ATM MALWARE NOTICE
4035d977202b44666885f9781ac8755c799350a03838ff782eb730c0d7069958
Date...........: 2016-08-02
Family.........: ATMSpitter
File name......: cngdisp.exe
File size......: 51.50 KB
Type file......: EXE/Windows
Virscan........: VT - HA
Documentation..: https://usa.visa.com/dam/VCOM/global/partner-with-us/documents/visa-technical-analysis-atm-jackpottingmalware.pdf
Additional note: Date check (2016) at 0x408729 and 0x408735
ATMSpitter for CSCWCNG.DLL
=== PEDUMP REPORT ===
=== MZ Header ===
signature: "MZ"
bytes_in_last_block: 144 0x90
blocks_in_file: 3 3
num_relocs: 0 0
header_paragraphs: 4 4
min_extra_paragraphs: 0 0
max_extra_paragraphs: 65535 0xffff
ss: 0 0
sp: 184 0xb8
checksum: 0 0
ip: 0 0
cs: 0 0
reloc_table_offset: 64 0x40
overlay_number: 0 0
reserved0: 0 0
oem_id: 0 0
oem_info: 0 0
reserved2: 0 0
reserved3: 0 0
reserved4: 0 0
reserved5: 0 0
reserved6: 0 0
lfanew: 240 0xf0
=== DOS STUB ===
00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
=== RICH Header ===
LIB_ID VERSION TIMES_USED
171 ab 30319 766f 23 17
158 9e 30319 766f 17 11
170 aa 30319 766f 87 57
147 93 30729 7809 4 4
4 4 8447 20ff 3 3
1 1 0 0 85 55
174 ae 30319 766f 1 1
157 9d 30319 766f 1 1
=== PE Header ===
signature: "PE\x00\x00"
# IMAGE_FILE_HEADER:
Machine: 332 0x14c x86
NumberOfSections: 5 5
TimeDateStamp: "2015-11-08 18:33:21"
PointerToSymbolTable: 0 0
NumberOfSymbols: 0 0
SizeOfOptionalHeader: 224 0xe0
Characteristics: 258 0x102 EXECUTABLE_IMAGE, 32BIT_MACHINE
# IMAGE_OPTIONAL_HEADER32:
Magic: 267 0x10b 32-bit executable
LinkerVersion: 10.0
SizeOfCode: 31744 0x7c00
SizeOfInitializedData: 19968 0x4e00
SizeOfUninitializedData: 0 0
AddressOfEntryPoint: 5355 0x14eb
BaseOfCode: 4096 0x1000
BaseOfData: 36864 0x9000
ImageBase: 4194304 0x400000
SectionAlignment: 4096 0x1000
FileAlignment: 512 0x200
OperatingSystemVersion: 5.1
ImageVersion: 0.0
SubsystemVersion: 5.1
Reserved1: 0 0
SizeOfImage: 69632 0x11000
SizeOfHeaders: 1024 0x400
CheckSum: 104745 0x19929
Subsystem: 3 3 WINDOWS_CUI
DllCharacteristics: 33088 0x8140 DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
SizeOfStackReserve: 1048576 0x100000
SizeOfStackCommit: 4096 0x1000
SizeOfHeapReserve: 1048576 0x100000
SizeOfHeapCommit: 4096 0x1000
LoaderFlags: 0 0
NumberOfRvaAndSizes: 16 0x10
=== DATA DIRECTORY ===
EXPORT rva:0x 0 size:0x 0
IMPORT rva:0x b854 size:0x 50
RESOURCE rva:0x f000 size:0x 1b4
EXCEPTION rva:0x 0 size:0x 0
SECURITY rva:0x 0 size:0x 0
BASERELOC rva:0x 10000 size:0x 7e4
DEBUG rva:0x 0 size:0x 0
ARCHITECTURE rva:0x 0 size:0x 0
GLOBALPTR rva:0x 0 size:0x 0
TLS rva:0x 0 size:0x 0
LOAD_CONFIG rva:0x b530 size:0x 40
Bound_IAT rva:0x 0 size:0x 0
IAT rva:0x 9000 size:0x 134
Delay_IAT rva:0x 0 size:0x 0
CLR_Header rva:0x 0 size:0x 0
rva:0x 0 size:0x 0
=== SECTIONS ===
NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
.text 1000 7a57 7c00 400 0 0 0 0 60000020 R-X CODE
.rdata 9000 2eca 3000 8000 0 0 0 0 40000040 R-- IDATA
.data c000 2ba4 e00 b000 0 0 0 0 c0000040 RW- IDATA
.rsrc f000 1b4 200 be00 0 0 0 0 40000040 R-- IDATA
.reloc 10000 cb6 e00 c000 0 0 0 0 42000040 R-- IDATA DISCARDABLE
=== RESOURCES ===
FILE_OFFSET CP LANG SIZE TYPE NAME
0xbe58 1252 0x409 346 MANIFEST #1
=== IMPORTS ===
MODULE_NAME HINT ORD FUNCTION_NAME
CSCWCNG.dll 15
CSCWCNG.dll 16
CSCWCNG.dll 1a
CSCWCNG.dll 2b
CSCWCNG.dll 2a
CSCWCNG.dll 1b
KERNEL32.dll 88 CreateFileA
KERNEL32.dll 466 SetFilePointer
KERNEL32.dll 54d lstrlenA
KERNEL32.dll 525 WriteFile
KERNEL32.dll 52 CloseHandle
KERNEL32.dll 277 GetSystemTime
KERNEL32.dll 157 FlushFileBuffers
KERNEL32.dll 202 GetLastError
KERNEL32.dll 2cf HeapFree
KERNEL32.dll 2cb HeapAlloc
