ATM MALWARE NOTICE
34e7060e7a0c0ba24fcb55c641e5b586cef744e10ebd5a9f73ecd2ed2f4e9c1f
Date...........: 2009-03-21
Family.........: Trojan.Skimer.15
File name......: 01390aeb5c4bbf2eeb
File size......: 21.00 KB
Type file......: EXE/Windows
Virscan........: VT - HA
Entropy:
Binary Histogram:
=== PEDUMP REPORT ===
=== MZ Header ===
signature: "MZ"
bytes_in_last_block: 80 0x50
blocks_in_file: 2 2
num_relocs: 0 0
header_paragraphs: 4 4
min_extra_paragraphs: 15 0xf
max_extra_paragraphs: 65535 0xffff
ss: 0 0
sp: 184 0xb8
checksum: 0 0
ip: 0 0
cs: 0 0
reloc_table_offset: 64 0x40
overlay_number: 26 0x1a
reserved0: 0 0
oem_id: 0 0
oem_info: 0 0
reserved2: 0 0
reserved3: 0 0
reserved4: 0 0
reserved5: 0 0
reserved6: 0 0
lfanew: 256 0x100
=== DOS STUB ===
00000000: ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 |........!..L.!..|
00000010: 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 |This program mus|
00000020: 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 |t be run under W|
00000030: 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 |in32..$7........|
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
=== PE Header ===
signature: "PE\x00\x00"
# IMAGE_FILE_HEADER:
Machine: 332 0x14c x86
NumberOfSections: 8 8
TimeDateStamp: "1992-06-19 22:22:17"
PointerToSymbolTable: 0 0
NumberOfSymbols: 0 0
SizeOfOptionalHeader: 224 0xe0
Characteristics: 33166 0x818e EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO
32BIT_MACHINE, BYTES_REVERSED_HI
# IMAGE_OPTIONAL_HEADER32:
Magic: 267 0x10b 32-bit executable
LinkerVersion: 2.25
SizeOfCode: 15360 0x3c00
SizeOfInitializedData: 5120 0x1400
SizeOfUninitializedData: 0 0
AddressOfEntryPoint: 19004 0x4a3c
BaseOfCode: 4096 0x1000
BaseOfData: 20480 0x5000
ImageBase: 4194304 0x400000
SectionAlignment: 4096 0x1000
FileAlignment: 512 0x200
OperatingSystemVersion: 4.0
ImageVersion: 0.0
SubsystemVersion: 4.0
Reserved1: 0 0
SizeOfImage: 49152 0xc000
SizeOfHeaders: 1024 0x400
CheckSum: 0 0
Subsystem: 2 2 WINDOWS_GUI
DllCharacteristics: 0 0
SizeOfStackReserve: 1048576 0x100000
SizeOfStackCommit: 16384 0x4000
SizeOfHeapReserve: 1048576 0x100000
SizeOfHeapCommit: 4096 0x1000
LoaderFlags: 0 0
NumberOfRvaAndSizes: 16 0x10
=== DATA DIRECTORY ===
EXPORT rva:0x 0 size:0x 0
IMPORT rva:0x 7000 size:0x 694
RESOURCE rva:0x b000 size:0x 200
EXCEPTION rva:0x 0 size:0x 0
SECURITY rva:0x 0 size:0x 0
BASERELOC rva:0x a000 size:0x 45c
DEBUG rva:0x 0 size:0x 0
ARCHITECTURE rva:0x 0 size:0x 0
GLOBALPTR rva:0x 0 size:0x 0
TLS rva:0x 9000 size:0x 18
LOAD_CONFIG rva:0x 0 size:0x 0
Bound_IAT rva:0x 0 size:0x 0
IAT rva:0x 0 size:0x 0
Delay_IAT rva:0x 0 size:0x 0
CLR_Header rva:0x 0 size:0x 0
rva:0x 0 size:0x 0
=== SECTIONS ===
NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
CODE 1000 3a98 3c00 400 0 0 0 0 60000020 R-X CODE
DATA 5000 ec 200 4000 0 0 0 0 c0000040 RW- IDATA
BSS 6000 6bd 0 4200 0 0 0 0 c0000000 RW-
.idata 7000 694 800 4200 0 0 0 0 c0000040 RW- IDATA
.tls 8000 8 0 4a00 0 0 0 0 c0000000 RW-
