ATM MALWARE NOTICE
867991ade335186baa19a227e3a044c8321a6cef96c23c98eef21fe6b87edf6a
Date...........: 2019-02-25
Family.........: HelloWorld
File name......: dispenserXFS.exe
File size......: 25.50 KB
Type file......: EXE/Windows
Virscan........: VT - HA
PDB Path found.: C:\_bkittest\dispenser\Release_noToken\dispenserXFS.pdb
Documentation..: https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
Additional note: Save logs into C:\xfsasdf.txt
=== PEDUMP REPORT ===
=== MZ Header ===
signature: "MZ"
bytes_in_last_block: 144 0x90
blocks_in_file: 3 3
num_relocs: 0 0
header_paragraphs: 4 4
min_extra_paragraphs: 0 0
max_extra_paragraphs: 65535 0xffff
ss: 0 0
sp: 184 0xb8
checksum: 0 0
ip: 0 0
cs: 0 0
reloc_table_offset: 64 0x40
overlay_number: 0 0
reserved0: 0 0
oem_id: 0 0
oem_info: 0 0
reserved2: 0 0
reserved3: 0 0
reserved4: 0 0
reserved5: 0 0
reserved6: 0 0
lfanew: 240 0xf0
=== DOS STUB ===
00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
=== RICH Header ===
LIB_ID VERSION TIMES_USED
93 5d 4035 fc3 8 8
149 95 30729 7809 7 7
132 84 30729 7809 14 e
1 1 0 0 165 a5
147 93 30729 7809 3 3
131 83 30729 7809 68 44
126 7e 50727 c627 1 1
229 e5 30501 7725 11 b
219 db 21005 520d 1 1
222 de 30501 7725 1 1
=== PE Header ===
signature: "PE\x00\x00"
# IMAGE_FILE_HEADER:
Machine: 332 0x14c x86
NumberOfSections: 5 5
TimeDateStamp: "2019-02-10 18:13:13"
PointerToSymbolTable: 0 0
NumberOfSymbols: 0 0
SizeOfOptionalHeader: 224 0xe0
Characteristics: 258 0x102 EXECUTABLE_IMAGE, 32BIT_MACHINE
# IMAGE_OPTIONAL_HEADER32:
Magic: 267 0x10b 32-bit executable
LinkerVersion: 12.0
SizeOfCode: 12288 0x3000
SizeOfInitializedData: 26624 0x6800
SizeOfUninitializedData: 0 0
AddressOfEntryPoint: 5608 0x15e8
BaseOfCode: 4096 0x1000
BaseOfData: 16384 0x4000
ImageBase: 4194304 0x400000
SectionAlignment: 4096 0x1000
FileAlignment: 512 0x200
OperatingSystemVersion: 5.1
ImageVersion: 0.0
SubsystemVersion: 5.1
Reserved1: 0 0
SizeOfImage: 53248 0xd000
SizeOfHeaders: 1024 0x400
CheckSum: 0 0
Subsystem: 2 2 WINDOWS_GUI
DllCharacteristics: 33088 0x8140 DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
SizeOfStackReserve: 1048576 0x100000
SizeOfStackCommit: 4096 0x1000
SizeOfHeapReserve: 1048576 0x100000
SizeOfHeapCommit: 4096 0x1000
LoaderFlags: 0 0
NumberOfRvaAndSizes: 16 0x10
=== DATA DIRECTORY ===
EXPORT rva:0x 0 size:0x 0
IMPORT rva:0x 4b34 size:0x 78
RESOURCE rva:0x b000 size:0x 1e0
EXCEPTION rva:0x 0 size:0x 0
SECURITY rva:0x 0 size:0x 0
BASERELOC rva:0x c000 size:0x 3d4
DEBUG rva:0x 41a0 size:0x 38
ARCHITECTURE rva:0x 0 size:0x 0
GLOBALPTR rva:0x 0 size:0x 0
TLS rva:0x 0 size:0x 0
LOAD_CONFIG rva:0x 4a20 size:0x 40
Bound_IAT rva:0x 0 size:0x 0
IAT rva:0x 4000 size:0x 178
Delay_IAT rva:0x 0 size:0x 0
CLR_Header rva:0x 0 size:0x 0
rva:0x 0 size:0x 0
=== SECTIONS ===
NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
.text 1000 2fbe 3000 400 0 0 0 0 60000020 R-X CODE
.rdata 4000 1372 1400 3400 0 0 0 0 40000040 R-- IDATA
.data 6000 4d48 1800 4800 0 0 0 0 c0000040 RW- IDATA
.rsrc b000 1e0 200 6000 0 0 0 0 40000040 R-- IDATA