KERNEL32.dll 186 GetCommandLineA
KERNEL32.dll 2d3 HeapSetInformation
KERNEL32.dll ca DecodePointer
KERNEL32.dll 4d3 UnhandledExceptionFilter
KERNEL32.dll 4a5 SetUnhandledExceptionFilter
KERNEL32.dll 300 IsDebuggerPresent
KERNEL32.dll ea EncodePointer
KERNEL32.dll 4c0 TerminateProcess
KERNEL32.dll 1c0 GetCurrentProcess
KERNEL32.dll 2cd HeapCreate
KERNEL32.dll 245 GetProcAddress
KERNEL32.dll 218 GetModuleHandleW
KERNEL32.dll 119 ExitProcess
KERNEL32.dll 264 GetStdHandle
KERNEL32.dll 214 GetModuleFileNameW
KERNEL32.dll ee EnterCriticalSection
KERNEL32.dll 339 LeaveCriticalSection
KERNEL32.dll 213 GetModuleFileNameA
KERNEL32.dll 161 FreeEnvironmentStringsW
KERNEL32.dll 511 WideCharToMultiByte
KERNEL32.dll 1da GetEnvironmentStringsW
KERNEL32.dll 46f SetHandleCount
KERNEL32.dll 2e3 InitializeCriticalSectionAndSpinCount
KERNEL32.dll 1f3 GetFileType
KERNEL32.dll 263 GetStartupInfoW
KERNEL32.dll d1 DeleteCriticalSection
KERNEL32.dll 4c5 TlsAlloc
KERNEL32.dll 4c7 TlsGetValue
KERNEL32.dll 4c8 TlsSetValue
KERNEL32.dll 4c6 TlsFree
KERNEL32.dll 2ef InterlockedIncrement
KERNEL32.dll 473 SetLastError
KERNEL32.dll 1c5 GetCurrentThreadId
KERNEL32.dll 2eb InterlockedDecrement
KERNEL32.dll 3a7 QueryPerformanceCounter
KERNEL32.dll 293 GetTickCount
KERNEL32.dll 1c1 GetCurrentProcessId
KERNEL32.dll 279 GetSystemTimeAsFileTime
KERNEL32.dll 19a GetConsoleCP
KERNEL32.dll 1ac GetConsoleMode
KERNEL32.dll 172 GetCPInfo
KERNEL32.dll 168 GetACP
KERNEL32.dll 237 GetOEMCP
KERNEL32.dll 30a IsValidCodePage
KERNEL32.dll 4b2 Sleep
KERNEL32.dll 33f LoadLibraryW
KERNEL32.dll 418 RtlUnwind
KERNEL32.dll 487 SetStdHandle
KERNEL32.dll 524 WriteConsoleW
KERNEL32.dll 367 MultiByteToWideChar
KERNEL32.dll 32d LCMapStringW
KERNEL32.dll 269 GetStringTypeW
KERNEL32.dll 2d2 HeapReAlloc
KERNEL32.dll 304 IsProcessorFeaturePresent
KERNEL32.dll 2d4 HeapSize
KERNEL32.dll 8f CreateFileW
USER32.dll 334 wvsprintfA
USER32.dll 332 wsprintfA
=== Packer / Compiler ===
MS Visual C++ v8.0
=== Strings ===
File pos Mem pos ID Text
======== ======= == ====
00000000004D 00000040004D 0 !This program cannot be run in DOS mode.
0000000001E8 0000004001E8 0 .text
000000000210 000000400210 0 .rdata
000000000237 000000400237 0 @.data
000000000260 000000400260 0 .rsrc
000000000287 000000400287 0 @.reloc
000000008180 000000409180 0 (null)
0000000081A9 0000004091A9 0 ( 8PX
0000000081B1 0000004091B1 0 700WP
0000000081C9 0000004091C9 0 xpxxxx
0000000081E4 0000004091E4 0 CorExitProcess
000000008CBC 000000409CBC 0 FlsFree
000000008CC4 000000409CC4 0 FlsSetValue
000000008CD0 000000409CD0 0 FlsGetValue
000000008CDC 000000409CDC 0 FlsAlloc
000000008F0C 000000409F0C 0 HH:mm:ss
000000008F18 000000409F18 0 dddd, MMMM dd, yyyy
000000008F2C 000000409F2C 0 MM/dd/yy
000000008F40 000000409F40 0 December
000000008F4C 000000409F4C 0 November
000000008F58 000000409F58 0 October
000000008F60 000000409F60 0 September
000000008F6C 000000409F6C 0 August
000000008F84 000000409F84 0 April
000000008F8C 000000409F8C 0 March
000000008F94 000000409F94 0 February
000000008FA0 000000409FA0 0 January
000000008FD8 000000409FD8 0 Saturday
000000008FE4 000000409FE4 0 Friday
000000008FEC 000000409FEC 0 Thursday
000000008FF8 000000409FF8 0 Wednesday
000000009004 00000040A004 0 Tuesday
00000000900C 00000040A00C 0 Monday
000000009014 00000040A014 0 Sunday
00000000905D 00000040A05D 0 ('8PW
000000009066 00000040A066 0 700PP
000000009081 00000040A081 0 xppwpp
000000009094 00000040A094 0 GetProcessWindowStation
0000000090AC 00000040A0AC 0 GetUserObjectInformationW
0000000090C8 00000040A0C8 0 GetLastActivePopup
0000000090DC 00000040A0DC 0 GetActiveWindow
0000000090EC 00000040A0EC 0 MessageBoxW
