.- - -----÷M÷E÷N÷U÷------------------------------------------------------------- --- ---- -------------.
! WALL ! STATS ! GOODIES ! YARA ! FAQ ! RSS ! EMV !
`-------------- - --- ---------- -------- -------- -------- -------- ----------------- - ---- ---- --'
ATM MALWARE NOTICE
646433de5c56fdbc7e6e934a05e9e99012ef39a0ed6cc4bdb1d984cd4435379e
Date...........: 2014-10-08
Family.........: Tyupkin
File name......: CopyApplicationFiles.exe
File size......: 18.50 KB
Type file......: EXE/Windows
Virscan........: VT - HA
Documentation..: https://community.mcafee.com/nysyc36988/attachments/nysyc36988/security-awareness-documents/1186/1/MTIS14-156.pdf
Additional note: Try to kill McAfee Solidcore for APTRA (swin.sys, solidcore.log, s3diag.log)
Entropy:
Binary Histogram:
=== SCREENSHOT ===
=== PEDUMP REPORT ===
=== MZ Header ===
signature: "MZ"
bytes_in_last_block: 144 0x90
blocks_in_file: 3 3
num_relocs: 0 0
header_paragraphs: 4 4
min_extra_paragraphs: 0 0
max_extra_paragraphs: 65535 0xffff
ss: 0 0
sp: 184 0xb8
checksum: 0 0
ip: 0 0
cs: 0 0
reloc_table_offset: 64 0x40
overlay_number: 0 0
reserved0: 0 0
oem_id: 0 0
oem_info: 0 0
reserved2: 0 0
reserved3: 0 0
reserved4: 0 0
reserved5: 0 0
reserved6: 0 0
lfanew: 232 0xe8
=== DOS STUB ===
00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
=== RICH Header ===
LIB_ID VERSION TIMES_USED
110 6e 50727 c627 1 1
125 7d 50727 c627 1 1
109 6d 50727 c627 20 14
123 7b 50727 c627 4 4
147 93 30729 7809 2 2
93 5d 4035 fc3 3 3
1 1 0 0 82 52
114 72 50727 c627 2 2
120 78 50727 c627 1 1
=== PE Header ===
signature: "PE\x00\x00"
# IMAGE_FILE_HEADER:
Machine: 332 0x14c x86
NumberOfSections: 4 4
TimeDateStamp: "2014-05-08 15:48:31"
PointerToSymbolTable: 0 0
NumberOfSymbols: 0 0
SizeOfOptionalHeader: 224 0xe0
Characteristics: 259 0x103 RELOCS_STRIPPED, EXECUTABLE_IMAGE
32BIT_MACHINE
# IMAGE_OPTIONAL_HEADER32:
Magic: 267 0x10b 32-bit executable
LinkerVersion: 8.0
SizeOfCode: 8704 0x2200
SizeOfInitializedData: 9216 0x2400
SizeOfUninitializedData: 0 0
AddressOfEntryPoint: 11165 0x2b9d
BaseOfCode: 4096 0x1000
BaseOfData: 16384 0x4000
ImageBase: 4194304 0x400000
SectionAlignment: 4096 0x1000
FileAlignment: 512 0x200
OperatingSystemVersion: 4.0
ImageVersion: 0.0
SubsystemVersion: 4.0
Reserved1: 0 0
SizeOfImage: 32768 0x8000
SizeOfHeaders: 1024 0x400
CheckSum: 55092 0xd734
Subsystem: 3 3 WINDOWS_CUI
DllCharacteristics: 0 0
SizeOfStackReserve: 1048576 0x100000
SizeOfStackCommit: 4096 0x1000
SizeOfHeapReserve: 1048576 0x100000
SizeOfHeapCommit: 4096 0x1000
LoaderFlags: 0 0
NumberOfRvaAndSizes: 16 0x10
=== DATA DIRECTORY ===
EXPORT rva:0x 0 size:0x 0
IMPORT rva:0x 5500 size:0x 64
RESOURCE rva:0x 7000 size:0x 1ac
EXCEPTION rva:0x 0 size:0x 0
SECURITY rva:0x 0 size:0x 0
BASERELOC rva:0x 0 size:0x 0
DEBUG rva:0x 0 size:0x 0
ARCHITECTURE rva:0x 0 size:0x 0
GLOBALPTR rva:0x 0 size:0x 0
TLS rva:0x 0 size:0x 0
LOAD_CONFIG rva:0x 53a8 size:0x 40
Bound_IAT rva:0x 0 size:0x 0
IAT rva:0x 4000 size:0x 12c
Delay_IAT rva:0x 0 size:0x 0
CLR_Header rva:0x 0 size:0x 0
rva:0x 0 size:0x 0
=== SECTIONS ===
NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
.text 1000 207d 2200 400 0 0 0 0 60000020 R-X CODE
.rdata 4000 1e36 2000 2600 0 0 0 0 40000040 R-- IDATA