.reloc c000 3d4 400 6200 0 0 0 0 42000040 R-- IDATA DISCARDABLE
=== RESOURCES ===
FILE_OFFSET CP LANG SIZE TYPE NAME
0x6060 0 0x409 381 MANIFEST #1
=== IMPORTS ===
MODULE_NAME HINT ORD FUNCTION_NAME
msvcrt.dll 101 _amsg_exit
msvcrt.dll 127 _controlfp
msvcrt.dll 37 ?terminate@@YAXXZ
msvcrt.dll d2 __set_app_type
msvcrt.dll be __p__fmode
msvcrt.dll b9 __p__commode
msvcrt.dll d4 __setusermatherr
msvcrt.dll 1d5 _initterm
msvcrt.dll e7 _acmdln
msvcrt.dll 48f exit
msvcrt.dll 6a _XcptFilter
msvcrt.dll 162 _exit
msvcrt.dll 114 _cexit
msvcrt.dll 91 __getmainargs
msvcrt.dll 4ee memset
msvcrt.dll 1f4 _ismbblead
msvcrt.dll 52d swprintf
msvcrt.dll 534 time
msvcrt.dll 4b1 fwrite
msvcrt.dll 50e srand
msvcrt.dll 49d fopen
msvcrt.dll 495 fflush
msvcrt.dll 526 strstr
msvcrt.dll 3c8 _vsnprintf
msvcrt.dll 32f _snprintf
msvcrt.dll 339 _snwprintf
ntdll.dll 352 RtlUnwind
ADVAPI32.dll 56 ConvertStringSecurityDescriptorToSecurityDescriptorW
ADVAPI32.dll 231 SetSecurityDescriptorDacl
ADVAPI32.dll 132 InitializeSecurityDescriptor
ADVAPI32.dll 235 SetSecurityDescriptorSacl
ADVAPI32.dll 108 GetSecurityDescriptorDacl
ADVAPI32.dll 10d GetSecurityDescriptorSacl
KERNEL32.dll b6 ExitProcess
KERNEL32.dll 13b GetCurrentProcess
KERNEL32.dll 1c0 GetSystemTimeAsFileTime
KERNEL32.dll 13e GetCurrentThreadId
KERNEL32.dll 294 QueryPerformanceCounter
KERNEL32.dll 176 GetModuleHandleA
KERNEL32.dll 336 SetUnhandledExceptionFilter
KERNEL32.dll 35b UnhandledExceptionFilter
KERNEL32.dll 34a TerminateProcess
KERNEL32.dll 1ae GetStartupInfoA
KERNEL32.dll 21b InterlockedCompareExchange
KERNEL32.dll 21d InterlockedExchange
KERNEL32.dll 1d4 GetTickCount
KERNEL32.dll 244 LoadLibraryA
KERNEL32.dll 198 GetProcAddress
KERNEL32.dll 398 WriteProcessMemory
KERNEL32.dll 13c GetCurrentProcessId
KERNEL32.dll 91 DuplicateHandle
KERNEL32.dll 6f CreateToolhelp32Snapshot
KERNEL32.dll 28a Process32NextW
KERNEL32.dll 288 Process32FirstW
KERNEL32.dll 36f VirtualAllocEx
KERNEL32.dll 372 VirtualFreeEx
KERNEL32.dll 277 OpenProcess
KERNEL32.dll 67 CreateRemoteThread
KERNEL32.dll 5d CreateMutexW
KERNEL32.dll 96 EnterCriticalSection
KERNEL32.dll 243 LeaveCriticalSection
KERNEL32.dll 218 InitializeCriticalSection
KERNEL32.dll 342 Sleep
KERNEL32.dll 276 OpenMutexW
KERNEL32.dll 6c CreateThread
KERNEL32.dll 24e LocalFree
KERNEL32.dll 31 CloseHandle
USER32.dll 61 CreateWindowExW
USER32.dll a2 DispatchMessageW
USER32.dll 8f DefWindowProcW
USER32.dll 2bb UpdateWindow
USER32.dll 292 ShowWindow
USER32.dll 283 SetWindowPos
USER32.dll 215 RedrawWindow
USER32.dll 60 CreateWindowExA
USER32.dll 26c SetRect
USER32.dll 1bc LoadIconW
USER32.dll 218 RegisterClassExW
USER32.dll 2aa TranslateMessage
USER32.dll d BeginPaint
USER32.dll 256 SetFocus
USER32.dll 1ba LoadCursorW
USER32.dll bf DrawTextW
USER32.dll e2 FillRect
USER32.dll 201 PostQuitMessage
USER32.dll 13e GetMessageW
USER32.dll 99 DestroyWindow
USER32.dll c8 EndPaint
USER32.dll 240 SendMessageW
=== Packer / Compiler ===
MS Visual C++ v8.0
=== Strings ===
File pos Mem pos ID Text
======== ======= == ====
00000000004D 00000040004D 0 !This program cannot be run in DOS mode.
