ATM MALWARE NOTICE
dff7ee95100ffaec5848a73a7b306eaaee94ae691dfccff9fe6ce0a8f3b82c56
Date...........: 2014-02-03
Family.........: SkimerWC
File name......: Dumped
File size......: 60.50 KB
Type file......: DLL/Windows
Virscan........: VT (FIRST RACE!) - HA
Documentation..: https://vms.drweb.com/virus/?i=3763670
Additional note: Dump of e267fb3044c31256f06dd712c7aeae97ad148fd3157995a7e536e5473c1a2bc0
=== PEDUMP REPORT ===
=== MZ Header ===
signature: "MZ"
bytes_in_last_block: 80 0x50
blocks_in_file: 2 2
num_relocs: 0 0
header_paragraphs: 4 4
min_extra_paragraphs: 15 0xf
max_extra_paragraphs: 65535 0xffff
ss: 0 0
sp: 184 0xb8
checksum: 0 0
ip: 0 0
cs: 0 0
reloc_table_offset: 64 0x40
overlay_number: 26 0x1a
reserved0: 0 0
oem_id: 0 0
oem_info: 0 0
reserved2: 0 0
reserved3: 0 0
reserved4: 0 0
reserved5: 0 0
reserved6: 0 0
lfanew: 256 0x100
=== DOS STUB ===
00000000: ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 |........!..L.!..|
00000010: 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 |This program mus|
00000020: 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 |t be run under W|
00000030: 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 |in32..$7........|
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
=== PE Header ===
signature: "PE\x00\x00"
# IMAGE_FILE_HEADER:
Machine: 332 0x14c x86
NumberOfSections: 7 7
TimeDateStamp: "1992-06-19 22:22:17"
PointerToSymbolTable: 0 0
NumberOfSymbols: 0 0
SizeOfOptionalHeader: 224 0xe0
Characteristics: 41358 0xa18e EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO
32BIT_MACHINE, DLL, BYTES_REVERSED_HI
# IMAGE_OPTIONAL_HEADER32:
Magic: 267 0x10b 32-bit executable
LinkerVersion: 2.25
SizeOfCode: 31232 0x7a00
SizeOfInitializedData: 7680 0x1e00
SizeOfUninitializedData: 0 0
AddressOfEntryPoint: 34836 0x8814
BaseOfCode: 4096 0x1000
BaseOfData: 36864 0x9000
ImageBase: 50331648 0x3000000
SectionAlignment: 4096 0x1000
FileAlignment: 512 0x200
OperatingSystemVersion: 4.0
ImageVersion: 0.0
SubsystemVersion: 4.0
Reserved1: 0 0
SizeOfImage: 64512 0xfc00
SizeOfHeaders: 1024 0x400
CheckSum: 0 0
Subsystem: 2 2 WINDOWS_GUI
DllCharacteristics: 1 1 0x01
SizeOfStackReserve: 0 0
SizeOfStackCommit: 0 0
SizeOfHeapReserve: 1048576 0x100000
SizeOfHeapCommit: 4096 0x1000
LoaderFlags: 0 0
NumberOfRvaAndSizes: 16 0x10
=== DATA DIRECTORY ===
EXPORT rva:0x 0 size:0x 0
IMPORT rva:0x f000 size:0x a92
RESOURCE rva:0x e000 size:0x 600
EXCEPTION rva:0x 0 size:0x 0
SECURITY rva:0x 0 size:0x 0
BASERELOC rva:0x d000 size:0x 758
DEBUG rva:0x 0 size:0x 0
ARCHITECTURE rva:0x 0 size:0x 0
GLOBALPTR rva:0x 0 size:0x 0
TLS rva:0x 0 size:0x 0
LOAD_CONFIG rva:0x 0 size:0x 0
Bound_IAT rva:0x 0 size:0x 0
IAT rva:0x 0 size:0x 0
Delay_IAT rva:0x 0 size:0x 0
CLR_Header rva:0x 0 size:0x 0
rva:0x 0 size:0x 0
=== SECTIONS ===
NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
CODE 1000 7980 7980 1000 0 0 0 0 60000020 R-X CODE
DATA 9000 368 368 9000 0 0 0 0 c0000040 RW- IDATA
BSS a000 148d 148d a000 0 0 0 0 c0000000 RW-
.idata c000 a92 a92 c000 0 0 0 0 c0000040 RW- IDATA
.reloc d000 758 758 d000 0 0 0 0 50000040 R-- IDATA SHARED
.rsrc e000 600 600 e000 0 0 0 0 50000040 R-- IDATA SHARED