00000000912F 00000040A12F 0 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]
000000009170 00000040A170 0 abcdefghijklmnopqrstuvwxyz{|}~
000000009738 00000040A738 0 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]
000000009779 00000040A779 0 abcdefghijklmnopqrstuvwxyz{|}~
0000000098B8 00000040A8B8 0 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]
0000000098F9 00000040A8F9 0 ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0000000099B0 00000040A9B0 0 StClass =
0000000099C0 00000040A9C0 0 STCLASS_OK
0000000099CC 00000040A9CC 0 STCLASS_ERROR_COMM
0000000099E0 00000040A9E0 0 STCLASS_ERROR_CNG
0000000099F4 00000040A9F4 0 STCLASS_ERROR_EDS
000000009A08 00000040AA08 0 STCLASS_ERROR_INI
000000009A1C 00000040AA1C 0 STCLASS_ERROR_LDR
000000009A34 00000040AA34 0 StCode =
000000009A44 00000040AA44 0 CSC_INVALID_SPEC
000000009A58 00000040AA58 0 CSC_INVALID_HANDLE
000000009A6C 00000040AA6C 0 CSC_INVALID_LOGICAL_ID
000000009A84 00000040AA84 0 CSC_INVALID_PINDATA
000000009A9C 00000040AA9C 0 CSC_INVALID_INLEN
000000009AB0 00000040AAB0 0 CSC_INVALID_OUTLEN
000000009AC4 00000040AAC4 0 CSC_INVALID_POUTDATA
000000009ADC 00000040AADC 0 CSC_DEVICE_ALREADY_OPENED
000000009AF8 00000040AAF8 0 CNG_INVALID_VARIANT
000000009B10 00000040AB10 0 CNG_INVALID_RESPONSE
000000009B28 00000040AB28 0 CNG_INVALID_RECOVERY
000000009B40 00000040AB40 0 CNG_FIRMWARE_INCOMPLETE
000000009B60 00000040AB60 0 CNG_FRM_CONTEXT (<nSTA>!=R --> cassette error; <TF>=N --> transport path is not free; <SHERR>=B --> shutter error; <TER>=M --> possible manipulation)
000000009BF8 00000040ABF8 0 CNG_FRM_SYNTAX (Invalid cassette ID; Too many tries to dispense (> 10); Number of notes > maximum value (standard CNG: 60; ProCash Compact: 20))
000000009C8C 00000040AC8C 0 CNG_FRM_SW_MISSING (Firmware not loaded)
000000009CB8 00000040ACB8 0 CNG_FRM_ACCESS_ERROR
000000009CD0 00000040ACD0 0 CNG_FRM_ACCESS_CONTEXT
000000009CE8 00000040ACE8 0 CNG_FRM_SCOP
000000009CF8 00000040ACF8 0 CNG_FRM_ACCESS_DEVICE_NOT_READY
000000009D20 00000040AD20 0 CNG_FRM_DEVICE_NOT_READY (<S_SW>=O --> safety switch open; <DLOC>=Y --> device lock activated; <CAS>=N --> minimum configuration (reject box + cash-out cassette); <SR>=R --> single reject switch defective (is in reject direction); <TER>=J --> banknote jam; <OR>=Y --> operator request; <TST>=Y --> self-test active)
000000009E60 00000040AE60 0 CNG_FRM_ERROR (<nSTA>=E --> the cassette is empty; <DIS>=M --> too many banknotes with wrong size; <nSTA>=R --> timeout: no receipts for dispensing available (for printing cassette only); <DIS>=S --> too many multiple-banknote dispensing operations; <DIS>=N --> banknote dispensing is not possible*; <DIS>=J --> banknote jam has occurred during dispensing; <DIS>=E --> too many bundle rejects)
000000009FEC 00000040AFEC 0 CNG_FRM_ERROR_DECRYPTION
00000000A008 00000040B008 0 StWarn =
00000000A018 00000040B018 0 CNG_WARN_MONEY_NOT_REMOVED
00000000A034 00000040B034 0 CNG_WARN_MONEY_REMOVED
00000000A04C 00000040B04C 0 CNG_NO_FIRMWARE
00000000A060 00000040B060 0 CNG_NO_ACTUAL_FIRMWARE
00000000A078 00000040B078 0 CNG_WARN_LED
00000000A088 00000040B088 0 displog.txt
00000000A098 00000040B098 0 Congratulations! You are very skilled in reverse engineering! :)
00000000A0DC 00000040B0DC 0 CSCCNG
00000000A0E4 00000040B0E4 0 Usage: %s <Cassette Slot Number (D)> <Banknotes Count (DD)>
00000000A128 00000040B128 0 Invalid Parameter: Cassette Slot Number. Must be a digit from 1 to 9
00000000A170 00000040B170 0 Invalid Parameter: Banknotes Count. Must be a digit from 1 to 60
00000000A1B4 00000040B1B4 0 %s,%s;
00000000A1BC 00000040B1BC 0 Connecting to the CNG...