0000000000E0 0000004000E0 0 RichS
0000000001E8 0000004001E8 0 .text
000000000210 000000400210 0 .rdata
000000000237 000000400237 0 @.data
000000000260 000000400260 0 .rsrc
000000000287 000000400287 0 @.reloc
00000000041F 00000040101F 0 URPQQh
000000000B4B 00000040174B 0 v N+D$
000000000B95 000000401795 0 UQPXY]Y[
00000000102C 000000401C2C 0 ShPB@
00000000108A 000000401C8A 0 f
000000001159 000000401D59 0 WhPB@
000000001484 000000402084 0 YYh0u
0000000014D8 0000004020D8 0 TSVWH
000000001762 000000402362 0 VVVVj
0000000017D5 0000004023D5 0 VVVhK)@
0000000018C5 0000004024C5 0 WWWh]#@
000000001929 000000402529 0 SVWj@h
000000001B79 000000402779 0 uehDE@
000000001BA8 0000004027A8 0 u3hlE@
000000001DF4 0000004029F4 0 uVhDE@
000000001E1F 000000402A1F 0 u+hlE@
00000000227C 000000402E7C 0 Ph8F@
0000000022D5 000000402ED5 0 @f;C.
000000002310 000000402F10 0 PhxF@
00000000276F 00000040336F 0 @f;C.
0000000027AA 0000004033AA 0 PhxF@
000000002804 000000403404 0 Wf
0000000028C6 0000004034C6 0 Xh G@
000000003014 000000403C14 0 f;B.s
000000003032 000000403C32 0 Cf;Z.r
0000000030AA 000000403CAA 0 PhHH@
0000000030C2 000000403CC2 0 PhlH@
0000000031DC 000000403DDC 0 QQSVW
000000003212 000000403E12 0 YWSVh
000000003246 000000403E46 0 YWSVh
00000000327A 000000403E7A 0 YWSVh
0000000032AE 000000403EAE 0 YWSVh
0000000032E2 000000403EE2 0 YWSVh
000000003330 000000403F30 0 YWSVh
000000003605 000000404205 0 ('8PW
00000000360E 00000040420E 0 700PP
000000003629 000000404229 0 xppwpp
00000000363C 00000040423C 0 Getting billcount.
000000003650 000000404250 0 maxbill = %d
000000003660 000000404260 0 GettingCDMStatus.
000000003674 000000404274 0 Getting CashUnitStatus.
00000000368C 00000040428C 0 User left, cleaning up.
0000000036A4 0000004042A4 0 Error locking XFS
0000000036B8 0000004042B8 0 Resetting CDM.
0000000036C8 0000004042C8 0 %d:[%d]
0000000036D8 0000004042D8 0 Error dispensing 0x%08X
0000000036F0 0000004042F0 0 No denominations found
000000003708 000000404308 0 %d...
000000003710 000000404310 0 No msxfs installed...
000000003728 000000404328 0 Waiting for freeze msxfs processes...
000000003750 000000404350 0 Starting WFSManager...
000000003768 000000404368 0 Connecting...
000000003778 000000404378 0 nxcdm
000000003780 000000404380 0 Connected. Version: wfs:%d.%d, srvc:%d.%d, spi:%d.%d
0000000037B8 0000004043B8 0 Unknown version %d
0000000037CC 0000004043CC 0 Disconnecting...