.rdata 9000 18 200 4a00 0 0 0 0 50000040 R-- IDATA SHARED
.reloc a000 45c 600 4c00 0 0 0 0 50000040 R-- IDATA SHARED
.rsrc b000 200 200 5200 0 0 0 0 50000040 R-- IDATA SHARED
=== TLS ===
RAW_START RAW_END INDEX CALLBKS ZEROFILL FLAGS
408000 408008 405084 409010 0 0
=== RESOURCES ===
FILE_OFFSET CP LANG SIZE TYPE NAME
0x52b0 0 0 16 RCDATA DVCLAL
0x52c0 0 0 80 RCDATA PACKAGEINFO
=== IMPORTS ===
MODULE_NAME HINT ORD FUNCTION_NAME
kernel32.dll 0 DeleteCriticalSection
kernel32.dll 0 LeaveCriticalSection
kernel32.dll 0 EnterCriticalSection
kernel32.dll 0 InitializeCriticalSection
kernel32.dll 0 VirtualFree
kernel32.dll 0 VirtualAlloc
kernel32.dll 0 LocalFree
kernel32.dll 0 LocalAlloc
kernel32.dll 0 GetVersion
kernel32.dll 0 GetCurrentThreadId
kernel32.dll 0 GetThreadLocale
kernel32.dll 0 GetStartupInfoA
kernel32.dll 0 GetLocaleInfoA
kernel32.dll 0 GetCommandLineA
kernel32.dll 0 FreeLibrary
kernel32.dll 0 ExitProcess
kernel32.dll 0 WriteFile
kernel32.dll 0 UnhandledExceptionFilter
kernel32.dll 0 RtlUnwind
kernel32.dll 0 RaiseException
kernel32.dll 0 GetStdHandle
user32.dll 0 GetKeyboardType
user32.dll 0 MessageBoxA
advapi32.dll 0 RegQueryValueExA
advapi32.dll 0 RegOpenKeyExA
advapi32.dll 0 RegCloseKey
kernel32.dll 0 TlsSetValue
kernel32.dll 0 TlsGetValue
kernel32.dll 0 LocalAlloc
kernel32.dll 0 GetModuleHandleA
kernel32.dll 0 lstrlenA
kernel32.dll 0 lstrcpyA
kernel32.dll 0 lstrcmpiA
kernel32.dll 0 lstrcatA
kernel32.dll 0 WriteFile
kernel32.dll 0 WaitForSingleObject
kernel32.dll 0 VirtualProtect
kernel32.dll 0 VirtualFreeEx
kernel32.dll 0 TerminateProcess
kernel32.dll 0 Sleep
kernel32.dll 0 ReadFile
kernel32.dll 0 OpenProcess
kernel32.dll 0 LocalFree
kernel32.dll 0 LocalAlloc
kernel32.dll 0 GetWindowsDirectoryA
kernel32.dll 0 GetVolumeInformationA
kernel32.dll 0 GetTickCount
kernel32.dll 0 GetProcAddress
kernel32.dll 0 GetModuleHandleA
kernel32.dll 0 GetModuleFileNameA
kernel32.dll 0 GetLastError
kernel32.dll 0 GetFileSize
kernel32.dll 0 GetFileAttributesA
kernel32.dll 0 GetExitCodeThread
kernel32.dll 0 FormatMessageA
kernel32.dll 0 DeleteFileA
kernel32.dll 0 CreateFileA
kernel32.dll 0 CopyFileA
kernel32.dll 0 CloseHandle
user32.dll 0 MessageBoxA
advapi32.dll 0 StartServiceA
advapi32.dll 0 QueryServiceStatus
advapi32.dll 0 QueryServiceConfigA
advapi32.dll 0 OpenServiceA
advapi32.dll 0 OpenSCManagerA
advapi32.dll 0 ControlService
advapi32.dll 0 CloseServiceHandle
=== Packer / Compiler ===
Borland Delphi 2006
=== Strings ===
File pos Mem pos ID Text
======== ======= == ====
000000000050 000000400050 0 This program must be run under Win32
000000000270 000000400270 0 .idata
0000000002C0 0000004002C0 0 .rdata
0000000002E7 0000004002E7 0 P.reloc
00000000030F 00000040030F 0 P.rsrc
00000000058C 00000040118C 0 SVWUQ
0000000007AD 0000004013AD 0 w;;t$
0000000008B8 0000004014B8 0 SVWUQ
00000000179D 00000040239D 0 Uh%$@
0000000019FF 0000004025FF 0 ~KxI[)
000000001B28 000000402728 0 SOFTWARE\Borland\Delphi\RTL
000000001B44 000000402744 0 FPUMaskValue
000000001B91 000000402791 0 PPRTj