.data 6000 394 200 4600 0 0 0 0 c0000040 RW- IDATA
.rsrc 7000 1ac 200 4800 0 0 0 0 40000040 R-- IDATA
=== RESOURCES ===
FILE_OFFSET CP LANG SIZE TYPE NAME
0x4858 1252 0x409 338 MANIFEST #1
=== IMPORTS ===
MODULE_NAME HINT ORD FUNCTION_NAME
KERNEL32.dll 46 CopyFileW
KERNEL32.dll 142 GetCurrentProcess
KERNEL32.dll 356 Sleep
KERNEL32.dll 171 GetLastError
KERNEL32.dll 31a SetFileAttributesW
KERNEL32.dll 143 GetCurrentProcessId
KERNEL32.dll 146 GetCurrentThreadId
KERNEL32.dll 1df GetTickCount
KERNEL32.dll 2a3 QueryPerformanceCounter
KERNEL32.dll 239 IsDebuggerPresent
KERNEL32.dll 34a SetUnhandledExceptionFilter
KERNEL32.dll 36e UnhandledExceptionFilter
KERNEL32.dll 35e TerminateProcess
KERNEL32.dll 226 InterlockedCompareExchange
KERNEL32.dll 229 InterlockedExchange
KERNEL32.dll 1ca GetSystemTimeAsFileTime
ADVAPI32.dll 1f AdjustTokenPrivileges
ADVAPI32.dll 281 RegUnLoadKeyW
ADVAPI32.dll 25a RegLoadKeyW
ADVAPI32.dll 1f7 OpenProcessToken
ADVAPI32.dll 230 RegCloseKey
ADVAPI32.dll 27e RegSetValueExW
ADVAPI32.dll 197 LookupPrivilegeValueW
ADVAPI32.dll 261 RegOpenKeyExW
MSVCP80.dll 314 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z
MSVCP80.dll 313 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z
MSVCP80.dll 311 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z
MSVCP80.dll 318 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
MSVCP80.dll b3a ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
MSVCP80.dll 799 ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z
MSVCP80.dll 31c ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PBX@Z
MSVCP80.dll bda ?uncaught_exception@std@@YA_NXZ
MSVCP80.dll b6c ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHPBDH@Z
MSVCP80.dll 570 ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
MSVCP80.dll 54b ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ
MSVCP80.dll 5c3 ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ
MSVCP80.dll b69 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
MSVCP80.dll 817 ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
MSVCP80.dll 675 ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
MSVCR80.dll fe __winitenv
MSVCR80.dll 67 _XcptFilter
MSVCR80.dll 20b _initterm_e
MSVCR80.dll 13f _configthreadlocale
MSVCR80.dll e9 __setusermatherr
MSVCR80.dll 111 _adjust_fdiv
MSVCR80.dll cc __p__commode
MSVCR80.dll d0 __p__fmode
MSVCR80.dll 16d _encode_pointer
MSVCR80.dll e6 __set_app_type
MSVCR80.dll 14e _crt_debugger_hook
MSVCR80.dll 3ed _unlock
MSVCR80.dll 97 __dllonexit
MSVCR80.dll 27c _lock
MSVCR80.dll 322 _onexit
MSVCR80.dll 163 _decode_pointer
MSVCR80.dll 176 _except_handler4_common
MSVCR80.dll 211 _invoke_watson
MSVCR80.dll 142 _controlfp_s
MSVCR80.dll 17f _exit
MSVCR80.dll 12f _cexit
MSVCR80.dll fd __wgetmainargs
MSVCR80.dll 118 _amsg_exit
MSVCR80.dll 479 _wgetcwd
MSVCR80.dll 5af wprintf
MSVCR80.dll 4d6 exit
MSVCR80.dll 537 printf
MSVCR80.dll 544 remove
MSVCR80.dll 20a _initterm
MSVCR80.dll 5a8 wcstombs
MSVCR80.dll 74 __CxxFrameHandler3
MSVCR80.dll 533 memset
=== Packer / Compiler ===
MS Visual C++ v8.0
File pos Mem pos ID Text
======== ======= == ====
00000000004D 00000040004D 0 !This program cannot be run in DOS mode.
