00000000E344 00000040E344 0 DeleteCriticalSection 00000000E35C 00000040E35C 0 LeaveCriticalSection 00000000E374 00000040E374 0 EnterCriticalSection 00000000E38C 00000040E38C 0 InitializeCriticalSection 00000000E3A8 00000040E3A8 0 VirtualFree 00000000E3B6 00000040E3B6 0 VirtualAlloc 00000000E3C6 00000040E3C6 0 LocalFree 00000000E3D2 00000040E3D2 0 LocalAlloc 00000000E3E0 00000040E3E0 0 GetVersion 00000000E3EE 00000040E3EE 0 GetCurrentThreadId 00000000E404 00000040E404 0 GetThreadLocale 00000000E416 00000040E416 0 GetStartupInfoA 00000000E428 00000040E428 0 GetLocaleInfoA 00000000E43A 00000040E43A 0 GetCommandLineA 00000000E44C 00000040E44C 0 FreeLibrary 00000000E45A 00000040E45A 0 ExitProcess 00000000E468 00000040E468 0 CreateThread File pos Mem pos ID Text ======== ======= == ==== 00000000E478 00000040E478 0 WriteFile 00000000E484 00000040E484 0 UnhandledExceptionFilter 00000000E4A0 00000040E4A0 0 RtlUnwind 00000000E4AC 
00000040E4AC 0 RaiseException 00000000E4BE 00000040E4BE 0 GetStdHandle 00000000E4CC 00000040E4CC 0 user32.dll 00000000E4DA 00000040E4DA 0 GetKeyboardType 00000000E4EC 00000040E4EC 0 MessageBoxA 00000000E4F8 00000040E4F8 0 advapi32.dll 00000000E508 00000040E508 0 RegQueryValueExA 00000000E51C 00000040E51C 0 RegOpenKeyExA 00000000E52C 00000040E52C 0 RegCloseKey 00000000E538 00000040E538 0 kernel32.dll 00000000E548 00000040E548 0 TlsSetValue 00000000E556 00000040E556 0 TlsGetValue 00000000E564 00000040E564 0 LocalAlloc 00000000E572 00000040E572 0 GetModuleHandleA 00000000E584 00000040E584 0 advapi32.dll 00000000E594 00000040E594 0 RegQueryValueExA 00000000E5A8 00000040E5A8 0 RegOpenKeyExA 00000000E5B8 00000040E5B8 0 RegCloseKey 00000000E5C6 00000040E5C6 0 OpenProcessToken 00000000E5DA 00000040E5DA 0 LookupPrivilegeValueA 00000000E5F2 00000040E5F2 0 InitiateSystemShutdownA 00000000E60C 00000040E60C 0 AdjustTokenPrivileges 00000000E622 00000040E622 0 kernel32.dll 00000000E632 00000040E632 0 lstrlenA 00000000E63E 00000040E63E 0 lstrcpynA 00000000E64A 00000040E64A 0 lstrcpyA 00000000E656 00000040E656 0 lstrcmpiA 00000000E662 00000040E662 0 lstrcmpA 00000000E66E 00000040E66E 0 lstrcatA 00000000E67A 00000040E67A 0 WriteProcessMemory 00000000E690 00000040E690 0 WriteFile 00000000E69C 00000040E69C 0 WaitForSingleObjectEx 00000000E6B4 00000040E6B4 0 WaitForSingleObject 00000000E6CA 00000040E6CA 0 VirtualFreeEx 00000000E6DA 00000040E6DA 0 VirtualAllocEx 00000000E6EC 00000040E6EC 0 TerminateThread 00000000E6FE 00000040E6FE 0 SleepEx 00000000E708 00000040E708 0 Sleep 00000000E710 00000040E710 0 SetWaitableTimer 00000000E724 00000040E724 0 SetFilePointer 00000000E736 00000040E736 0 SetEvent 00000000E742 00000040E742 0 ReadFile 00000000E74E 00000040E74E 0 OpenProcess 00000000E75C 00000040E75C 0 LocalUnlock 00000000E76A 00000040E76A 0 LocalSize 00000000E776 00000040E776 0 LocalReAlloc 00000000E786 00000040E786 0 LocalLock 00000000E792 00000040E792 0 LocalFree 00000000E79E 