00000000A1D8 00000040B1D8 0 CscCngOpen/CscCdmOpen failed with error:
00000000A204 00000040B204 0 CscCngOpen/CscCdmOpen failed with error:
00000000A22D 00000040B22D 0 System Failure
00000000A240 00000040B240 0 Successfully connected!
00000000A25C 00000040B25C 0 Locking device for exclusive access...
00000000A284 00000040B284 0 CscCngLock/CscCdmLock failed with error:
00000000A2B0 00000040B2B0 0 Device successfully locked!
00000000A2D0 00000040B2D0 0 Dispensing cash to collection tray...
00000000A2F8 00000040B2F8 0 CscCngDispense/CscCdmDispense failed with error:
00000000A32C 00000040B32C 0 Dispensed Successfully! Raw Response: %s
00000000A358 00000040B358 0 Transporting cash to wait pos...
00000000A37C 00000040B37C 0 CscCngTransport failed with error:
00000000A3A0 00000040B3A0 0 Cash successfully transported to the wait pos.
00000000A3D0 00000040B3D0 0 Transporting cash to customer...
00000000A3F4 00000040B3F4 0 CscCngTransport/CscCdmTransport failed with error:
00000000A428 00000040B428 0 Cash successfully transported to the customer!
00000000A458 00000040B458 0 %s:%s
00000000A460 00000040B460 0 Unlocking device...
00000000A478 00000040B478 0 CscCngUnlock/CscCdmUnlock failed with error:
00000000A4A8 00000040B4A8 0 Device successfully unlocked.
00000000A4C8 00000040B4C8 0 Disconnecting from CNG...
00000000A4E4 00000040B4E4 0 CscCngClose/CscCdmClose failed with error:
00000000A510 00000040B510 0 Successfully disconnected.
00000000A9D8 00000040B9D8 0 CSCWCNG.dll
00000000A9E6 00000040B9E6 0 CreateFileA
00000000A9F4 00000040B9F4 0 SetFilePointer
00000000AA06 00000040BA06 0 lstrlenA
00000000AA12 00000040BA12 0 WriteFile
00000000AA1E 00000040BA1E 0 CloseHandle
00000000AA2C 00000040BA2C 0 GetSystemTime
00000000AA3A 00000040BA3A 0 KERNEL32.dll
00000000AA4A 00000040BA4A 0 wvsprintfA
00000000AA58 00000040BA58 0 wsprintfA
00000000AA62 00000040BA62 0 USER32.dll
00000000AA70 00000040BA70 0 GetLastError
00000000AA80 00000040BA80 0 HeapFree
00000000AA8C 00000040BA8C 0 HeapAlloc
00000000AA98 00000040BA98 0 GetCommandLineA
00000000AAAA 00000040BAAA 0 HeapSetInformation
00000000AAC0 00000040BAC0 0 DecodePointer
00000000AAD0 00000040BAD0 0 UnhandledExceptionFilter
00000000AAEC 00000040BAEC 0 SetUnhandledExceptionFilter
00000000AB0A 00000040BB0A 0 IsDebuggerPresent
00000000AB1E 00000040BB1E 0 EncodePointer
00000000AB2E 00000040BB2E 0 TerminateProcess
00000000AB42 00000040BB42 0 GetCurrentProcess
00000000AB56 00000040BB56 0 HeapCreate
00000000AB64 00000040BB64 0 GetProcAddress
00000000AB76 00000040BB76 0 GetModuleHandleW
00000000AB8A 00000040BB8A 0 ExitProcess
00000000AB98 00000040BB98 0 GetStdHandle
00000000ABA8 00000040BBA8 0 GetModuleFileNameW
00000000ABBE 00000040BBBE 0 EnterCriticalSection
00000000ABD6 00000040BBD6 0 LeaveCriticalSection
00000000ABEE 00000040BBEE 0 GetModuleFileNameA
00000000AC04 00000040BC04 0 FreeEnvironmentStringsW
00000000AC1E 00000040BC1E 0 WideCharToMultiByte
00000000AC34 00000040BC34 0 GetEnvironmentStringsW
00000000AC4E 00000040BC4E 0 SetHandleCount
00000000AC60 00000040BC60 0 InitializeCriticalSectionAndSpinCount
00000000AC88 00000040BC88 0 GetFileType
00000000AC96 00000040BC96 0 GetStartupInfoW
00000000ACA8 00000040BCA8 0 DeleteCriticalSection
00000000ACC0 00000040BCC0 0 TlsAlloc
00000000ACCC 00000040BCCC 0 TlsGetValue
00000000ACDA 00000040BCDA 0 TlsSetValue
00000000ACE8 00000040BCE8 0 TlsFree
00000000ACF2 00000040BCF2 0 InterlockedIncrement
00000000AD0A 00000040BD0A 0 SetLastError
00000000AD1A 00000040BD1A 0 GetCurrentThreadId
00000000AD30 00000040BD30 0 InterlockedDecrement
00000000AD48 00000040BD48 0 QueryPerformanceCounter
00000000AD62 00000040BD62 0 GetTickCount
00000000AD72 00000040BD72 0 GetCurrentProcessId
00000000AD88 00000040BD88 0 GetSystemTimeAsFileTime
00000000ADA2 00000040BDA2 0 GetConsoleCP
00000000ADB2 00000040BDB2 0 GetConsoleMode
00000000ADC4 00000040BDC4 0 GetCPInfo
00000000ADD0 00000040BDD0 0 GetACP
00000000ADDA 00000040BDDA 0 GetOEMCP