0000000000D8 0000004000D8 0 Rich3
0000000001E0 0000004001E0 0 .text
000000000208 000000400208 0 .rdata
00000000022F 00000040022F 0 @.data
000000000258 000000400258 0 .rsrc
000000000414 000000401014 0 SUVWh
0000000007DE 0000004013DE 0 D$$Ph?
0000000007EA 0000004013EA 0 L$|Qh
000000000844 000000401444 0 L$LQV
0000000008B6 0000004014B6 0 T$,Rj
0000000008BE 0000004014BE 0 D$dPQ
0000000008D3 0000004014D3 0 RhtH@
000000000968 000000401568 0 T$<RQ
000000000A1A 00000040161A 0 Ph I@
000000000A20 000000401620 0 Sh0I@
000000000A78 000000401678 0 L$<QP
000000000A8E 00000040168E 0 PhHI@
000000000AF1 0000004016F1 0 T$ Rh?
000000000B22 000000401722 0 D$<PQ
000000000DA7 0000004019A7 0 L$|Qh
000000000E01 000000401A01 0 L$LQV
000000000E4A 000000401A4A 0 D$$Ph?
000000000E66 000000401A66 0 uS9D$
000000000E75 000000401A75 0 T$,Rj
000000000E7D 000000401A7D 0 D$dPQ
000000000E93 000000401A93 0 PhtH@
000000000F28 000000401B28 0 D$<PQ
000000000FD2 000000401BD2 0 T$<RQ
000000000FE7 000000401BE7 0 QhHI@
00000000104B 000000401C4B 0 D$ Ph?
00000000107C 000000401C7C 0 D$<PQ
0000000011AD 000000401DAD 0 Qh J@
0000000011EB 000000401DEB 0 RhDJ@
00000000133D 000000401F3D 0 Qh J@
00000000137B 000000401F7B 0 RhDJ@
0000000014B4 0000004020B4 0 SUVWh
000000001C05 000000402805 0 L1(WR
000000002342 000000402F42 0 VVVVV
000000002750 000000404150 0 bad allocation
000000002B98 000000404598 0 LookupPrivilegeValue error: %u
000000002BB8 0000004045B8 0 AdjustTokenPrivileges error: %u
000000002BDC 0000004045DC 0 The token does not have the specified privilege.
000000002DEC 0000004047EC 0 Key was installed successfully!!!
000000002E10 000000404810 0 ERROR!!!
000000002E1C 00000040481C 0 Error writing to loaded HIVE, code:
000000002E45 000000404845 0 ****** ERROR INSTALLING APPLICATION! ******
000000002E74 000000404874 0 Restrict value was installed successfully!!!
000000002EA8 0000004048A8 0 Start Option value was changed successfully to ControlSet001!!!
000000002EE8 0000004048E8 0 Error changing ControlSet001, code:
000000002F10 000000404910 0 ===== hkey:
000000002F20 000000404920 0 lastError:
000000002F30 000000404930 0 REGOPENKEY status:
000000002F48 000000404948 0 Start Option value was changed successfully to ControlSet002!!!
000000002F88 000000404988 0 Error changing ControlSet002, code:
000000002FB0 0000004049B0 0 Start Option value was changed successfully to ControlSet003!!!
000000002FF0 0000004049F0 0 Error changing ControlSet003, code:
0000000031CC 000000404BCC 0 HIVE unloaded. +++++++
0000000031E4 000000404BE4 0 ****** APLICATION IS INSTALLED WITH SUCCESS!!! ******
00000000321C 000000404C1C 0 Error unloading HIVE.
File pos Mem pos ID Text
======== ======= == ====
000000003232 000000404C32 0 ATTENTIION!
0000000034B1 000000404EB1 0 ==========================================
0000000034DC 000000404EDC 0 PROTECTION DRIVER WAS REMOVED WITH SUCCESS!
000000003508 000000404F08 0 ==========================================
000000003749 000000405149 0 ++++++++ PROTECTION LOG FILES DETELED WITH SUCCESS! ++++++++
000000003818 000000405218 0 Copying executable file to "System32" folder...
00000000384C 00000040524C 0 File copyied with success!