.idata2 f000 1000 c00 e600 0 0 0 0 c0000040 RW- IDATA
=== RESOURCES ===
FILE_OFFSET CP LANG SIZE TYPE NAME
0xe150 0 0x419 744 ICON #1
0xe438 0 0 16 RCDATA DVCLAL
0xe448 0 0 60 RCDATA PACKAGEINFO
0xe484 0 0x419 20 GROUP_ICON MAINICON
=== IMPORTS ===
MODULE_NAME HINT ORD FUNCTION_NAME
kernel32.dll 80 DeleteCriticalSection
kernel32.dll 244 LeaveCriticalSection
kernel32.dll 97 EnterCriticalSection
kernel32.dll 219 InitializeCriticalSection
kernel32.dll 372 VirtualFree
kernel32.dll 36f VirtualAlloc
kernel32.dll 24f LocalFree
kernel32.dll 24b LocalAlloc
kernel32.dll 1de GetVersion
kernel32.dll 13f GetCurrentThreadId
kernel32.dll 1d0 GetThreadLocale
kernel32.dll 1af GetStartupInfoA
kernel32.dll 16c GetLocaleInfoA
kernel32.dll 10a GetCommandLineA
kernel32.dll f1 FreeLibrary
kernel32.dll b7 ExitProcess
kernel32.dll 390 WriteFile
kernel32.dll 35c UnhandledExceptionFilter
kernel32.dll 2c8 RtlUnwind
kernel32.dll 29a RaiseException
kernel32.dll 1b1 GetStdHandle
user32.dll 128 GetKeyboardType
user32.dll 1dd MessageBoxA
advapi32.dll 1ef RegQueryValueExA
advapi32.dll 1e5 RegOpenKeyExA
advapi32.dll 1cb RegCloseKey
kernel32.dll 353 TlsSetValue
kernel32.dll 352 TlsGetValue
kernel32.dll 351 TlsFree
kernel32.dll 350 TlsAlloc
kernel32.dll 24f LocalFree
kernel32.dll 24b LocalAlloc
advapi32.dll 1ab OpenProcessToken
advapi32.dll 14e LookupPrivilegeValueA
advapi32.dll 135 InitiateSystemShutdownA
advapi32.dll 1e AdjustTokenPrivileges
kernel32.dll 3b7 lstrlen
kernel32.dll 3b1 lstrcpy
kernel32.dll 3b0 lstrcmpiW
kernel32.dll 3ae lstrcmpi
kernel32.dll 3ab lstrcmp
kernel32.dll 3a8 lstrcat
kernel32.dll 399 WriteProcessMemory
kernel32.dll 390 WriteFile
kernel32.dll 37f WaitForSingleObject
kernel32.dll 375 VirtualProtect
kernel32.dll 373 VirtualFreeEx
kernel32.dll 370 VirtualAllocEx
kernel32.dll 343 Sleep
kernel32.dll 30e SetFileTime
kernel32.dll 30a SetFilePointer
kernel32.dll 2a7 ReadFile
kernel32.dll 28d PulseEvent
kernel32.dll 278 OpenProcess
kernel32.dll 268 MultiByteToWideChar
kernel32.dll 24f LocalFree
kernel32.dll 24b LocalAlloc
kernel32.dll 245 LoadLibraryA
kernel32.dll 1e9 GetWindowsDirectoryA
kernel32.dll 1e1 GetVolumeInformationA
kernel32.dll 1c1 GetSystemTimeAsFileTime
kernel32.dll 199 GetProcAddress
kernel32.dll 177 GetModuleHandleA
kernel32.dll 175 GetModuleFileNameA
kernel32.dll 169 GetLastError
kernel32.dll 15c GetFileSize
kernel32.dll 154 GetExitCodeThread
kernel32.dll 13c GetCurrentProcess
kernel32.dll ec FormatMessageA
kernel32.dll c3 FileTimeToLocalFileTime
kernel32.dll b7 ExitProcess
kernel32.dll 82 DeleteFileA
kernel32.dll 6d CreateThread
kernel32.dll 68 CreateRemoteThread
kernel32.dll 50 CreateFileA
kernel32.dll 4c CreateEventA
kernel32.dll 32 CloseHandle
gdi32.dll 210 SelectObject
gdi32.dll 1f8 Rectangle
gdi32.dll 1be GetTextMetricsA
gdi32.dll 16d GetDeviceCaps
gdi32.dll 90 DeleteObject
gdi32.dll 8d DeleteDC
gdi32.dll 51 CreateSolidBrush
gdi32.dll 2f CreateDCA
user32.dll 61 CreateWindowExA
user32.dll 2b4 UnregisterClassA
user32.dll 2ab TranslateMessage
user32.dll 27b SetTimer
user32.dll 257 SetFocus
user32.dll 23c SendMessageA
user32.dll 217 RegisterClassA
user32.dll 200 PostMessageA
user32.dll 1fe PeekMessageA
user32.dll 1bc LoadIconA
user32.dll 1b8 LoadCursorA