000000001D0B 00000040290B 0 YZXtp
000000001D27 000000402927 0 Ph4)@
000000001E82 000000402A82 0 t=HtN
000000001F35 000000402B35 0 PhB+@
000000001FFE 000000402BFE 0 Uh*,@
000000002401 000000403001 0 Uh\0@
0000000024E1 0000004030E1 0 Uh&1@
000000002711 000000403311 0 Uh13@
000000002749 000000403349 0 Uhi3@
0000000028E9 0000004034E9 0 Uh 5@
000000002A78 000000403678 0 kernel32.dll
000000002A88 000000403688 0 CreateToolhelp32Snapshot
000000002AA4 0000004036A4 0 Heap32ListFirst
000000002AB4 0000004036B4 0 Heap32ListNext
000000002AC4 0000004036C4 0 Heap32First
000000002AD0 0000004036D0 0 Heap32Next
000000002ADC 0000004036DC 0 Toolhelp32ReadProcessMemory
000000002AF8 0000004036F8 0 Process32First
000000002B08 000000403708 0 Process32Next
000000002B18 000000403718 0 Process32FirstW
000000002B28 000000403728 0 Process32NextW
000000002B38 000000403738 0 Thread32First
000000002B48 000000403748 0 Thread32Next
000000002B58 000000403758 0 Module32First
000000002B68 000000403768 0 Module32Next
000000002B78 000000403778 0 Module32FirstW
000000002B88 000000403788 0 Module32NextW
000000002C3D 00000040383D 0 Uh]8@
000000002C70 000000403870 0 APC UPS Service
000000002C80 000000403880 0 Apache Tomcat
000000002C90 000000403890 0 PCD_MODULELauncher
000000002CA4 0000004038A4 0 ntfsvc
000000002CAC 0000004038AC 0 LogWriter
000000002CB8 0000004038B8 0 Diebold XFS
000000002CC4 0000004038C4 0 TagBeginUUUU
000000002CD1 0000004038D1 0 <'! 49
000000002CE6 0000004038E6 0 ':60&&
000000002CED 0000004038ED 0 08:',UU
000000002CF5 0000004038F5 0 '04!0
000000002CFB 0000004038FB 0 08:!0
000000002D01 000000403901 0 ='041UU0-%9:'0'{0-0UUUU%"'&!'{199UU !'9guuUUUUU >9UUUUU '01&!:;0{78%UUU 79 0&!:;0y78%UU 2'00;&!:;0{78%o'01&!:;0{78%UUUU 2'00;&!:;0{78%o79 0&!:;0{78%UUUTagEnd
0000000030D8 000000403CD8 0 LoadLibraryA
0000000030E8 000000403CE8 0 kernel32
0000000030F4 000000403CF4 0 SVWUQ
00000000315C 000000403D5C 0 CreateFile (wr)
0000000031E4 000000403DE4 0 QueryServiceStatus
0000000031F8 000000403DF8 0 Wait Stop Service TimeOut
File pos Mem pos ID Text
======== ======= == ====
0000000032B0 000000403EB0 0 MSCOREE.DLL
000000003328 000000403F28 0 D$<PV
0000000035C0 0000004041C0 0 OpenSCManager
0000000035D0 0000004041D0 0 OpenService
0000000035DC 0000004041DC 0 QueryServiceConfig
0000000035F4 0000004041F4 0 LoadFile
000000003600 000000404200 0 Error
000000003608 000000404208 0 Alredy instaled
000000003618 000000404218 0 mscore.dll in import
000000003630 000000404230 0 Stop
000000003638 000000404238 0 ControlService
000000003650 000000404250 0 StartService
000000003660 000000404260 0 CopyFile
00000000369F 00000040429F 0 8NTFS
000000003838 000000404438 0 CreateToolhelp32Snapshot
000000003854 000000404454 0 Module32First
00000000389C 00000040449C 0 D$$PW
000000003940 000000404540 0 \lsass.exe
00000000394C 00000040454C 0 lsass.exe
000000003B14 000000404714 0 getProcessEntry
000000003B24 000000404724 0 OpenProcess
000000003B30 000000404730 0 GetExitCodeThread
000000003B44 000000404744 0 VirtualFreeEx