00000000386D 00000040526D 0 1. Error copying executable file! ERROR CODE:
0000000038DD 0000004052DD 0 2. Error copying executable file! ERROR CODE:
000000003912 000000405312 0 ***** ERROR INSTALLING APPLICATION!!! *****
00000000393F 00000040533F 0 CLOSING...
000000003956 000000405356 0 Closing application....
00000000396E 00000040536E 0 Please wait...
000000003980 000000405380 0 seconds.
00000000398C 00000040538C 0 Closing application in
000000003C92 000000405692 0 SetFileAttributesW
000000003CA8 0000004056A8 0 GetLastError
000000003CB8 0000004056B8 0 Sleep
000000003CC0 0000004056C0 0 GetCurrentProcess
000000003CD4 0000004056D4 0 CopyFileW
000000003CDE 0000004056DE 0 KERNEL32.dll
000000003CEE 0000004056EE 0 LookupPrivilegeValueW
000000003D06 000000405706 0 AdjustTokenPrivileges
000000003D1E 00000040571E 0 RegOpenKeyExW
000000003D2E 00000040572E 0 RegSetValueExW
000000003D40 000000405740 0 RegCloseKey
000000003D4E 00000040574E 0 OpenProcessToken
000000003D62 000000405762 0 RegLoadKeyW
000000003D70 000000405770 0 RegUnLoadKeyW
000000003D7E 00000040577E 0 ADVAPI32.dll
000000003D8E 00000040578E 0 ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
000000003DCA 0000004057CA 0 ?uncaught_exception@std@@YA_NXZ
000000003DEC 0000004057EC 0 ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHPBDH@Z
000000003E30 000000405830 0 ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
000000003E6E 00000040586E 0 ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ
000000003EAE 0000004058AE 0 ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ
000000003EF0 0000004058F0 0 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
000000003F30 000000405930 0 ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
000000003F72 000000405972 0 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PBX@Z
000000003FB4 0000004059B4 0 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z
000000003FF4 0000004059F4 0 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z
000000004034 000000405A34 0 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z
000000004074 000000405A74 0 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
0000000040C4 000000405AC4 0 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
000000004104 000000405B04 0 ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z
000000004148 000000405B48 0 MSVCP80.dll
000000004156 000000405B56 0 wcstombs
000000004162 000000405B62 0 remove
00000000416C 000000405B6C 0 printf
00000000417E 000000405B7E 0 wprintf
000000004188 000000405B88 0 _wgetcwd
000000004192 000000405B92 0 MSVCR80.dll
0000000041A0 000000405BA0 0 _amsg_exit
0000000041AE 000000405BAE 0 __wgetmainargs
0000000041C0 000000405BC0 0 _cexit
0000000041CA 000000405BCA 0 _exit
0000000041D2 000000405BD2 0 _XcptFilter
0000000041E0 000000405BE0 0 __winitenv
0000000041EE 000000405BEE 0 _initterm
0000000041FA 000000405BFA 0 _initterm_e
File pos Mem pos ID Text
======== ======= == ====
000000004208 000000405C08 0 _configthreadlocale
00000000421E 000000405C1E 0 __setusermatherr
000000004232 000000405C32 0 _adjust_fdiv
000000004242 000000405C42 0 __p__commode
000000004252 000000405C52 0 __p__fmode
000000004260 000000405C60 0 _encode_pointer
000000004272 000000405C72 0 __set_app_type
000000004284 000000405C84 0 _crt_debugger_hook
00000000429A 000000405C9A 0 _unlock
0000000042A4 000000405CA4 0 __dllonexit
0000000042B2 000000405CB2 0 _lock
0000000042BA 000000405CBA 0 _onexit
0000000042C4 000000405CC4 0 _decode_pointer
0000000042D6 000000405CD6 0 _except_handler4_common
0000000042F0 000000405CF0 0 _invoke_watson
000000004302 000000405D02 0 _controlfp_s
000000004312 000000405D12 0 InterlockedExchange
000000004328 000000405D28 0 InterlockedCompareExchange
000000004346 000000405D46 0 TerminateProcess
00000000435A 000000405D5A 0 UnhandledExceptionFilter