user32.dll 194 InvalidateRect
user32.dll 178 GetWindowTextA
user32.dll 16d GetWindowDC
user32.dll 13b GetMessageA
user32.dll 10f GetDesktopWindow
user32.dll 100 GetClientRect
user32.dll bd DrawTextA
user32.dll a2 DispatchMessageA
user32.dll 9a DestroyWindow
user32.dll 8f DefWindowProcA
kernel32.dll 375 VirtualProtect
user32.dll 2d9 wsprintfA
psapi.dll d GetModuleBaseNameA
psapi.dll 6 EnumProcesses
=== Strings ===
File pos Mem pos ID Text
======== ======= == ====
000000000050 000003000050 0 This program must be run under Win32
000000000270 000003000270 0 .idata
000000000298 000003000298 0 .reloc
0000000002BF 0000030002BF 0 P.rsrc
0000000002E7 0000030002E7 0 P.idata2
00000000118C 00000300118C 0 SVWUQ
0000000013AD 0000030013AD 0 w;;t$
0000000014B8 0000030014B8 0 SVWUQ
000000002667 000003002667 0 ~KxI[)
000000002790 000003002790 0 SOFTWARE\Borland\Delphi\RTL
0000000027AC 0000030027AC 0 FPUMaskValue
0000000027F9 0000030027F9 0 PPRTj
000000002973 000003002973 0 YZXtp
000000002AEA 000003002AEA 0 t=HtN
0000000030AC 0000030030AC 0 USVW1
000000003A90 000003003A90 0 DISPLAY
000000003D18 000003003D18 0 CSCWIDU.DLL
000000003D24 000003003D24 0 LoadLibrary(CSCWIDU.DLL)
000000003D40 000003003D40 0 CscIduOpen
000000003D4C 000003003D4C 0 CscIduClose
000000003D58 000003003D58 0 CscIduInit
000000003D64 000003003D64 0 CscIduEntry
000000003D70 000003003D70 0 CscIduEject
000000003D7C 000003003D7C 0 CscIduChipCard
000000003D8C 000003003D8C 0 CscIduChipMode
000000003D9C 000003003D9C 0 CscIduChipProtT0
000000003DB0 000003003DB0 0 CscIduCancel
000000003DC0 000003003DC0 0 CscIduStatus
000000003DD0 000003003DD0 0 CscIduGetRelease
000000003DE4 000003003DE4 0 CSCWEDM.DLL
000000003DF0 000003003DF0 0 LoadLibrary(CSCWEDM.DLL)
000000003E0C 000003003E0C 0 CscEdmOpen
000000003E18 000003003E18 0 CscEdmDecryptEx
000000003E28 000003003E28 0 CscEdmClose
000000003FD4 000003003FD4 0 GetProcAddress
000000004374 000003004374 0 ATMDialog
000000004380 000003004380 0 hello
000000004388 000003004388 0 STATIC
0000000046C8 0000030046C8 0 Agent %s
0000000046D8 0000030046D8 0 Transactions %d
0000000046E9 0000030046E9 0 Cards %d
0000000046FD 0000030046FD 0 KEYs %d
000000004710 000003004710 0 Agent status
00000000486C 00000300486C 0 TOKEN_ADJUST_PRIVILEGES
000000004884 000003004884 0 OpenProcessToken
000000004898 000003004898 0 LookupPrivilegeValue
0000000048B0 0000030048B0 0 AdjustTokenPrivileges
0000000048F8 0000030048F8 0 SeShutdownPrivilege
000000004910 000003004910 0 InitiateSystemShutdown
000000004944 000003004944 0 ProAgent
0000000049AC 0000030049AC 0 Error in %s Class:%.8X Code:%.8X Warning:%.8X Action:%.8X
0000000049EC 0000030049EC 0 ProAgent Error
000000004B0C 000003004B0C 0 CscIduChipProtT0
0000000052A8 0000030052A8 0 CscIduEntry
0000000052B4 0000030052B4 0 CscIduChipMode(READ)
0000000052CC 0000030052CC 0 CscIduChipMode(write)
0000000052E4 0000030052E4 0 CscIduChipCard
0000000052F4 0000030052F4 0 CscIduEject
000000005384 000003005384 0 CscEdmDecryptEx
000000005484 000003005484 0 APPL01
00000000548C 00000300548C 0 CscEdmOpen
000000005498 000003005498 0 CscEdmClose
0000000055F4 0000030055F4 0 =MASTER A-KEY
000000005AAC 000003005AAC 0 =COMM KEY