00000000ADE6 00000040BDE6 0 IsValidCodePage
00000000ADF8 00000040BDF8 0 Sleep
00000000AE00 00000040BE00 0 LoadLibraryW
00000000AE10 00000040BE10 0 RtlUnwind
00000000AE1C 00000040BE1C 0 SetStdHandle
00000000AE2C 00000040BE2C 0 WriteConsoleW
00000000AE3C 00000040BE3C 0 MultiByteToWideChar
00000000AE52 00000040BE52 0 LCMapStringW
00000000AE62 00000040BE62 0 GetStringTypeW
00000000AE74 00000040BE74 0 HeapReAlloc
00000000AE82 00000040BE82 0 IsProcessorFeaturePresent
00000000AE9E 00000040BE9E 0 HeapSize
00000000AEAA 00000040BEAA 0 FlushFileBuffers
00000000AEBE 00000040BEBE 0 CreateFileW
00000000B4CE 00000040C4CE 0
00000000B5AE 00000040C5AE 0 abcdefghijklmnopqrstuvwxyz
00000000B5CE 00000040C5CE 0 ABCDEFGHIJKLMNOPQRSTUVWXYZ
00000000B6D2 00000040C6D2 0
00000000B7B9 00000040C7B9 0 abcdefghijklmnopqrstuvwxyz
00000000B7D9 00000040C7D9 0 ABCDEFGHIJKLMNOPQRSTUVWXYZ
00000000BE58 00000040F058 0 <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
00000000BEA3 00000040F0A3 0 <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
00000000BEDB 00000040F0DB 0 <security>
00000000BEEB 00000040F0EB 0 <requestedPrivileges>
00000000BF08 00000040F108 0 <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
00000000BF68 00000040F168 0 </requestedPrivileges>
00000000BF86 00000040F186 0 </security>
00000000BF97 00000040F197 0 </trustInfo>
00000000BFA7 00000040F1A7 0 </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
000000008170 000000409170 0 (null)
0000000081F4 0000004091F4 0 mscoree.dll
00000000820C 00000040920C 0 runtime error
000000008B3F 000000409B3F 0 @Microsoft Visual C++ Runtime Library
000000008B9C 000000409B9C 0 <program name unknown>
000000008BEC 000000409BEC 0 Program:
000000008CA0 000000409CA0 0 KERNEL32.DLL
000000008CE8 000000409CE8 0 HH:mm:ss
000000008CFC 000000409CFC 0 dddd, MMMM dd, yyyy
000000008D24 000000409D24 0 MM/dd/yy
000000008D48 000000409D48 0 December
000000008D5C 000000409D5C 0 November
000000008D70 000000409D70 0 October
000000008D80 000000409D80 0 September
000000008D94 000000409D94 0 August
000000008DBC 000000409DBC 0 April
000000008DC8 000000409DC8 0 March
000000008DD4 000000409DD4 0 February
000000008DE8 000000409DE8 0 January
000000008E58 000000409E58 0 Saturday
000000008E6C 000000409E6C 0 Friday
000000008E7C 000000409E7C 0 Thursday
000000008E90 000000409E90 0 Wednesday
000000008EA4 000000409EA4 0 Tuesday
000000008EB4 000000409EB4 0 Monday
000000008EC4 000000409EC4 0 Sunday
0000000090F7 00000040A0F7 0 WUSER32.DLL
00000000999F 00000040A99F 0 @CONOUT$
00000000004D 00000040004D 0 !This program cannot be run in DOS mode.
0000000001E8 0000004001E8 0 .text
000000000210 000000400210 0 .rdata
000000000237 000000400237 0 @.data
000000000260 000000400260 0 .rsrc
000000000287 000000400287 0 @.reloc
000000000D3D 00000040193D 0 t%HHt
000000000F7F 000000401B7F 0 HHtXHHt
00000000106F 000000401C6F 0 HHty+
0000000014D5 0000004020D5 0 ?If90t
0000000018BF 0000004024BF 0 PPPPP
000000001A61 000000402661 0 uTVWh
000000001D47 000000402947 0 PPPPP
000000001DC9 0000004029C9 0 SSSSS
000000002860 000000403460 0 t?VSP
0000000028BA 0000004034BA 0 PPPPP
0000000029EB 0000004035EB 0 < tK< tG
000000002B35 000000403735 0 wf93t
000000002B5A 00000040375A 0 @PSVV
000000002C2A 00000040382A 0 SWf9M
000000004A02 000000405602 0 QSWVj
000000004B4B 00000040574B 0 v N+D$
0000000057BA 0000004063BA 0 ~,WPV
00000000593F 00000040653F 0 URPQQh
File pos Mem pos ID Text
======== ======= == ====
000000005A5A 00000040665A 0 Rhff@
000000005F23 000000406B23 0 9](SS
000000006069 000000406C69 0 t"SS9] u
000000006129 000000406D29 0 9] SS
0000000065EB 0000004071EB 0 v4;5\
0000000066E9 0000004072E9 0 vL;5t
000000006DE6 0000004079E6 0 PPPPPPPP
000000006EC6 000000407AC6 0 PPPPPPPP
0000000070C3 000000407CC3 0 SVWUj
000000007164 000000407D64 0 ;t$,v-
0000000071E9 000000407DE9 0 UQPXY]Y[
000000007742 000000408342 0 wctO
00000000774E 00000040834E 0 t3It
0000000078B8 0000004084B8 0 w9t(-
0000000078C4 0000004084C4 0 Hu7hL