000000004376 000000405D76 0 SetUnhandledExceptionFilter
000000004394 000000405D94 0 IsDebuggerPresent
0000000043A8 000000405DA8 0 QueryPerformanceCounter
0000000043C2 000000405DC2 0 GetTickCount
0000000043D2 000000405DD2 0 GetCurrentThreadId
0000000043E8 000000405DE8 0 GetCurrentProcessId
0000000043FE 000000405DFE 0 GetSystemTimeAsFileTime
000000004418 000000405E18 0 __CxxFrameHandler3
00000000442E 000000405E2E 0 memset
000000004858 000000407058 0 <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
0000000048A3 0000004070A3 0 <dependency>
0000000048B3 0000004070B3 0 <dependentAssembly>
0000000048CC 0000004070CC 0 <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50608.0" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
000000004974 000000407174 0 </dependentAssembly>
00000000498E 00000040718E 0 </dependency>
00000000499F 00000040719F 0 </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
000000002760 000000404160 0 C:\windows\system32\ulssm.exe
00000000279C 00000040419C 0 C:\windows\system32\ulssm.exe
0000000027DC 0000004041DC 0 C:\windows\system32\msxfs.dll
000000002818 000000404218 0 C:\windows\system32\msxfs.dll
000000002858 000000404258 0 C:\windows\system32\xfs_conf.dll
0000000028A0 0000004042A0 0 C:\windows\system32\xfs_conf.dll
0000000028E8 0000004042E8 0 C:\windows\system32\xfs_supp.dll
000000002930 000000404330 0 C:\windows\system32\xfs_supp.dll
000000002974 000000404374 0 C:\WINXPPRO\system32\ulssm.exe
0000000029B8 0000004043B8 0 C:\WINXPPRO\system32\ulssm.exe
0000000029F8 0000004043F8 0 C:\WINXPPRO\system32\msxfs.dll
000000002A38 000000404438 0 C:\WINXPPRO\system32\msxfs.dll
000000002A78 000000404478 0 C:\WINXPPRO\system32\xfs_conf.dll
000000002AC0 0000004044C0 0 C:\WINXPPRO\system32\xfs_conf.dll
000000002B08 000000404508 0 C:\WINXPPRO\system32\xfs_supp.dll
000000002B50 000000404550 0 C:\WINXPPRO\system32\xfs_supp.dll
000000002C10 000000404610 0 a\Microsoft\Windows\CurrentVersion\Run
000000002C60 000000404660 0 AptraDebug
000000002C78 000000404678 0 RestrictRun
000000002C98 000000404698 0 a\Microsoft\Windows\CurrentVersion\policies\Explorer
000000002D04 000000404704 0 Start
000000002D18 000000404718 0 b\ControlSet001\Services\scsrvc
000000002D60 000000404760 0 b\ControlSet002\Services\scsrvc
000000002DA8 0000004047A8 0 b\ControlSet003\Services\scsrvc
File pos Mem pos ID Text
======== ======= == ====
000000003020 000000404A20 0 SeBackupPrivilege
000000003044 000000404A44 0 SeRestorePrivilege
000000003070 000000404A70 0 c:\windows\system32\config\software
0000000030C0 000000404AC0 0 c:\windows\system32\config\system
00000000313E 000000404B3E 0 ****** ERROR INSTALLING APPLICATION! ******
000000003240 000000404C40 0 c:\WINXPPRO\system32\config\software
000000003290 000000404C90 0 c:\WINXPPRO\system32\config\system
0000000032D8 000000404CD8 0 C:\windows\system32\drivers\swin.sys
000000003328 000000404D28 0 C:\windows\system32\config\swin.sys
000000003370 000000404D70 0 C:\windows\system32\drivers\swin.sys
0000000033C0 000000404DC0 0 C:\WINXPPRO\system32\drivers\swin.sys
000000003410 000000404E10 0 C:\WINXPPRO\system32\config\swin.sys
000000003460 000000404E60 0 C:\WINXPPRO\system32\drivers\swin.sys
000000003538 000000404F38 0 C:\program files\ncr aptra\Solidcore for APTRA\Logs\solidcore.log
0000000035C0 000000404FC0 0 C:\program files\ncr aptra\Solidcore for APTRA\Logs\solidcore.log
000000003648 000000405048 0 C:\program files\ncr aptra\Solidcore for APTRA\Logs\s3diag.log
0000000036C8 0000004050C8 0 C:\program files\ncr aptra\Solidcore for APTRA\Logs\s3diag.log
000000003788 000000405188 0 \app\ulssm.exe
0000000037A8 0000004051A8 0 \libs\msxfs.dll
0000000037C8 0000004051C8 0 \libs\xfs_conf.dll
0000000037F0 0000004051F0 0 \libs\xfs_supp.dll
00000000389B 00000040529B 0 c:\WINXPPRO\system32\ulssm.exe
00000000004D 00000040004D 0 !This program cannot be run in DOS mode.