00000000631A 00000300631A 0 ;TK*u
000000006320 000003006320 0 ;DK&vO
000000006AB8 000003006AB8 0 CscIduCancel
000000006BC0 000003006BC0 0 No decoded info
000000006CE8 000003006CE8 0 CscIduCancel
000000006F25 000003006F25 0 B hdp
000000006FE4 000003006FE4 0 kernel32
000000006FF0 000003006FF0 0 DeleteFileA
000000006FFC 000003006FFC 0 FreeLibrary
000000007008 000003007008 0 GetModuleHandleA
00000000701C 00000300701C 0 CreateFileA
000000007028 000003007028 0 Sleep
000000007030 000003007030 0 WriteFile
00000000703C 00000300703C 0 CloseHandle
000000007048 000003007048 0 LocalFree
000000007054 000003007054 0 LoadLibraryA
000000007064 000003007064 0 GetLastError
000000007074 000003007074 0 c:\log123
000000007148 000003007148 0 EnumProcesses
000000007660 000003007660 0 SeDebugPrivilege
000000007674 000003007674 0 OpenProcess
000000007680 000003007680 0 LoadLibraryA
000000007690 000003007690 0 kernel32.dll
0000000076A0 0000030076A0 0 GetExitCodeThread
0000000076B4 0000030076B4 0 VirtualFreeEx
000000007836 000003007836 0 ~*h8r
00000000786C 00000300786C 0 kernel32.dll
00000000787C 00000300787C 0 CreateFileA
000000007888 000003007888 0 GetFileTime
000000007894 000003007894 0 SetFileTime
0000000078A0 0000030078A0 0 GetFileSize
0000000078AC 0000030078AC 0 ReadFile
0000000078B8 0000030078B8 0 WriteFile
0000000078C4 0000030078C4 0 SetFilePointer
0000000078D4 0000030078D4 0 CloseHandle
0000000078E0 0000030078E0 0 LocalAlloc
0000000078EC 0000030078EC 0 LocalFree
0000000078F8 0000030078F8 0 ExitThread
000000007904 000003007904 0 VirtualFree
000000007910 000003007910 0 Sleep
000000007918 000003007918 0 DeleteFileA
000000007998 000003007998 0 explorer.exe
000000007BE4 000003007BE4 0 *716046#X
000000007DC8 000003007DC8 0 =COMM KEY
000000008164 000003008164 0 CscEdmKcRead
000000008174 000003008174 0 cscwedm.dll
000000008180 000003008180 0 CscEdmImport
000000008190 000003008190 0 CscEdmPinGetEx
0000000081A0 0000030081A0 0 CscIduEntry
0000000081AC 0000030081AC 0 cscwidu.dll
0000000081B8 0000030081B8 0 CscIduGetRelease
0000000081CC 0000030081CC 0 CscIduRead
0000000081D8 0000030081D8 0 66#m{
000000008324 000003008324 0 TagEndDecoder
0000000083B5 0000030083B5 0 33333
0000000083D7 0000030083D7 0 UUUU3
000000008529 000003008529 0 VWUSQ
000000008571 000003008571 0 33333
000000008593 000003008593 0 UUUU3
000000008647 000003008647 0 UUUU3
0000000086A5 0000030086A5 0 VWUSQ
00000000875C 00000300875C 0 UUUU3
000000008859 000003008859 0 8NTFS
000000008948 000003008948 0 \desktop.ini:userA
00000000895C 00000300895C 0 \desktop.ini:userB
000000008970 000003008970 0 \userA
000000008978 000003008978 0 \userB
00000000904C 00000300904C 0 Error
000000009054 000003009054 0 Runtime error at 00000000
000000009074 000003009074 0 0123456789ABCDEF
0000000090B0 0000030090B0 0 $1%2&3445566D7E8F9T*U0V#'
0000000090D2 0000030090D2 0 <o:o:_;OPO
0000000090E1 0000030090E1 0 OLONO
0000000090ED 0000030090ED 0 O!O%O
000000009220 000003009220 0 <4,$?7/'
000000009266 000003009266 0 !"#$%&'()*+,-./012345678
0000000092B1 0000030092B1 0 (3-!0
0000000092B8 0000030092B8 0 ,1'8"5
00000000C2D4 00000300C2D4 0 kernel32.dll
00000000C2E4 00000300C2E4 0 DeleteCriticalSection
00000000C2FC 00000300C2FC 0 LeaveCriticalSection