000000003CCC 0000004048CC 0 kernel32.dll
000000003CDC 0000004048DC 0 FindFirstFileA
000000003CEC 0000004048EC 0 FindNextFileA
000000003CFC 0000004048FC 0 FindClose
000000003D08 000000404908 0 lstrcpy
000000003D10 000000404910 0 DeleteFileA
000000003D1C 00000040491C 0 Sleep
000000003D24 000000404924 0 \Prefetch\
000000003D30 000000404930 0 -*.pf
000000003D38 000000404938 0 SVWUhpI@
000000003D70 000000404970 0 kernel32.dll
000000003DC4 0000004049C4 0 VirtualProtect
000000003E8C 000000404A8C 0 C:\Diebold
00000000404C 00000040504C 0 Error
000000004054 000000405054 0 Runtime error at 00000000
000000004074 000000405074 0 0123456789ABCDEF
0000000043C8 0000004071C8 0 kernel32.dll
0000000043D8 0000004071D8 0 DeleteCriticalSection
0000000043F0 0000004071F0 0 LeaveCriticalSection
000000004408 000000407208 0 EnterCriticalSection
000000004420 000000407220 0 InitializeCriticalSection
00000000443C 00000040723C 0 VirtualFree
00000000444A 00000040724A 0 VirtualAlloc
00000000445A 00000040725A 0 LocalFree
000000004466 000000407266 0 LocalAlloc
000000004474 000000407274 0 GetVersion
000000004482 000000407282 0 GetCurrentThreadId
000000004498 000000407298 0 GetThreadLocale
0000000044AA 0000004072AA 0 GetStartupInfoA
0000000044BC 0000004072BC 0 GetLocaleInfoA
0000000044CE 0000004072CE 0 GetCommandLineA
0000000044E0 0000004072E0 0 FreeLibrary
0000000044EE 0000004072EE 0 ExitProcess
0000000044FC 0000004072FC 0 WriteFile
000000004508 000000407308 0 UnhandledExceptionFilter
000000004524 000000407324 0 RtlUnwind
000000004530 000000407330 0 RaiseException
File pos Mem pos ID Text
======== ======= == ====
000000004542 000000407342 0 GetStdHandle
000000004550 000000407350 0 user32.dll
00000000455E 00000040735E 0 GetKeyboardType
000000004570 000000407370 0 MessageBoxA
00000000457C 00000040737C 0 advapi32.dll
00000000458C 00000040738C 0 RegQueryValueExA
0000000045A0 0000004073A0 0 RegOpenKeyExA
0000000045B0 0000004073B0 0 RegCloseKey
0000000045BC 0000004073BC 0 kernel32.dll
0000000045CC 0000004073CC 0 TlsSetValue
0000000045DA 0000004073DA 0 TlsGetValue
0000000045E8 0000004073E8 0 LocalAlloc
0000000045F6 0000004073F6 0 GetModuleHandleA
000000004608 000000407408 0 kernel32.dll
000000004618 000000407418 0 lstrlenA
000000004624 000000407424 0 lstrcpyA
000000004630 000000407430 0 lstrcmpiA
00000000463C 00000040743C 0 lstrcatA
000000004648 000000407448 0 WriteFile
000000004654 000000407454 0 WaitForSingleObject
00000000466A 00000040746A 0 VirtualProtect
00000000467C 00000040747C 0 VirtualFreeEx
00000000468C 00000040748C 0 TerminateProcess
0000000046A0 0000004074A0 0 Sleep
0000000046A8 0000004074A8 0 ReadFile
0000000046B4 0000004074B4 0 OpenProcess
0000000046C2 0000004074C2 0 LocalFree
0000000046CE 0000004074CE 0 LocalAlloc
0000000046DC 0000004074DC 0 GetWindowsDirectoryA
0000000046F4 0000004074F4 0 GetVolumeInformationA
00000000470C 00000040750C 0 GetTickCount
00000000471C 00000040751C 0 GetProcAddress
00000000472E 00000040752E 0 GetModuleHandleA
000000004742 000000407542 0 GetModuleFileNameA