00000040E79E 0 LocalAlloc 00000000E7AC 00000040E7AC 0 LoadLibraryA 00000000E7BC 00000040E7BC 0 GetWindowsDirectoryA 00000000E7D4 00000040E7D4 0 GetTickCount 00000000E7E4 00000040E7E4 0 GetTempFileNameA 00000000E7F8 00000040E7F8 0 GetSystemTimeAsFileTime 00000000E812 00000040E812 0 GetSystemDirectoryA 00000000E828 00000040E828 0 GetProcAddress 00000000E83A 00000040E83A 0 GetModuleHandleA File pos Mem pos ID Text ======== ======= == ==== 00000000E84E 00000040E84E 0 GetModuleFileNameA 00000000E864 00000040E864 0 GetLastError 00000000E874 00000040E874 0 GetFileSize 00000000E882 00000040E882 0 GetExitCodeThread 00000000E896 00000040E896 0 GetCurrentProcess 00000000E8AA 00000040E8AA 0 FormatMessageA 00000000E8BC 00000040E8BC 0 FileTimeToSystemTime 00000000E8D4 00000040E8D4 0 FileTimeToLocalFileTime 00000000E8EE 00000040E8EE 0 ExitProcess 00000000E8FC 00000040E8FC 0 DuplicateHandle 00000000E90E 00000040E90E 0 DeleteFileA 00000000E91C 00000040E91C 0 CreateWaitableTimerA 00000000E934 00000040E934 0 CreateThread 00000000E944 00000040E944 0 CreateRemoteThread 00000000E95A 00000040E95A 0 CreateFileA 00000000E968 00000040E968 0 CreateEventA 00000000E978 00000040E978 0 CopyFileA 00000000E984 00000040E984 0 CloseHandle 00000000E990 00000040E990 0 gdi32.dll 00000000E99C 00000040E99C 0 TextOutA 00000000E9A8 00000040E9A8 0 GetTextMetricsA 00000000E9BA 00000040E9BA 0 Escape 00000000E9C4 00000040E9C4 0 EndDoc 00000000E9CE 00000040E9CE 0 DeleteDC 00000000E9DA 00000040E9DA 0 CreateDCA 00000000E9E4 00000040E9E4 0 user32.dll 00000000E9F2 00000040E9F2 0 CreateWindowExA 00000000EA04 00000040EA04 0 UnregisterClassA 00000000EA18 00000040EA18 0 TranslateMessage 00000000EA2C 00000040EA2C 0 SetTimer 00000000EA38 00000040EA38 0 SetForegroundWindow 00000000EA4E 00000040EA4E 0 SetFocus 00000000EA5A 00000040EA5A 0 SendMessageA 00000000EA6A 00000040EA6A 0 RegisterClassA 00000000EA7C 00000040EA7C 0 RedrawWindow 00000000EA8C 00000040EA8C 0 PostMessageA 00000000EA9C 00000040EA9C 0 PeekMessageA 
00000000EAAC 00000040EAAC 0 LoadIconA 00000000EAB8 00000040EAB8 0 LoadCursorA 00000000EAC6 00000040EAC6 0 GetWindowTextA 00000000EAD8 00000040EAD8 0 GetWindowDC 00000000EAE6 00000040EAE6 0 GetSystemMetrics 00000000EAFA 00000040EAFA 0 GetMessageA 00000000EB08 00000040EB08 0 GetForegroundWindow 00000000EB1E 00000040EB1E 0 GetDesktopWindow 00000000EB32 00000040EB32 0 GetClientRect 00000000EB42 00000040EB42 0 FindWindowExA 00000000EB52 00000040EB52 0 FindWindowA 00000000EB60 00000040EB60 0 DrawTextA 00000000EB6C 00000040EB6C 0 DispatchMessageA 00000000EB80 00000040EB80 0 DestroyWindow 00000000EB90 00000040EB90 0 DefWindowProcA 00000000EBA2 00000040EBA2 0 CharUpperA 00000000EBAE 00000040EBAE 0 advapi32.dll 00000000EBBE 00000040EBBE 0 StartServiceCtrlDispatcherA 00000000EBDC 00000040EBDC 