00000000C314 00000300C314 0 EnterCriticalSection
00000000C32C 00000300C32C 0 InitializeCriticalSection
00000000C348 00000300C348 0 VirtualFree
00000000C356 00000300C356 0 VirtualAlloc
00000000C366 00000300C366 0 LocalFree
00000000C372 00000300C372 0 LocalAlloc
00000000C380 00000300C380 0 GetVersion
00000000C38E 00000300C38E 0 GetCurrentThreadId
00000000C3A4 00000300C3A4 0 GetThreadLocale
00000000C3B6 00000300C3B6 0 GetStartupInfoA
00000000C3C8 00000300C3C8 0 GetLocaleInfoA
00000000C3DA 00000300C3DA 0 GetCommandLineA
00000000C3EC 00000300C3EC 0 FreeLibrary
00000000C3FA 00000300C3FA 0 ExitProcess
00000000C408 00000300C408 0 WriteFile
00000000C414 00000300C414 0 UnhandledExceptionFilter
00000000C430 00000300C430 0 RtlUnwind
00000000C43C 00000300C43C 0 RaiseException
00000000C44E 00000300C44E 0 GetStdHandle
00000000C45C 00000300C45C 0 user32.dll
00000000C46A 00000300C46A 0 GetKeyboardType
00000000C47C 00000300C47C 0 MessageBoxA
00000000C488 00000300C488 0 advapi32.dll
00000000C498 00000300C498 0 RegQueryValueExA
00000000C4AC 00000300C4AC 0 RegOpenKeyExA
00000000C4BC 00000300C4BC 0 RegCloseKey
00000000C4C8 00000300C4C8 0 kernel32.dll
00000000C4D8 00000300C4D8 0 TlsSetValue
00000000C4E6 00000300C4E6 0 TlsGetValue
00000000C4F4 00000300C4F4 0 TlsFree
00000000C4FE 00000300C4FE 0 TlsAlloc
00000000C50A 00000300C50A 0 LocalFree
00000000C516 00000300C516 0 LocalAlloc
00000000C522 00000300C522 0 advapi32.dll
00000000C532 00000300C532 0 OpenProcessToken
00000000C546 00000300C546 0 LookupPrivilegeValueA
00000000C55E 00000300C55E 0 InitiateSystemShutdownA
00000000C578 00000300C578 0 AdjustTokenPrivileges
00000000C58E 00000300C58E 0 kernel32.dll
00000000C59E 00000300C59E 0 lstrlenA
00000000C5AA 00000300C5AA 0 lstrcpyA
00000000C5B6 00000300C5B6 0 lstrcmpiW
00000000C5C2 00000300C5C2 0 lstrcmpiA
00000000C5CE 00000300C5CE 0 lstrcmpA
00000000C5DA 00000300C5DA 0 lstrcatA
00000000C5E6 00000300C5E6 0 WriteProcessMemory
00000000C5FC 00000300C5FC 0 WriteFile
00000000C608 00000300C608 0 WaitForSingleObject
00000000C61E 00000300C61E 0 VirtualProtect
00000000C630 00000300C630 0 VirtualFreeEx
00000000C640 00000300C640 0 VirtualAllocEx
00000000C652 00000300C652 0 Sleep
00000000C65A 00000300C65A 0 SetFileTime
00000000C668 00000300C668 0 SetFilePointer
00000000C67A 00000300C67A 0 ReadFile
00000000C686 00000300C686 0 PulseEvent
00000000C694 00000300C694 0 OpenProcess
00000000C6A2 00000300C6A2 0 MultiByteToWideChar
00000000C6B8 00000300C6B8 0 LocalFree
00000000C6C4 00000300C6C4 0 LocalAlloc
00000000C6D2 00000300C6D2 0 LoadLibraryA
00000000C6E2 00000300C6E2 0 GetWindowsDirectoryA
00000000C6FA 00000300C6FA 0 GetVolumeInformationA
00000000C712 00000300C712 0 GetSystemTimeAsFileTime
00000000C72C 00000300C72C 0 GetProcAddress
00000000C73E 00000300C73E 0 GetModuleHandleA
00000000C752 00000300C752 0 GetModuleFileNameA
00000000C768 00000300C768 0 GetLastError
00000000C778 00000300C778 0 GetFileSize
00000000C786 00000300C786 0 GetExitCodeThread
00000000C79A 00000300C79A 0 GetCurrentProcess
00000000C7AE 00000300C7AE 0 FormatMessageA
00000000C7C0 00000300C7C0 0 FileTimeToLocalFileTime
00000000C7DA 00000300C7DA 0 ExitProcess
00000000C7E8 00000300C7E8 0 DeleteFileA