0000000078F8 0000004084F8 0 (t%Ht
0000000078FF 0000004084FF 0 E$Ph0
0000000079B8 0000004085B8 0
000000007A1A 00000040861A 0 D$<120
000000007B24 000000408724 0 f9L$P
000000007D3B 00000040893B 0 L$LPQhX
000000008180 000000409180 0 (null)
0000000081A9 0000004091A9 0 ( 8PX
0000000081B1 0000004091B1 0 700WP
0000000081C9 0000004091C9 0 xpxxxx
0000000081E4 0000004091E4 0 CorExitProcess
000000008CBC 000000409CBC 0 FlsFree
000000008CC4 000000409CC4 0 FlsSetValue
000000008CD0 000000409CD0 0 FlsGetValue
000000008CDC 000000409CDC 0 FlsAlloc
000000008F0C 000000409F0C 0 HH:mm:ss
000000008F18 000000409F18 0 dddd, MMMM dd, yyyy
000000008F2C 000000409F2C 0 MM/dd/yy
000000008F40 000000409F40 0 December
000000008F4C 000000409F4C 0 November
000000008F58 000000409F58 0 October
000000008F60 000000409F60 0 September
000000008F6C 000000409F6C 0 August
000000008F84 000000409F84 0 April
000000008F8C 000000409F8C 0 March
000000008F94 000000409F94 0 February
000000008FA0 000000409FA0 0 January
000000008FD8 000000409FD8 0 Saturday
000000008FE4 000000409FE4 0 Friday
000000008FEC 000000409FEC 0 Thursday
000000008FF8 000000409FF8 0 Wednesday
000000009004 00000040A004 0 Tuesday
00000000900C 00000040A00C 0 Monday
000000009014 00000040A014 0 Sunday
00000000905D 00000040A05D 0 ('8PW
000000009066 00000040A066 0 700PP
000000009081 00000040A081 0 xppwpp
000000009094 00000040A094 0 GetProcessWindowStation
0000000090AC 00000040A0AC 0 GetUserObjectInformationW
0000000090C8 00000040A0C8 0 GetLastActivePopup
0000000090DC 00000040A0DC 0 GetActiveWindow
0000000090EC 00000040A0EC 0 MessageBoxW
00000000912F 00000040A12F 0 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]
000000009170 00000040A170 0 abcdefghijklmnopqrstuvwxyz{|}~
000000009738 00000040A738 0 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]
File pos Mem pos ID Text
======== ======= == ====
000000009779 00000040A779 0 abcdefghijklmnopqrstuvwxyz{|}~
0000000098B8 00000040A8B8 0 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]
0000000098F9 00000040A8F9 0 ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0000000099B0 00000040A9B0 0 StClass =
0000000099C0 00000040A9C0 0 STCLASS_OK
0000000099CC 00000040A9CC 0 STCLASS_ERROR_COMM
0000000099E0 00000040A9E0 0 STCLASS_ERROR_CNG
0000000099F4 00000040A9F4 0 STCLASS_ERROR_EDS
000000009A08 00000040AA08 0 STCLASS_ERROR_INI
000000009A1C 00000040AA1C 0 STCLASS_ERROR_LDR
000000009A34 00000040AA34 0 StCode =
000000009A44 00000040AA44 0 CSC_INVALID_SPEC
000000009A58 00000040AA58 0 CSC_INVALID_HANDLE
000000009A6C 00000040AA6C 0 CSC_INVALID_LOGICAL_ID
000000009A84 00000040AA84 0 CSC_INVALID_PINDATA
000000009A9C 00000040AA9C 0 CSC_INVALID_INLEN
000000009AB0 00000040AAB0 0 CSC_INVALID_OUTLEN
000000009AC4 00000040AAC4 0 CSC_INVALID_POUTDATA
000000009ADC 00000040AADC 0 CSC_DEVICE_ALREADY_OPENED
000000009AF8 00000040AAF8 0 CNG_INVALID_VARIANT
000000009B10 00000040AB10 0 CNG_INVALID_RESPONSE
000000009B28 00000040AB28 0 CNG_INVALID_RECOVERY
000000009B40 00000040AB40 0 CNG_FIRMWARE_INCOMPLETE
000000009B60 00000040AB60 0 CNG_FRM_CONTEXT (<nSTA>!=R --> cassette error; <TF>=N --> transport path is not free; <SHERR>=B --> shutter error; <TER>=M --> possible manipulation)
000000009BF8 00000040ABF8 0 CNG_FRM_SYNTAX (Invalid cassette ID; Too many tries to dispense (> 10); Number of notes > maximum value (standard CNG: 60; ProCash Compact: 20))
000000009C8C 00000040AC8C 0 CNG_FRM_SW_MISSING (Firmware not loaded)
000000009CB8 00000040ACB8 0 CNG_FRM_ACCESS_ERROR
000000009CD0 00000040ACD0 0 CNG_FRM_ACCESS_CONTEXT
000000009CE8 00000040ACE8 0 CNG_FRM_SCOP
000000009CF8 00000040ACF8 0 CNG_FRM_ACCESS_DEVICE_NOT_READY
000000009D20 00000040AD20 0 CNG_FRM_DEVICE_NOT_READY (<S_SW>=O --> safety switch open; <DLOC>=Y --> device lock activated; <CAS>=N --> minimum configuration (reject box + cash-out cassette); <SR>=R --> single reject switch defective (is in reject direction); <TER>=J --> banknote jam; <OR>=Y --> operator request; <TST>=Y --> self-test active)