0000000000D8 0000004000D8 0 Rich3
0000000001E0 0000004001E0 0 .text
000000000208 000000400208 0 .rdata
00000000022F 00000040022F 0 @.data
000000000258 000000400258 0 .rsrc
000000000414 000000401014 0 SUVWh
0000000007DE 0000004013DE 0 D$$Ph?
0000000007EA 0000004013EA 0 L$|Qh
000000000844 000000401444 0 L$LQV
0000000008B6 0000004014B6 0 T$,Rj
0000000008BE 0000004014BE 0 D$dPQ
0000000008D3 0000004014D3 0 RhtH@
000000000968 000000401568 0 T$<RQ
000000000A1A 00000040161A 0 Ph I@
000000000A20 000000401620 0 Sh0I@
000000000A78 000000401678 0 L$<QP
000000000A8E 00000040168E 0 PhHI@
000000000AF1 0000004016F1 0 T$ Rh?
000000000B22 000000401722 0 D$<PQ
000000000DA7 0000004019A7 0 L$|Qh
000000000E01 000000401A01 0 L$LQV
000000000E4A 000000401A4A 0 D$$Ph?
000000000E66 000000401A66 0 uS9D$
000000000E75 000000401A75 0 T$,Rj
000000000E7D 000000401A7D 0 D$dPQ
000000000E93 000000401A93 0 PhtH@
000000000F28 000000401B28 0 D$<PQ
000000000FD2 000000401BD2 0 T$<RQ
000000000FE7 000000401BE7 0 QhHI@
00000000104B 000000401C4B 0 D$ Ph?
00000000107C 000000401C7C 0 D$<PQ
0000000011AD 000000401DAD 0 Qh J@
0000000011EB 000000401DEB 0 RhDJ@
00000000133D 000000401F3D 0 Qh J@
00000000137B 000000401F7B 0 RhDJ@
0000000014B4 0000004020B4 0 SUVWh
000000001C05 000000402805 0 L1(WR
File pos Mem pos ID Text
======== ======= == ====
000000002342 000000402F42 0 VVVVV
000000002750 000000404150 0 bad allocation
000000002B98 000000404598 0 LookupPrivilegeValue error: %u
000000002BB8 0000004045B8 0 AdjustTokenPrivileges error: %u
000000002BDC 0000004045DC 0 The token does not have the specified privilege.
000000002DEC 0000004047EC 0 Key was installed successfully!!!
000000002E10 000000404810 0 ERROR!!!
000000002E1C 00000040481C 0 Error writing to loaded HIVE, code:
000000002E45 000000404845 0 ****** ERROR INSTALLING APPLICATION! ******
000000002E74 000000404874 0 Restrict value was installed successfully!!!
000000002EA8 0000004048A8 0 Start Option value was changed successfully to ControlSet001!!!
000000002EE8 0000004048E8 0 Error changing ControlSet001, code:
000000002F10 000000404910 0 ===== hkey:
000000002F20 000000404920 0 lastError:
000000002F30 000000404930 0 REGOPENKEY status:
000000002F48 000000404948 0 Start Option value was changed successfully to ControlSet002!!!
000000002F88 000000404988 0 Error changing ControlSet002, code:
000000002FB0 0000004049B0 0 Start Option value was changed successfully to ControlSet003!!!
000000002FF0 0000004049F0 0 Error changing ControlSet003, code:
0000000031CC 000000404BCC 0 HIVE unloaded. +++++++
0000000031E4 000000404BE4 0 ****** APLICATION IS INSTALLED WITH SUCCESS!!! ******
00000000321C 000000404C1C 0 Error unloading HIVE.
000000003232 000000404C32 0 ATTENTIION!
0000000034B1 000000404EB1 0 ==========================================
0000000034DC 000000404EDC 0 PROTECTION DRIVER WAS REMOVED WITH SUCCESS!
000000003508 000000404F08 0 ==========================================
000000003749 000000405149 0 ++++++++ PROTECTION LOG FILES DETELED WITH SUCCESS! ++++++++
000000003818 000000405218 0 Copying executable file to "System32" folder...
00000000384C 00000040524C 0 File copyied with success!