00000000C7F6 00000300C7F6 0 CreateThread
00000000C806 00000300C806 0 CreateRemoteThread
00000000C81C 00000300C81C 0 CreateFileA
00000000C82A 00000300C82A 0 CreateEventA
00000000C83A 00000300C83A 0 CloseHandle
00000000C846 00000300C846 0 gdi32.dll
00000000C852 00000300C852 0 SelectObject
00000000C862 00000300C862 0 Rectangle
00000000C86E 00000300C86E 0 GetTextMetricsA
00000000C880 00000300C880 0 GetDeviceCaps
00000000C890 00000300C890 0 DeleteObject
00000000C8A0 00000300C8A0 0 DeleteDC
00000000C8AC 00000300C8AC 0 CreateSolidBrush
00000000C8C0 00000300C8C0 0 CreateDCA
00000000C8CA 00000300C8CA 0 user32.dll
00000000C8D8 00000300C8D8 0 CreateWindowExA
00000000C8EA 00000300C8EA 0 UnregisterClassA
00000000C8FE 00000300C8FE 0 TranslateMessage
00000000C912 00000300C912 0 SetTimer
00000000C91E 00000300C91E 0 SetFocus
00000000C92A 00000300C92A 0 SendMessageA
00000000C93A 00000300C93A 0 RegisterClassA
00000000C94C 00000300C94C 0 PostMessageA
00000000C95C 00000300C95C 0 PeekMessageA
00000000C96C 00000300C96C 0 LoadIconA
00000000C978 00000300C978 0 LoadCursorA
00000000C986 00000300C986 0 InvalidateRect
00000000C998 00000300C998 0 GetWindowTextA
00000000C9AA 00000300C9AA 0 GetWindowDC
00000000C9B8 00000300C9B8 0 GetMessageA
00000000C9C6 00000300C9C6 0 GetDesktopWindow
00000000C9DA 00000300C9DA 0 GetClientRect
00000000C9EA 00000300C9EA 0 DrawTextA
00000000C9F6 00000300C9F6 0 DispatchMessageA
00000000CA0A 00000300CA0A 0 DestroyWindow
00000000CA1A 00000300CA1A 0 DefWindowProcA
00000000CA2A 00000300CA2A 0 kernel32.dll
00000000CA3A 00000300CA3A 0 VirtualProtect
00000000CA4A 00000300CA4A 0 user32.dll
00000000CA58 00000300CA58 0 wsprintfA
00000000CA62 00000300CA62 0 PSAPI.DLL
00000000CA6E 00000300CA6E 0 GetModuleBaseNameA
00000000CA84 00000300CA84 0 EnumProcesses
00000000E455 00000300E455 0 Pwinstr
00000000E45E 00000300E45E 0 UTypes
00000000E467 00000300E467 0 System
00000000E470 00000300E470 0 SysInit
00000000E479 00000300E479 0 KWindows
00000000E6F0 00000300F0F0 0 kernel32.dll
00000000E6FF 00000300F0FF 0 DeleteCriticalSection
00000000E717 00000300F117 0 LeaveCriticalSection
00000000E72E 00000300F12E 0 EnterCriticalSection
00000000E745 00000300F145 0 InitializeCriticalSection
00000000E761 00000300F161 0 VirtualFree
00000000E76F 00000300F16F 0 VirtualAlloc
00000000E77E 00000300F17E 0 LocalFree
00000000E78A 00000300F18A 0 LocalAlloc
00000000E797 00000300F197 0 GetVersion
00000000E7A4 00000300F1A4 0 GetCurrentThreadId
00000000E7B9 00000300F1B9 0 GetThreadLocale
00000000E7CB 00000300F1CB 0 GetStartupInfoA
00000000E7DD 00000300F1DD 0 GetLocaleInfoA
00000000E7EE 00000300F1EE 0 GetCommandLineA
00000000E800 00000300F200 0 FreeLibrary
00000000E80E 00000300F20E 0 ExitProcess
00000000E81C 00000300F21C 0 WriteFile
00000000E828 00000300F228 0 UnhandledExceptionFilter
00000000E843 00000300F243 0 RtlUnwind
00000000E84F 00000300F24F 0 RaiseException
00000000E860 00000300F260 0 GetStdHandle
00000000E86D 00000300F26D 0 user32.dll
00000000E87A 00000300F27A 0 GetKeyboardType
00000000E88C 00000300F28C 0 MessageBoxA
00000000E898 00000300F298 0 advapi32.dll
00000000E8A7 00000300F2A7 0 RegQueryValueExA
00000000E8BA 00000300F2BA 0 RegOpenKeyExA
00000000E8CA 00000300F2CA 0 RegCloseKey