000000004758 000000407558 0 GetLastError
000000004768 000000407568 0 GetFileSize
000000004776 000000407576 0 GetFileAttributesA
00000000478C 00000040758C 0 GetExitCodeThread
0000000047A0 0000004075A0 0 FormatMessageA
0000000047B2 0000004075B2 0 DeleteFileA
0000000047C0 0000004075C0 0 CreateFileA
0000000047CE 0000004075CE 0 CopyFileA
0000000047DA 0000004075DA 0 CloseHandle
0000000047E6 0000004075E6 0 user32.dll
0000000047F4 0000004075F4 0 MessageBoxA
000000004800 000000407600 0 advapi32.dll
000000004810 000000407610 0 StartServiceA
000000004820 000000407620 0 QueryServiceStatus
000000004836 000000407636 0 QueryServiceConfigA
00000000484C 00000040764C 0 OpenServiceA
00000000485C 00000040765C 0 OpenSCManagerA
00000000486E 00000040766E 0 ControlService
000000004880 000000407680 0 CloseServiceHandle
000000004C0F 00000040A00F 0 0"0*020:0B0J0R0Z0b0j0r0z0
000000004C55 00000040A055 0 5)5D5
000000004C5B 00000040A05B 0 5&7b7
000000004C7D 00000040A07D 0 8$868B8Q8]8e8p8v8
000000004CA9 00000040A0A9 0 9*9K9c9
000000004CB9 00000040A0B9 0 9G:g:
000000004CCB 00000040A0CB 0 < <+<4<;<J<Q<s<
File pos Mem pos ID Text
======== ======= == ====
000000004CDD 00000040A0DD 0 <Y=w=|=
000000004CED 00000040A0ED 0 >R>[>q>
000000004CFD 00000040A0FD 0 ?"?L?U?e?m?s?|?
000000004D29 00000040A129 0 000<0D0[0j0z0
000000004D47 00000040A147 0 1n1t1|1
000000004D59 00000040A159 0 2e2l2|2
000000004D7D 00000040A17D 0 4?4_4z4
000000004D89 00000040A189 0 4m5Z6
000000004D9B 00000040A19B 0 7Y7n7
000000004DAD 00000040A1AD 0 8"868@8S8
000000004DBF 00000040A1BF 0 8)909R9
000000004DCB 00000040A1CB 0 ;7;>;V;x;
000000004DFB 00000040A1FB 0 ='=D=N=s=}=
000000004E1B 00000040A21B 0 >->A>
000000004E39 00000040A239 0 0!0*060=0x0
000000004E4F 00000040A24F 0 1!121?1F1J1P1T1Z1a1e1
000000004E7D 00000040A27D 0 2F2p2~2
000000004E9D 00000040A29D 0 3,3>3K3W3d3v3~3
000000004ED3 00000040A2D3 0 4&4.464>4F4N4V4
000000004EE3 00000040A2E3 0 4f4{4
000000004F05 00000040A305 0 5,5A5N5S5
000000004F0F 00000040A30F 0 5e5r5w5
000000004F39 00000040A339 0 6&6+686=6J6O6\6g6
000000004F51 00000040A351 0 8+8?8K8X8j8
000000004F5F 00000040A35F 0 9c<i<n<
000000004F8B 00000040A38B 0 00050}0
000000004F97 00000040A397 0 0+101Y1
000000004FA9 00000040A3A9 0 2(3;3
000000004FB7 00000040A3B7 0 5+6O6q6
000000004FD1 00000040A3D1 0 8$8@8
000000004FDB 00000040A3DB 0 8=9I9S9
000000004FFD 00000040A3FD 0 : :$:(:,:0:8:C:M:r:|:
00000000501C 00000040A41C 0 $0(0,0
0000000052CE 00000040B0CE 0 Install1
0000000052D8 00000040B0D8 0 UTypes
0000000052E1 00000040B0E1 0 System
0000000052EA 00000040B0EA 0 SysInit
0000000052F4 00000040B0F4 0 TlHelp32
0000000052FE 00000040B0FE 0 KWindows
000000005309 00000040B109 0 WinSvc
000000005298 00000040B098 0 PACKAGEINFO
000000000050 000000400050 0 This program must be run under Win32
000000000270 000000400270 0 .idata
0000000002C0 0000004002C0 0 .rdata
0000000002E7 0000004002E7 0 P.reloc
00000000030F 00000040030F 0 P.rsrc
00000000058C 00000040118C 0 SVWUQ
0000000007AD 0000004013AD 0 w;;t$
0000000008B8 0000004014B8 0 SVWUQ