0000000037E0 0000004043E0 0 Error connecting: %p
0000000037F8 0000004043F8 0 Error starting WFS: %p
00000000382C 00000040442C 0 C:\xfsasdf.txt
00000000383C 00000040443C 0 --exchange
000000003848 000000404448 0 Injected mxsfs killer into %d.
000000003888 000000404488 0 msxfs.dll
000000003944 000000404544 0 kernel32.dll
000000003954 000000404554 0 EnumProcessModulesEx
00000000396C 00000040456C 0 psapi.dll
000000003978 000000404578 0 GetModuleFileNameExA
000000003990 000000404590 0 Error getting maxbill: %p
0000000039AC 0000004045AC 0 state=%d, safedoor=%d, dispenser=%d, stacker=%d
0000000039E0 0000004045E0 0 pos=%d, OutputPosition=%d, shutter=%d, transport=%d
000000003A18 000000404618 0 Error getting cdm status: 0x%p.
000000003A38 000000404638 0 Id:%s(nr=%d)(l=%d,h=%d), %d|%d|%d of %d [%s][%d][%d],[%d][%d]
000000003A78 000000404678 0 Error getting bill status: 0x%p.
000000003A9C 00000040469C 0 chosen %d | %d
000000003AAC 0000004046AC 0 pos=%d, status=%d, shutter=%d, transport=%d, status=%d
000000003AE4 0000004046E4 0 Id:%s(nr=%d)(l=%d,h=%d), %d|%d|%d of %d [%s][%d][%d],[%d]
000000003B20 000000404720 0 Exchanging cashunits
000000003B64 000000404764 0 USD A
000000003B6C 00000040476C 0 USD B
000000003B74 000000404774 0 USD C
000000003B7C 00000040477C 0 USD D
000000003B84 000000404784 0 Exchanged units
000000003B94 000000404794 0 Error ending exchange 0x%08X
000000003BB4 0000004047B4 0 Exchanged units to null
000000003BCC 0000004047CC 0 Error starting exchange 0x%08X
000000003BEC 0000004047EC 0 Getting cashunit infos
000000003C04 000000404804 0 Changing cashunit infos
000000003C1C 00000040481C 0 Setting cashunit infos
000000003C34 000000404834 0 Set cashunit infos
000000003C48 000000404848 0 Error setting cashunit info: 0x%p.
000000003C6C 00000040486C 0 Error getting cashunit info: 0x%p.
000000003C90 000000404890 0 WFSExecute
000000003C9C 00000040489C 0 WFSGetInfo
000000003CA8 0000004048A8 0 WFSOpen
000000003CB0 0000004048B0 0 WFSClose
000000003CBC 0000004048BC 0 WFSFreeResult
000000003CCC 0000004048CC 0 WFSStartUp
000000003CD8 0000004048D8 0 WFSCleanUp
000000003CE4 0000004048E4 0 WFSLock
000000003CEC 0000004048EC 0 WFSUnlock
000000003CF8 0000004048F8 0 Trying Nautilus.
000000003D0C 00000040490C 0 CashDispenser
000000003D1C 00000040491C 0 Connected Nautilus.
000000003D30 000000404930 0 Trying Nautilus2.
000000003D44 000000404944 0 NXCdm
000000003D4C 00000040494C 0 Connected Nautilus2.
000000003D64 000000404964 0 Trying Diabold.
000000003D74 000000404974 0 DBD_AdvFuncDisp
000000003D84 000000404984 0 Connected Diabold.
000000003D98 000000404998 0 Trying NCR.
000000003DA4 0000004049A4 0 CurrencyDispenser1
000000003DB8 0000004049B8 0 Connected NCR.
000000003DC8 0000004049C8 0 Trying WINCOR.
000000003DD8 0000004049D8 0 CDM30
000000003DE0 0000004049E0 0 Connected WINCOR.
000000003DF4 0000004049F4 0 Trying GENERIC.
000000003E08 000000404A08 0 Connected GENERIC.