00000000E8D6 00000300F2D6 0 kernel32.dll
00000000E8E5 00000300F2E5 0 TlsSetValue
00000000E8F3 00000300F2F3 0 TlsGetValue
00000000E901 00000300F301 0 TlsFree
00000000E90B 00000300F30B 0 TlsAlloc
00000000E916 00000300F316 0 LocalFree
00000000E922 00000300F322 0 LocalAlloc
00000000E92D 00000300F32D 0 advapi32.dll
00000000E93C 00000300F33C 0 OpenProcessToken
00000000E94F 00000300F34F 0 LookupPrivilegeValueA
00000000E967 00000300F367 0 InitiateSystemShutdownA
00000000E981 00000300F381 0 AdjustTokenPrivileges
00000000E997 00000300F397 0 kernel32.dll
00000000E9A6 00000300F3A6 0 lstrlen
00000000E9B0 00000300F3B0 0 lstrcpy
00000000E9BA 00000300F3BA 0 lstrcmpiW
00000000E9C6 00000300F3C6 0 lstrcmpi
00000000E9D1 00000300F3D1 0 lstrcmp
00000000E9DB 00000300F3DB 0 lstrcat
00000000E9E5 00000300F3E5 0 WriteProcessMemory
00000000E9FA 00000300F3FA 0 WriteFile
00000000EA06 00000300F406 0 WaitForSingleObject
00000000EA1C 00000300F41C 0 VirtualProtect
00000000EA2D 00000300F42D 0 VirtualFreeEx
00000000EA3D 00000300F43D 0 VirtualAllocEx
00000000EA4E 00000300F44E 0 Sleep
00000000EA56 00000300F456 0 SetFileTime
00000000EA64 00000300F464 0 SetFilePointer
00000000EA75 00000300F475 0 ReadFile
00000000EA80 00000300F480 0 PulseEvent
00000000EA8D 00000300F48D 0 OpenProcess
00000000EA9B 00000300F49B 0 MultiByteToWideChar
00000000EAB1 00000300F4B1 0 LocalFree
00000000EABD 00000300F4BD 0 LocalAlloc
00000000EACA 00000300F4CA 0 LoadLibraryA
00000000EAD9 00000300F4D9 0 GetWindowsDirectoryA
00000000EAF0 00000300F4F0 0 GetVolumeInformationA
00000000EB08 00000300F508 0 GetSystemTimeAsFileTime
00000000EB22 00000300F522 0 GetProcAddress
00000000EB33 00000300F533 0 GetModuleHandleA
00000000EB46 00000300F546 0 GetModuleFileNameA
00000000EB5B 00000300F55B 0 GetLastError
00000000EB6A 00000300F56A 0 GetFileSize
00000000EB78 00000300F578 0 GetExitCodeThread
00000000EB8C 00000300F58C 0 GetCurrentProcess
00000000EBA0 00000300F5A0 0 FormatMessageA
00000000EBB1 00000300F5B1 0 FileTimeToLocalFileTime
00000000EBCB 00000300F5CB 0 ExitProcess
00000000EBD9 00000300F5D9 0 DeleteFileA
00000000EBE7 00000300F5E7 0 CreateThread
00000000EBF6 00000300F5F6 0 CreateRemoteThread
00000000EC0B 00000300F60B 0 CreateFileA
00000000EC19 00000300F619 0 CreateEventA
00000000EC28 00000300F628 0 CloseHandle
00000000EC34 00000300F634 0 gdi32.dll
00000000EC40 00000300F640 0 SelectObject
00000000EC4F 00000300F64F 0 Rectangle
00000000EC5B 00000300F65B 0 GetTextMetricsA
00000000EC6D 00000300F66D 0 GetDeviceCaps
00000000EC7D 00000300F67D 0 DeleteObject
00000000EC8C 00000300F68C 0 DeleteDC
00000000EC97 00000300F697 0 CreateSolidBrush
00000000ECAA 00000300F6AA 0 CreateDCA
00000000ECB4 00000300F6B4 0 user32.dll
00000000ECC1 00000300F6C1 0 CreateWindowExA
00000000ECD3 00000300F6D3 0 UnregisterClassA
00000000ECE6 00000300F6E6 0 TranslateMessage
00000000ECF9 00000300F6F9 0 SetTimer
00000000ED04 00000300F704 0 SetFocus
00000000ED0F 00000300F70F 0 SendMessageA
00000000ED1E 00000300F71E 0 RegisterClassA
00000000ED2F 00000300F72F 0 PostMessageA
00000000ED3E 00000300F73E 0 PeekMessageA
00000000ED4D 00000300F74D 0 LoadIconA
00000000ED59 00000300F759 0 LoadCursorA
00000000ED67 00000300F767 0 InvalidateRect