000000009E60 00000040AE60 0 CNG_FRM_ERROR (<nSTA>=E --> the cassette is empty; <DIS>=M --> too many banknotes with wrong size; <nSTA>=R --> timeout: no receipts for dispensing available (for printing cassette only); <DIS>=S --> too many multiple-banknote dispensing operations; <DIS>=N --> banknote dispensing is not possible*; <DIS>=J --> banknote jam has occurred during dispensing; <DIS>=E --> too many bundle rejects)
000000009FEC 00000040AFEC 0 CNG_FRM_ERROR_DECRYPTION
00000000A008 00000040B008 0 StWarn =
00000000A018 00000040B018 0 CNG_WARN_MONEY_NOT_REMOVED
00000000A034 00000040B034 0 CNG_WARN_MONEY_REMOVED
00000000A04C 00000040B04C 0 CNG_NO_FIRMWARE
00000000A060 00000040B060 0 CNG_NO_ACTUAL_FIRMWARE
00000000A078 00000040B078 0 CNG_WARN_LED
00000000A088 00000040B088 0 displog.txt
00000000A098 00000040B098 0 Congratulations! You are very skilled in reverse engineering! :)
00000000A0DC 00000040B0DC 0 CSCCNG
00000000A0E4 00000040B0E4 0 Usage: %s <Cassette Slot Number (D)> <Banknotes Count (DD)>
00000000A128 00000040B128 0 Invalid Parameter: Cassette Slot Number. Must be a digit from 1 to 9
00000000A170 00000040B170 0 Invalid Parameter: Banknotes Count. Must be a digit from 1 to 60
00000000A1B4 00000040B1B4 0 %s,%s;
00000000A1BC 00000040B1BC 0 Connecting to the CNG...
00000000A1D8 00000040B1D8 0 CscCngOpen/CscCdmOpen failed with error:
00000000A204 00000040B204 0 CscCngOpen/CscCdmOpen failed with error:
00000000A22D 00000040B22D 0 System Failure
00000000A240 00000040B240 0 Successfully connected!
00000000A25C 00000040B25C 0 Locking device for exclusive access...
00000000A284 00000040B284 0 CscCngLock/CscCdmLock failed with error:
00000000A2B0 00000040B2B0 0 Device successfully locked!
00000000A2D0 00000040B2D0 0 Dispensing cash to collection tray...
00000000A2F8 00000040B2F8 0 CscCngDispense/CscCdmDispense failed with error:
00000000A32C 00000040B32C 0 Dispensed Successfully! Raw Response: %s
00000000A358 00000040B358 0 Transporting cash to wait pos...
00000000A37C 00000040B37C 0 CscCngTransport failed with error:
00000000A3A0 00000040B3A0 0 Cash successfully transported to the wait pos.
File pos Mem pos ID Text
======== ======= == ====
00000000A3D0 00000040B3D0 0 Transporting cash to customer...
00000000A3F4 00000040B3F4 0 CscCngTransport/CscCdmTransport failed with error:
00000000A428 00000040B428 0 Cash successfully transported to the customer!
00000000A458 00000040B458 0 %s:%s
00000000A460 00000040B460 0 Unlocking device...
00000000A478 00000040B478 0 CscCngUnlock/CscCdmUnlock failed with error:
00000000A4A8 00000040B4A8 0 Device successfully unlocked.
00000000A4C8 00000040B4C8 0 Disconnecting from CNG...
00000000A4E4 00000040B4E4 0 CscCngClose/CscCdmClose failed with error:
00000000A510 00000040B510 0 Successfully disconnected.
00000000A9D8 00000040B9D8 0 CSCWCNG.dll
00000000A9E6 00000040B9E6 0 CreateFileA
00000000A9F4 00000040B9F4 0 SetFilePointer
00000000AA06 00000040BA06 0 lstrlenA
00000000AA12 00000040BA12 0 WriteFile
00000000AA1E 00000040BA1E 0 CloseHandle
00000000AA2C 00000040BA2C 0 GetSystemTime
00000000AA3A 00000040BA3A 0 KERNEL32.dll
00000000AA4A 00000040BA4A 0 wvsprintfA
00000000AA58 00000040BA58 0 wsprintfA
00000000AA62 00000040BA62 0 USER32.dll
00000000AA70 00000040BA70 0 GetLastError
00000000AA80 00000040BA80 0 HeapFree
00000000AA8C 00000040BA8C 0 HeapAlloc
00000000AA98 00000040BA98 0 GetCommandLineA
00000000AAAA 00000040BAAA 0 HeapSetInformation
00000000AAC0 00000040BAC0 0 DecodePointer
00000000AAD0 00000040BAD0 0 UnhandledExceptionFilter
00000000AAEC 00000040BAEC 0 SetUnhandledExceptionFilter
00000000AB0A 00000040BB0A 0 IsDebuggerPresent
00000000AB1E 00000040BB1E 0 EncodePointer
00000000AB2E 00000040BB2E 0 TerminateProcess
00000000AB42 00000040BB42 0 GetCurrentProcess
00000000AB56 00000040BB56 0 HeapCreate
00000000AB64 00000040BB64 0 GetProcAddress
00000000AB76 00000040BB76 0 GetModuleHandleW
00000000AB8A 00000040BB8A 0 ExitProcess