000000003E6D 000000404A6D 0 N~+G
000000003E80 000000404A80 0 C:\_bkittest\dispenser\Release_noToken\dispenserXFS.pdb
000000004126 000000404D26 0 _snwprintf
000000004134 000000404D34 0 _snprintf
000000004140 000000404D40 0 _vsnprintf
00000000414E 000000404D4E 0 strstr
000000004158 000000404D58 0 fflush
000000004162 000000404D62 0 fopen
00000000416A 000000404D6A 0 srand
000000004172 000000404D72 0 fwrite
000000004184 000000404D84 0 swprintf
00000000418E 000000404D8E 0 msvcrt.dll
00000000419C 000000404D9C 0 _ismbblead
0000000041AA 000000404DAA 0 memset
0000000041B4 000000404DB4 0 __getmainargs
0000000041C4 000000404DC4 0 _cexit
0000000041CE 000000404DCE 0 _exit
0000000041D6 000000404DD6 0 _XcptFilter
0000000041EC 000000404DEC 0 _acmdln
0000000041F6 000000404DF6 0 _initterm
000000004202 000000404E02 0 _amsg_exit
000000004210 000000404E10 0 __setusermatherr
000000004224 000000404E24 0 __p__commode
000000004234 000000404E34 0 __p__fmode
000000004242 000000404E42 0 __set_app_type
000000004254 000000404E54 0 ?terminate@@YAXXZ
000000004268 000000404E68 0 _controlfp
000000004276 000000404E76 0 RtlUnwind
000000004280 000000404E80 0 ntdll.dll
00000000428C 000000404E8C 0 InitializeSecurityDescriptor
0000000042AC 000000404EAC 0 SetSecurityDescriptorDacl
0000000042C8 000000404EC8 0 ConvertStringSecurityDescriptorToSecurityDescriptorW
000000004300 000000404F00 0 GetSecurityDescriptorSacl
00000000431C 000000404F1C 0 SetSecurityDescriptorSacl
000000004338 000000404F38 0 GetSecurityDescriptorDacl
000000004352 000000404F52 0 ADVAPI32.dll
000000004362 000000404F62 0 GetCurrentProcess
000000004376 000000404F76 0 CloseHandle
000000004384 000000404F84 0 LocalFree
000000004390 000000404F90 0 CreateThread
0000000043A0 000000404FA0 0 ExitProcess
0000000043AE 000000404FAE 0 Sleep
0000000043B6 000000404FB6 0 InitializeCriticalSection
0000000043D2 000000404FD2 0 LeaveCriticalSection
0000000043EA 000000404FEA 0 EnterCriticalSection
000000004402 000000405002 0 CreateMutexW
000000004412 000000405012 0 CreateRemoteThread
000000004428 000000405028 0 OpenProcess
000000004436 000000405036 0 VirtualFreeEx
000000004446 000000405046 0 OpenMutexW
000000004454 000000405054 0 VirtualAllocEx
000000004466 000000405066 0 Process32FirstW
000000004478 000000405078 0 Process32NextW
00000000448A 00000040508A 0 CreateToolhelp32Snapshot
0000000044A6 0000004050A6 0 DuplicateHandle
0000000044B8 0000004050B8 0 GetCurrentProcessId
0000000044CE 0000004050CE 0 WriteProcessMemory
0000000044E4 0000004050E4 0 GetProcAddress
0000000044F6 0000004050F6 0 LoadLibraryA
000000004506 000000405106 0 GetTickCount
000000004516 000000405116 0 InterlockedExchange
00000000452C 00000040512C 0 InterlockedCompareExchange
00000000454A 00000040514A 0 GetStartupInfoA
00000000455C 00000040515C 0 TerminateProcess
000000004570 000000405170 0 UnhandledExceptionFilter
00000000458C 00000040518C 0 SetUnhandledExceptionFilter
0000000045AA 0000004051AA 0 GetModuleHandleA
0000000045BE 0000004051BE 0 QueryPerformanceCounter
0000000045D8 0000004051D8 0 GetCurrentThreadId
0000000045EE 0000004051EE 0 GetSystemTimeAsFileTime
000000004606 000000405206 0 KERNEL32.dll
000000004616 000000405216 0 DispatchMessageW