00000000386D 00000040526D 0 1. Error copying executable file! ERROR CODE:
0000000038DD 0000004052DD 0 2. Error copying executable file! ERROR CODE:
000000003912 000000405312 0 ***** ERROR INSTALLING APPLICATION!!! *****
00000000393F 00000040533F 0 CLOSING...
000000003956 000000405356 0 Closing application....
00000000396E 00000040536E 0 Please wait...
000000003980 000000405380 0 seconds.
00000000398C 00000040538C 0 Closing application in
000000003C92 000000405692 0 SetFileAttributesW
000000003CA8 0000004056A8 0 GetLastError
000000003CB8 0000004056B8 0 Sleep
000000003CC0 0000004056C0 0 GetCurrentProcess
000000003CD4 0000004056D4 0 CopyFileW
000000003CDE 0000004056DE 0 KERNEL32.dll
000000003CEE 0000004056EE 0 LookupPrivilegeValueW
000000003D06 000000405706 0 AdjustTokenPrivileges
000000003D1E 00000040571E 0 RegOpenKeyExW
000000003D2E 00000040572E 0 RegSetValueExW
000000003D40 000000405740 0 RegCloseKey
000000003D4E 00000040574E 0 OpenProcessToken
000000003D62 000000405762 0 RegLoadKeyW
000000003D70 000000405770 0 RegUnLoadKeyW
000000003D7E 00000040577E 0 ADVAPI32.dll
000000003D8E 00000040578E 0 ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
000000003DCA 0000004057CA 0 ?uncaught_exception@std@@YA_NXZ
000000003DEC 0000004057EC 0 ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHPBDH@Z
000000003E30 000000405830 0 ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
000000003E6E 00000040586E 0 ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ
000000003EAE 0000004058AE 0 ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ
000000003EF0 0000004058F0 0 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
000000003F30 000000405930 0 ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
File pos Mem pos ID Text
======== ======= == ====
000000003F72 000000405972 0 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PBX@Z
000000003FB4 0000004059B4 0 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z
000000003FF4 0000004059F4 0 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z
000000004034 000000405A34 0 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z
000000004074 000000405A74 0 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
0000000040C4 000000405AC4 0 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
000000004104 000000405B04 0 ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z
000000004148 000000405B48 0 MSVCP80.dll
000000004156 000000405B56 0 wcstombs
000000004162 000000405B62 0 remove
00000000416C 000000405B6C 0 printf
00000000417E 000000405B7E 0 wprintf
000000004188 000000405B88 0 _wgetcwd
000000004192 000000405B92 0 MSVCR80.dll
0000000041A0 000000405BA0 0 _amsg_exit
0000000041AE 000000405BAE 0 __wgetmainargs
0000000041C0 000000405BC0 0 _cexit
0000000041CA 000000405BCA 0 _exit
0000000041D2 000000405BD2 0 _XcptFilter
0000000041E0 000000405BE0 0 __winitenv
0000000041EE 000000405BEE 0 _initterm
0000000041FA 000000405BFA 0 _initterm_e
000000004208 000000405C08 0 _configthreadlocale
00000000421E 000000405C1E 0 __setusermatherr
000000004232 000000405C32 0 _adjust_fdiv
000000004242 000000405C42 0 __p__commode
000000004252 000000405C52 0 __p__fmode
000000004260 000000405C60 0 _encode_pointer
000000004272 000000405C72 0 __set_app_type
000000004284 000000405C84 0 _crt_debugger_hook
00000000429A 000000405C9A 0 _unlock
0000000042A4 000000405CA4 0 __dllonexit
0000000042B2 000000405CB2 0 _lock
0000000042BA 000000405CBA 0 _onexit
0000000042C4 000000405CC4 0 _decode_pointer
0000000042D6 000000405CD6 0 _except_handler4_common
0000000042F0 000000405CF0 0 _invoke_watson
000000004302 000000405D02 0 _controlfp_s
000000004312 000000405D12 0 InterlockedExchange
000000004328 000000405D28 0 InterlockedCompareExchange
000000004346 000000405D46 0 TerminateProcess
00000000435A 000000405D5A 0 UnhandledExceptionFilter