00000000AB98 00000040BB98 0 GetStdHandle
00000000ABA8 00000040BBA8 0 GetModuleFileNameW
00000000ABBE 00000040BBBE 0 EnterCriticalSection
00000000ABD6 00000040BBD6 0 LeaveCriticalSection
00000000ABEE 00000040BBEE 0 GetModuleFileNameA
00000000AC04 00000040BC04 0 FreeEnvironmentStringsW
00000000AC1E 00000040BC1E 0 WideCharToMultiByte
00000000AC34 00000040BC34 0 GetEnvironmentStringsW
00000000AC4E 00000040BC4E 0 SetHandleCount
00000000AC60 00000040BC60 0 InitializeCriticalSectionAndSpinCount
00000000AC88 00000040BC88 0 GetFileType
00000000AC96 00000040BC96 0 GetStartupInfoW
00000000ACA8 00000040BCA8 0 DeleteCriticalSection
00000000ACC0 00000040BCC0 0 TlsAlloc
00000000ACCC 00000040BCCC 0 TlsGetValue
00000000ACDA 00000040BCDA 0 TlsSetValue
00000000ACE8 00000040BCE8 0 TlsFree
00000000ACF2 00000040BCF2 0 InterlockedIncrement
00000000AD0A 00000040BD0A 0 SetLastError
00000000AD1A 00000040BD1A 0 GetCurrentThreadId
00000000AD30 00000040BD30 0 InterlockedDecrement
00000000AD48 00000040BD48 0 QueryPerformanceCounter
00000000AD62 00000040BD62 0 GetTickCount
00000000AD72 00000040BD72 0 GetCurrentProcessId
00000000AD88 00000040BD88 0 GetSystemTimeAsFileTime
00000000ADA2 00000040BDA2 0 GetConsoleCP
00000000ADB2 00000040BDB2 0 GetConsoleMode
00000000ADC4 00000040BDC4 0 GetCPInfo
00000000ADD0 00000040BDD0 0 GetACP
00000000ADDA 00000040BDDA 0 GetOEMCP
00000000ADE6 00000040BDE6 0 IsValidCodePage
00000000ADF8 00000040BDF8 0 Sleep
00000000AE00 00000040BE00 0 LoadLibraryW
00000000AE10 00000040BE10 0 RtlUnwind
00000000AE1C 00000040BE1C 0 SetStdHandle
00000000AE2C 00000040BE2C 0 WriteConsoleW
00000000AE3C 00000040BE3C 0 MultiByteToWideChar
00000000AE52 00000040BE52 0 LCMapStringW
00000000AE62 00000040BE62 0 GetStringTypeW
00000000AE74 00000040BE74 0 HeapReAlloc
00000000AE82 00000040BE82 0 IsProcessorFeaturePresent
00000000AE9E 00000040BE9E 0 HeapSize
00000000AEAA 00000040BEAA 0 FlushFileBuffers
00000000AEBE 00000040BEBE 0 CreateFileW
00000000B4CE 00000040C4CE 0
00000000B5AE 00000040C5AE 0 abcdefghijklmnopqrstuvwxyz
00000000B5CE 00000040C5CE 0 ABCDEFGHIJKLMNOPQRSTUVWXYZ
00000000B6D2 00000040C6D2 0
00000000B7B9 00000040C7B9 0 abcdefghijklmnopqrstuvwxyz
00000000B7D9 00000040C7D9 0 ABCDEFGHIJKLMNOPQRSTUVWXYZ
00000000BE58 00000040F058 0 <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
00000000BEA3 00000040F0A3 0 <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
00000000BEDB 00000040F0DB 0 <security>
00000000BEEB 00000040F0EB 0 <requestedPrivileges>
00000000BF08 00000040F108 0 <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
00000000BF68 00000040F168 0 </requestedPrivileges>
00000000BF86 00000040F186 0 </security>
00000000BF97 00000040F197 0 </trustInfo>
00000000BFA7 00000040F1A7 0 </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
000000008170 000000409170 0 (null)
0000000081F4 0000004091F4 0 mscoree.dll
00000000820C 00000040920C 0 runtime error
000000008B3F 000000409B3F 0 @Microsoft Visual C++ Runtime Library
000000008B9C 000000409B9C 0 <program name unknown>
000000008BEC 000000409BEC 0 Program:
000000008CA0 000000409CA0 0 KERNEL32.DLL
000000008CE8 000000409CE8 0 HH:mm:ss
000000008CFC 000000409CFC 0 dddd, MMMM dd, yyyy
000000008D24 000000409D24 0 MM/dd/yy
000000008D48 000000409D48 0 December
000000008D5C 000000409D5C 0 November
000000008D70 000000409D70 0 October
000000008D80 000000409D80 0 September
000000008D94 000000409D94 0 August
000000008DBC 000000409DBC 0 April
000000008DC8 000000409DC8 0 March
000000008DD4 000000409DD4 0 February
000000008DE8 000000409DE8 0 January
000000008E58 000000409E58 0 Saturday
000000008E6C 000000409E6C 0 Friday
000000008E7C 000000409E7C 0 Thursday
000000008E90 000000409E90 0 Wednesday
000000008EA4 000000409EA4 0 Tuesday
000000008EB4 000000409EB4 0 Monday
000000008EC4 000000409EC4 0 Sunday
0000000090F7 00000040A0F7 0 WUSER32.DLL
00000000999F 00000040A99F 0 @CONOUT$
=== DOWNLOAD ===
Mirror provided by vx-underground.org, thx!