00000000179D 00000040239D 0 Uh%$@
0000000019FF 0000004025FF 0 ~KxI[)
000000001B28 000000402728 0 SOFTWARE\Borland\Delphi\RTL
000000001B44 000000402744 0 FPUMaskValue
000000001B91 000000402791 0 PPRTj
000000001D0B 00000040290B 0 YZXtp
000000001D27 000000402927 0 Ph4)@
000000001E82 000000402A82 0 t=HtN
000000001F35 000000402B35 0 PhB+@
000000001FFE 000000402BFE 0 Uh*,@
000000002401 000000403001 0 Uh\0@
File pos Mem pos ID Text
======== ======= == ====
0000000024E1 0000004030E1 0 Uh&1@
000000002711 000000403311 0 Uh13@
000000002749 000000403349 0 Uhi3@
0000000028E9 0000004034E9 0 Uh 5@
000000002A78 000000403678 0 kernel32.dll
000000002A88 000000403688 0 CreateToolhelp32Snapshot
000000002AA4 0000004036A4 0 Heap32ListFirst
000000002AB4 0000004036B4 0 Heap32ListNext
000000002AC4 0000004036C4 0 Heap32First
000000002AD0 0000004036D0 0 Heap32Next
000000002ADC 0000004036DC 0 Toolhelp32ReadProcessMemory
000000002AF8 0000004036F8 0 Process32First
000000002B08 000000403708 0 Process32Next
000000002B18 000000403718 0 Process32FirstW
000000002B28 000000403728 0 Process32NextW
000000002B38 000000403738 0 Thread32First
000000002B48 000000403748 0 Thread32Next
000000002B58 000000403758 0 Module32First
000000002B68 000000403768 0 Module32Next
000000002B78 000000403778 0 Module32FirstW
000000002B88 000000403788 0 Module32NextW
000000002C3D 00000040383D 0 Uh]8@
000000002C70 000000403870 0 APC UPS Service
000000002C80 000000403880 0 Apache Tomcat
000000002C90 000000403890 0 PCD_MODULELauncher
000000002CA4 0000004038A4 0 ntfsvc
000000002CAC 0000004038AC 0 LogWriter
000000002CB8 0000004038B8 0 Diebold XFS
000000002CC4 0000004038C4 0 TagBeginUUUU
000000002CD1 0000004038D1 0 <'! 49
000000002CE6 0000004038E6 0 ':60&&
000000002CED 0000004038ED 0 08:',UU
000000002CF5 0000004038F5 0 '04!0
000000002CFB 0000004038FB 0 08:!0
000000002D01 000000403901 0 ='041UU0-%9:'0'{0-0UUUU%"'&!'{199UU !'9guuUUUUU >9UUUUU '01&!:;0{78%UUU 79 0&!:;0y78%UU 2'00;&!:;0{78%o'01&!:;0{78%UUUU 2'00;&!:;0{78%o79 0&!:;0{78%UUUTagEnd
0000000030D8 000000403CD8 0 LoadLibraryA
0000000030E8 000000403CE8 0 kernel32
0000000030F4 000000403CF4 0 SVWUQ
00000000315C 000000403D5C 0 CreateFile (wr)
0000000031E4 000000403DE4 0 QueryServiceStatus
0000000031F8 000000403DF8 0 Wait Stop Service TimeOut
0000000032B0 000000403EB0 0 MSCOREE.DLL
000000003328 000000403F28 0 D$<PV
0000000035C0 0000004041C0 0 OpenSCManager
0000000035D0 0000004041D0 0 OpenService
0000000035DC 0000004041DC 0 QueryServiceConfig
0000000035F4 0000004041F4 0 LoadFile
000000003600 000000404200 0 Error
000000003608 000000404208 0 Alredy instaled
000000003618 000000404218 0 mscore.dll in import
000000003630 000000404230 0 Stop
000000003638 000000404238 0 ControlService
000000003650 000000404250 0 StartService
000000003660 000000404260 0 CopyFile
00000000369F 00000040429F 0 8NTFS
000000003838 000000404438 0 CreateToolhelp32Snapshot
000000003854 000000404454 0 Module32First
00000000389C 00000040449C 0 D$$PW
000000003940 000000404540 0 \lsass.exe