000000004376 000000405D76 0 SetUnhandledExceptionFilter
000000004394 000000405D94 0 IsDebuggerPresent
0000000043A8 000000405DA8 0 QueryPerformanceCounter
0000000043C2 000000405DC2 0 GetTickCount
0000000043D2 000000405DD2 0 GetCurrentThreadId
0000000043E8 000000405DE8 0 GetCurrentProcessId
0000000043FE 000000405DFE 0 GetSystemTimeAsFileTime
000000004418 000000405E18 0 __CxxFrameHandler3
00000000442E 000000405E2E 0 memset
000000004858 000000407058 0 <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
0000000048A3 0000004070A3 0 <dependency>
0000000048B3 0000004070B3 0 <dependentAssembly>
0000000048CC 0000004070CC 0 <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50608.0" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
000000004974 000000407174 0 </dependentAssembly>
00000000498E 00000040718E 0 </dependency>
00000000499F 00000040719F 0 </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
000000002760 000000404160 0 C:\windows\system32\ulssm.exe
00000000279C 00000040419C 0 C:\windows\system32\ulssm.exe
File pos Mem pos ID Text
======== ======= == ====
0000000027DC 0000004041DC 0 C:\windows\system32\msxfs.dll
000000002818 000000404218 0 C:\windows\system32\msxfs.dll
000000002858 000000404258 0 C:\windows\system32\xfs_conf.dll
0000000028A0 0000004042A0 0 C:\windows\system32\xfs_conf.dll
0000000028E8 0000004042E8 0 C:\windows\system32\xfs_supp.dll
000000002930 000000404330 0 C:\windows\system32\xfs_supp.dll
000000002974 000000404374 0 C:\WINXPPRO\system32\ulssm.exe
0000000029B8 0000004043B8 0 C:\WINXPPRO\system32\ulssm.exe
0000000029F8 0000004043F8 0 C:\WINXPPRO\system32\msxfs.dll
000000002A38 000000404438 0 C:\WINXPPRO\system32\msxfs.dll
000000002A78 000000404478 0 C:\WINXPPRO\system32\xfs_conf.dll
000000002AC0 0000004044C0 0 C:\WINXPPRO\system32\xfs_conf.dll
000000002B08 000000404508 0 C:\WINXPPRO\system32\xfs_supp.dll
000000002B50 000000404550 0 C:\WINXPPRO\system32\xfs_supp.dll
000000002C10 000000404610 0 a\Microsoft\Windows\CurrentVersion\Run
000000002C60 000000404660 0 AptraDebug
000000002C78 000000404678 0 RestrictRun
000000002C98 000000404698 0 a\Microsoft\Windows\CurrentVersion\policies\Explorer
000000002D04 000000404704 0 Start
000000002D18 000000404718 0 b\ControlSet001\Services\scsrvc
000000002D60 000000404760 0 b\ControlSet002\Services\scsrvc
000000002DA8 0000004047A8 0 b\ControlSet003\Services\scsrvc
000000003020 000000404A20 0 SeBackupPrivilege
000000003044 000000404A44 0 SeRestorePrivilege
000000003070 000000404A70 0 c:\windows\system32\config\software
0000000030C0 000000404AC0 0 c:\windows\system32\config\system
00000000313E 000000404B3E 0 ****** ERROR INSTALLING APPLICATION! ******
000000003240 000000404C40 0 c:\WINXPPRO\system32\config\software
000000003290 000000404C90 0 c:\WINXPPRO\system32\config\system
0000000032D8 000000404CD8 0 C:\windows\system32\drivers\swin.sys
000000003328 000000404D28 0 C:\windows\system32\config\swin.sys
000000003370 000000404D70 0 C:\windows\system32\drivers\swin.sys
0000000033C0 000000404DC0 0 C:\WINXPPRO\system32\drivers\swin.sys
000000003410 000000404E10 0 C:\WINXPPRO\system32\config\swin.sys
000000003460 000000404E60 0 C:\WINXPPRO\system32\drivers\swin.sys
000000003538 000000404F38 0 C:\program files\ncr aptra\Solidcore for APTRA\Logs\solidcore.log
0000000035C0 000000404FC0 0 C:\program files\ncr aptra\Solidcore for APTRA\Logs\solidcore.log
000000003648 000000405048 0 C:\program files\ncr aptra\Solidcore for APTRA\Logs\s3diag.log
0000000036C8 0000004050C8 0 C:\program files\ncr aptra\Solidcore for APTRA\Logs\s3diag.log
000000003788 000000405188 0 \app\ulssm.exe
0000000037A8 0000004051A8 0 \libs\msxfs.dll
0000000037C8 0000004051C8 0 \libs\xfs_conf.dll
0000000037F0 0000004051F0 0 \libs\xfs_supp.dll
00000000389B 00000040529B 0 c:\WINXPPRO\system32\ulssm.exe