00000000462A 00000040522A 0 DefWindowProcW
00000000463C 00000040523C 0 UpdateWindow
00000000464C 00000040524C 0 SendMessageW
00000000465C 00000040525C 0 CreateWindowExW
00000000466E 00000040526E 0 ShowWindow
00000000467C 00000040527C 0 SetWindowPos
00000000468C 00000040528C 0 RedrawWindow
00000000469C 00000040529C 0 CreateWindowExA
0000000046AE 0000004052AE 0 SetRect
0000000046B8 0000004052B8 0 LoadIconW
0000000046C4 0000004052C4 0 RegisterClassExW
0000000046D8 0000004052D8 0 TranslateMessage
0000000046EC 0000004052EC 0 BeginPaint
0000000046FA 0000004052FA 0 SetFocus
000000004706 000000405306 0 LoadCursorW
000000004714 000000405314 0 DrawTextW
000000004720 000000405320 0 FillRect
00000000472C 00000040532C 0 PostQuitMessage
00000000473E 00000040533E 0 GetMessageW
00000000474C 00000040534C 0 DestroyWindow
00000000475C 00000040535C 0 EndPaint
000000004766 000000405366 0 USER32.dll
000000004A4E 00000040624E 0 z?aUY
000000004A90 000000406290 0 zc%C1
000000004AE3 0000004062E3 0 -64OS
000000006060 00000040B060 0 <?xml version='1.0' encoding='UTF-8' standalone='yes'?>
000000006099 00000040B099 0 <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
0000000060E4 00000040B0E4 0 <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
00000000611C 00000040B11C 0 <security>
00000000612C 00000040B12C 0 <requestedPrivileges>
000000006149 00000040B149 0 <requestedExecutionLevel level='asInvoker' uiAccess='false' />
000000006191 00000040B191 0 </requestedPrivileges>
0000000061AF 00000040B1AF 0 </security>
0000000061C0 00000040B1C0 0 </trustInfo>
0000000061D0 00000040B1D0 0 </assembly>
000000006209 00000040C009 0 0%010=1X2
000000006219 00000040C019 0 3"3'3,31363<3D3L3c3
000000006247 00000040C047 0 4 4(4>4C4
000000006263 00000040C063 0 4 505;5A5
00000000628D 00000040C08D 0 6#6*61686?6F6M6U6]6e6q6z6
0000000062BD 00000040C0BD 0 778E8
0000000062CB 00000040C0CB 0 9_9d9~9
0000000062D5 00000040C0D5 0 9,:O:\:h:p:x:
0000000062F9 00000040C0F9 0 <.<8<L<
000000006307 00000040C107 0 <'=4=F=[=h=|=
000000006317 00000040C117 0 ==>k>
00000000632D 00000040C12D 0 ?%?/?H?X?
000000006343 00000040C143 0 0 0A0M0]0e0r0{0
000000006363 00000040C163 0 101K1Y1
00000000637F 00000040C17F 0 2,2P2
00000000639B 00000040C19B 0 30363A3R3X3j3p3{3
0000000063CB 00000040C1CB 0 4)4F4U4k4
0000000063F3 00000040C1F3 0 5C5S5[5|5
00000000640D 00000040C20D 0 6W6b6i6z6
000000006421 00000040C221 0 7P7|7
00000000643D 00000040C23D 0 7A8\8p8
000000006455 00000040C255 0 9)9X9d9j9~9
000000006477 00000040C277 0 :":(:1:8:=:D:~:
000000006497 00000040C297 0 =d=l=
0000000064BF 00000040C2BF 0 2 2W2
0000000064CD 00000040C2CD 0 3I4a4
0000000064E1 00000040C2E1 0 6%7.9
0000000064E7 00000040C2E7 0 9,:L:l:
0000000064F3 00000040C2F3 0 ;&;.;>;Z;c;t;|;
00000000652B 00000040C32B 0 ="=(=-=4=:=?=F=L=Q=X=
000000006541 00000040C341 0 =c=j=p=u=|=
000000006565 00000040C365 0 >#>*>0>=>W>
000000006571 00000040C371 0 >d>q>
00000000658F 00000040C38F 0 ?'?A?H?N?]?v?
0000000065CF 00000040C3CF 0 ;,;0;
000000003868 000000404468 0 Global\%08X%08X
000000003898 000000404498 0 S:(ML;;NW;;;LW)D:(A;;0x1FFFFF;;;WD)(A;;0x1FFFFF;;;S-1-15-2-1)
000000003914 000000404514 0 D:(A;;0x1FFFFF;;;WD)
000000004B20 000000406320 0 NO_TOKEN
000000004B34 000000406334 0 win32app