0 SetServiceStatus 00000000EBF0 00000040EBF0 0 RegisterServiceCtrlHandlerA 00000000EC0E 00000040EC0E 0 OpenServiceA 00000000EC1E 00000040EC1E 0 OpenSCManagerA 00000000EC30 00000040EC30 0 CloseServiceHandle File pos Mem pos ID Text ======== ======= == ==== 00000000EC46 00000040EC46 0 ChangeServiceConfigA 00000000EC5C 00000040EC5C 0 winspool.drv 00000000EC6C 00000040EC6C 0 EnumPrintersA 00000000EC7A 00000040EC7A 0 user32.dll 00000000EC88 00000040EC88 0 wsprintfA 00000000EC94 00000040EC94 0 GetMonitorInfoA 00000000ECA6 00000040ECA6 0 EnumDisplayMonitors 00000001100F 00000041100F 0 0"0*020:0B0J0R0Z0b0j0r0z0 000000011055 000000411055 0 4%515L5 00000001105D 00000041105D 0 5.7j7 00000001107D 00000041107D 0 8$8,8>8J8Y8e8m8x8~8 0000000110A9 0000004110A9 0 9'929S9k9 0000000110BB 0000004110BB 0 :O:o: 0000000110CD 0000004110CD 0 <(<3<<<C<R<Y<{< 0000000110EF 0000004110EF 0 >Z>c>y> 0000000110FF 0000004110FF 0 ?*?T?]?m?u?{? 
00000001112B 00000041112B 0 0 080D0L0c0r0 000000011145 000000411145 0 0$1H1f1v1|1 00000001115D 00000041115D 0 2m2t2 00000001117F 00000041117F 0 4#4G4g4 00000001119D 00000041119D 0 8)8?8]8s8 0000000111B1 0000004111B1 0 9 989F9z9 0000000111C5 0000004111C5 0 :0:9:k:t: 0000000111E1 0000004111E1 0 <,=4=?=k= 0000000111F1 0000004111F1 0 =&>*>0>4>9>@>F>N>Y>h>p> 000000011219 000000411219 0 ?#?>?S?]?b? 000000011238 000000411238 0 &0/0U0b0x0 00000001124B 00000041124B 0 5F5M5_5}5 00000001125D 00000041125D 0 6?6K6R6\6f6}6 000000011285 000000411285 0 7*7?7P7Z7b7j7r7z7 0000000112A3 0000004112A3 0 8*868;8@8G8N8X8o8{8 0000000112D3 0000004112D3 0 9"9*929:9B9J9R9Z9b9j9r9z9 000000011313 000000411313 0 :":*:2:::B:J:R:Z:b:j:r:z: 000000011353 000000411353 0 ;";*;2;:;B;J;R;Z;b;j;r;z; 000000011397 000000411397 0 ="=0=E=R=W=d=i=v={= 0000000113CD 0000004113CD 0 >*>/><>A>N>S> 0000000113F1 0000004113F1 0 0.0;0G0T0f0n0{0 000000011405 000000411405 0 0.161>1F1N1 00000001144D 00000041144D 0 686=6P6{6 000000011467 000000411467 0 8K90:C:Y: 000000011477 000000411477 0 ;+;4;G;q; 000000011485 000000411485 0 ;[<f<z< 0000000114AD 0000004114AD 0 >">'>2>7><>G>L>Q>\>a>f>q>v>{> 000000011501 000000411501 0 2$2:2Y2h3 000000011525 000000411525 0 8'8.8C8H8X8o8{8 00000001153D 00000041153D 0 8k9w9 00000001155F 00000041155F 0 ;6;?;l;x; 000000011579 000000411579 0 =(=.=6=E=P=V= 0000000115BF 0000004115BF 0 90:>:a:o: 0000000115DB 0000004115DB 0 <*<1<7<=< 0000000115F1 0000004115F1 0 >#>R> 0000000115FD 0000004115FD 0 >>?N?_?p?{? 000000011620 000000411620 0 D0P0_0n0}0 00000001163D 00000041163D 0 2'242N2 00000001164B 00000041164B 0 3&30353 000000011659 000000411659 0 4G4U4v4 000000011669 000000411669 0 595I5Z5k5 00000001167B 00000041167B 0 6;6@6i6w6 000000011693 000000411693 0 8?8D8 0000000116AD 0000004116AD 0 <$<A<O< File pos Mem pos ID Text ======== ======= == ==== 0000000116D3 0000004116D3 0 ="=7=>=K=[=p= 0000000116F5 0000004116F5 0 >!?.?~? 