00000000394C 00000040454C 0 lsass.exe
File pos Mem pos ID Text
======== ======= == ====
000000003B14 000000404714 0 getProcessEntry
000000003B24 000000404724 0 OpenProcess
000000003B30 000000404730 0 GetExitCodeThread
000000003B44 000000404744 0 VirtualFreeEx
000000003CCC 0000004048CC 0 kernel32.dll
000000003CDC 0000004048DC 0 FindFirstFileA
000000003CEC 0000004048EC 0 FindNextFileA
000000003CFC 0000004048FC 0 FindClose
000000003D08 000000404908 0 lstrcpy
000000003D10 000000404910 0 DeleteFileA
000000003D1C 00000040491C 0 Sleep
000000003D24 000000404924 0 \Prefetch\
000000003D30 000000404930 0 -*.pf
000000003D38 000000404938 0 SVWUhpI@
000000003D70 000000404970 0 kernel32.dll
000000003DC4 0000004049C4 0 VirtualProtect
000000003E8C 000000404A8C 0 C:\Diebold
00000000404C 00000040504C 0 Error
000000004054 000000405054 0 Runtime error at 00000000
000000004074 000000405074 0 0123456789ABCDEF
0000000043C8 0000004071C8 0 kernel32.dll
0000000043D8 0000004071D8 0 DeleteCriticalSection
0000000043F0 0000004071F0 0 LeaveCriticalSection
000000004408 000000407208 0 EnterCriticalSection
000000004420 000000407220 0 InitializeCriticalSection
00000000443C 00000040723C 0 VirtualFree
00000000444A 00000040724A 0 VirtualAlloc
00000000445A 00000040725A 0 LocalFree
000000004466 000000407266 0 LocalAlloc
000000004474 000000407274 0 GetVersion
000000004482 000000407282 0 GetCurrentThreadId
000000004498 000000407298 0 GetThreadLocale
0000000044AA 0000004072AA 0 GetStartupInfoA
0000000044BC 0000004072BC 0 GetLocaleInfoA
0000000044CE 0000004072CE 0 GetCommandLineA
0000000044E0 0000004072E0 0 FreeLibrary
0000000044EE 0000004072EE 0 ExitProcess
0000000044FC 0000004072FC 0 WriteFile
000000004508 000000407308 0 UnhandledExceptionFilter
000000004524 000000407324 0 RtlUnwind
000000004530 000000407330 0 RaiseException
000000004542 000000407342 0 GetStdHandle
000000004550 000000407350 0 user32.dll
00000000455E 00000040735E 0 GetKeyboardType
000000004570 000000407370 0 MessageBoxA
00000000457C 00000040737C 0 advapi32.dll
00000000458C 00000040738C 0 RegQueryValueExA
0000000045A0 0000004073A0 0 RegOpenKeyExA
0000000045B0 0000004073B0 0 RegCloseKey
0000000045BC 0000004073BC 0 kernel32.dll
0000000045CC 0000004073CC 0 TlsSetValue
0000000045DA 0000004073DA 0 TlsGetValue
0000000045E8 0000004073E8 0 LocalAlloc
0000000045F6 0000004073F6 0 GetModuleHandleA
000000004608 000000407408 0 kernel32.dll
000000004618 000000407418 0 lstrlenA
000000004624 000000407424 0 lstrcpyA
000000004630 000000407430 0 lstrcmpiA
00000000463C 00000040743C 0 lstrcatA
000000004648 000000407448 0 WriteFile
File pos Mem pos ID Text
======== ======= == ====
000000004654 000000407454 0 WaitForSingleObject
00000000466A 00000040746A 0 VirtualProtect
00000000467C 00000040747C 0 VirtualFreeEx
00000000468C 00000040748C 0 TerminateProcess
0000000046A0 0000004074A0 0 Sleep
0000000046A8 0000004074A8 0 ReadFile
0000000046B4 0000004074B4 0 OpenProcess
0000000046C2 0000004074C2 0 LocalFree
0000000046CE 0000004074CE 0 LocalAlloc