00000001170F 00000041170F 0 0%0?0 00000001171B 00000041171B 0 1!1'1L1j1q1 000000011755 000000411755 0 0%1.141;1U1\1e1q1 000000011769 000000411769 0 1$2@2[2 000000011777 000000411777 0 2-3X3j3 000000011795 000000411795 0 4@5H5|5 0000000117BD 0000004117BD 0 8$8#9 0000000117E5 0000004117E5 0 ;#;';+;/;3;7;;;?;S<h<}< 000000011801 000000411801 0 =-=D= 000000011844 000000411844 0 $050:0?0T0 00000001184F 00000041184F 0 1$1B1J1Y1/343{3 000000011875 000000411875 0 5)53585G5Q5V5e5y5~5 0000000118AF 0000004118AF 0 8+8<8D8\8k8u8~8 0000000118E1 0000004118E1 0 : :(:0:;: 0000000118F7 0000004118F7 0 ;0;6;<;B;H;S; 000000011917 000000411917 0 < <$<(<,<0<4<8<<<@<D<L<W<b<f<k< 000000011940 000000411940 0 $0(0,0 0000000123F0 0000004123F0 0 PADDINGXXPADDING 0000000130F0 0000004124F0 0 KERNEL32.dll 000000013100 000000412500 0 DeleteCriticalSection 000000013118 000000412518 0 LeaveCriticalSection 000000013130 000000412530 0 EnterCriticalSection 000000013148 000000412548 0 InitializeCriticalSection 000000013164 000000412564 0 VirtualFree 000000013172 000000412572 0 VirtualAlloc 000000013182 000000412582 0 LocalFree 00000001318E 00000041258E 0 LocalAlloc 00000001319C 00000041259C 0 GetVersion 0000000131AA 0000004125AA 0 GetCurrentThreadId 0000000131C0 0000004125C0 0 GetThreadLocale 0000000131D2 0000004125D2 0 GetStartupInfoA 0000000131E4 0000004125E4 0 GetLocaleInfoA 0000000131F6 0000004125F6 0 GetCommandLineA 000000013208 000000412608 0 FreeLibrary 000000013216 000000412616 0 ExitProcess 000000013224 000000412624 0 CreateThread 000000013234 000000412634 0 WriteFile 000000013240 000000412640 0 UnhandledExceptionFilter 00000001325C 00000041265C 0 RtlUnwind 000000013268 000000412668 0 RaiseException 00000001327A 00000041267A 0 GetStdHandle 000000013288 000000412688 0 USER32.dll 000000013296 000000412696 0 GetKeyboardType 0000000132A8 0000004126A8 0 MessageBoxA 0000000132B4 0000004126B4 0 ADVAPI32.dll 0000000132C4 0000004126C4 0 RegQueryValueExA 0000000132D8 0000004126D8 0 RegOpenKeyExA 
=== DOWNLOAD ===