0000000046DC 0000004074DC 0 GetWindowsDirectoryA
0000000046F4 0000004074F4 0 GetVolumeInformationA
00000000470C 00000040750C 0 GetTickCount
00000000471C 00000040751C 0 GetProcAddress
00000000472E 00000040752E 0 GetModuleHandleA
000000004742 000000407542 0 GetModuleFileNameA
000000004758 000000407558 0 GetLastError
000000004768 000000407568 0 GetFileSize
000000004776 000000407576 0 GetFileAttributesA
00000000478C 00000040758C 0 GetExitCodeThread
0000000047A0 0000004075A0 0 FormatMessageA
0000000047B2 0000004075B2 0 DeleteFileA
0000000047C0 0000004075C0 0 CreateFileA
0000000047CE 0000004075CE 0 CopyFileA
0000000047DA 0000004075DA 0 CloseHandle
0000000047E6 0000004075E6 0 user32.dll
0000000047F4 0000004075F4 0 MessageBoxA
000000004800 000000407600 0 advapi32.dll
000000004810 000000407610 0 StartServiceA
000000004820 000000407620 0 QueryServiceStatus
000000004836 000000407636 0 QueryServiceConfigA
00000000484C 00000040764C 0 OpenServiceA
00000000485C 00000040765C 0 OpenSCManagerA
00000000486E 00000040766E 0 ControlService
000000004880 000000407680 0 CloseServiceHandle
000000004C0F 00000040A00F 0 0"0*020:0B0J0R0Z0b0j0r0z0
000000004C55 00000040A055 0 5)5D5
000000004C5B 00000040A05B 0 5&7b7
000000004C7D 00000040A07D 0 8$868B8Q8]8e8p8v8
000000004CA9 00000040A0A9 0 9*9K9c9
000000004CB9 00000040A0B9 0 9G:g:
000000004CCB 00000040A0CB 0 < <+<4<;<J<Q<s<
000000004CDD 00000040A0DD 0 <Y=w=|=
000000004CED 00000040A0ED 0 >R>[>q>
000000004CFD 00000040A0FD 0 ?"?L?U?e?m?s?|?
000000004D29 00000040A129 0 000<0D0[0j0z0
000000004D47 00000040A147 0 1n1t1|1
000000004D59 00000040A159 0 2e2l2|2
000000004D7D 00000040A17D 0 4?4_4z4
000000004D89 00000040A189 0 4m5Z6
000000004D9B 00000040A19B 0 7Y7n7
000000004DAD 00000040A1AD 0 8"868@8S8
000000004DBF 00000040A1BF 0 8)909R9
000000004DCB 00000040A1CB 0 ;7;>;V;x;
000000004DFB 00000040A1FB 0 ='=D=N=s=}=
000000004E1B 00000040A21B 0 >->A>
000000004E39 00000040A239 0 0!0*060=0x0
000000004E4F 00000040A24F 0 1!121?1F1J1P1T1Z1a1e1
000000004E7D 00000040A27D 0 2F2p2~2
000000004E9D 00000040A29D 0 3,3>3K3W3d3v3~3
000000004ED3 00000040A2D3 0 4&4.464>4F4N4V4
File pos Mem pos ID Text
======== ======= == ====
000000004EE3 00000040A2E3 0 4f4{4
000000004F05 00000040A305 0 5,5A5N5S5
000000004F0F 00000040A30F 0 5e5r5w5
000000004F39 00000040A339 0 6&6+686=6J6O6\6g6
000000004F51 00000040A351 0 8+8?8K8X8j8
000000004F5F 00000040A35F 0 9c<i<n<
000000004F8B 00000040A38B 0 00050}0
000000004F97 00000040A397 0 0+101Y1
000000004FA9 00000040A3A9 0 2(3;3
000000004FB7 00000040A3B7 0 5+6O6q6
000000004FD1 00000040A3D1 0 8$8@8
000000004FDB 00000040A3DB 0 8=9I9S9
000000004FFD 00000040A3FD 0 : :$:(:,:0:8:C:M:r:|:
00000000501C 00000040A41C 0 $0(0,0
0000000052CE 00000040B0CE 0 Install1
0000000052D8 00000040B0D8 0 UTypes
0000000052E1 00000040B0E1 0 System
0000000052EA 00000040B0EA 0 SysInit
0000000052F4 00000040B0F4 0 TlHelp32
0000000052FE 00000040B0FE 0 KWindows
000000005309 00000040B109 0 WinSvc
000000005298 00000040B098 0 PACKAGEINFO
=== DOWNLOAD ===
Mirror provided by vx-underground.org, thx!