00000000ED78 00000300F778 0 GetWindowTextA
00000000ED89 00000300F789 0 GetWindowDC
00000000ED97 00000300F797 0 GetMessageA
00000000EDA5 00000300F7A5 0 GetDesktopWindow
00000000EDB8 00000300F7B8 0 GetClientRect
00000000EDC8 00000300F7C8 0 DrawTextA
00000000EDD4 00000300F7D4 0 DispatchMessageA
00000000EDE7 00000300F7E7 0 DestroyWindow
00000000EDF7 00000300F7F7 0 DefWindowProcA
00000000EE06 00000300F806 0 kernel32.dll
00000000EE15 00000300F815 0 VirtualProtect
00000000EE24 00000300F824 0 user32.dll
00000000EE31 00000300F831 0 wsprintfA
00000000EE3B 00000300F83B 0 psapi.dll
00000000EE47 00000300F847 0 GetModuleBaseNameA
00000000EE5C 00000300F85C 0 EnumProcesses
00000000E140 00000300E140 0 MAINICON(
000000000050 000003000050 0 This program must be run under Win32
000000000270 000003000270 0 .idata
000000000298 000003000298 0 .reloc
0000000002BF 0000030002BF 0 P.rsrc
0000000002E7 0000030002E7 0 P.idata2
00000000118C 00000300118C 0 SVWUQ
0000000013AD 0000030013AD 0 w;;t$
0000000014B8 0000030014B8 0 SVWUQ
File pos Mem pos ID Text
======== ======= == ====
000000002667 000003002667 0 ~KxI[)
000000002790 000003002790 0 SOFTWARE\Borland\Delphi\RTL
0000000027AC 0000030027AC 0 FPUMaskValue
0000000027F9 0000030027F9 0 PPRTj
000000002973 000003002973 0 YZXtp
000000002AEA 000003002AEA 0 t=HtN
0000000030AC 0000030030AC 0 USVW1
000000003A90 000003003A90 0 DISPLAY
000000003D18 000003003D18 0 CSCWIDU.DLL
000000003D24 000003003D24 0 LoadLibrary(CSCWIDU.DLL)
000000003D40 000003003D40 0 CscIduOpen
000000003D4C 000003003D4C 0 CscIduClose
000000003D58 000003003D58 0 CscIduInit
000000003D64 000003003D64 0 CscIduEntry
000000003D70 000003003D70 0 CscIduEject
000000003D7C 000003003D7C 0 CscIduChipCard
000000003D8C 000003003D8C 0 CscIduChipMode
000000003D9C 000003003D9C 0 CscIduChipProtT0
000000003DB0 000003003DB0 0 CscIduCancel
000000003DC0 000003003DC0 0 CscIduStatus
000000003DD0 000003003DD0 0 CscIduGetRelease
000000003DE4 000003003DE4 0 CSCWEDM.DLL
000000003DF0 000003003DF0 0 LoadLibrary(CSCWEDM.DLL)
000000003E0C 000003003E0C 0 CscEdmOpen
000000003E18 000003003E18 0 CscEdmDecryptEx
000000003E28 000003003E28 0 CscEdmClose
000000003FD4 000003003FD4 0 GetProcAddress
000000004374 000003004374 0 ATMDialog
000000004380 000003004380 0 hello
000000004388 000003004388 0 STATIC
0000000046C8 0000030046C8 0 Agent %s
0000000046D8 0000030046D8 0 Transactions %d
0000000046E9 0000030046E9 0 Cards %d
0000000046FD 0000030046FD 0 KEYs %d
000000004710 000003004710 0 Agent status
00000000486C 00000300486C 0 TOKEN_ADJUST_PRIVILEGES
000000004884 000003004884 0 OpenProcessToken
000000004898 000003004898 0 LookupPrivilegeValue
0000000048B0 0000030048B0 0 AdjustTokenPrivileges
0000000048F8 0000030048F8 0 SeShutdownPrivilege
000000004910 000003004910 0 InitiateSystemShutdown
000000004944 000003004944 0 ProAgent
0000000049AC 0000030049AC 0 Error in %s Class:%.8X Code:%.8X Warning:%.8X Action:%.8X
0000000049EC 0000030049EC 0 ProAgent Error
000000004B0C 000003004B0C 0 CscIduChipProtT0
0000000052A8 0000030052A8 0 CscIduEntry
0000000052B4 0000030052B4 0 CscIduChipMode(READ)
0000000052CC 0000030052CC 0 CscIduChipMode(write)
0000000052E4 0000030052E4 0 CscIduChipCard
0000000052F4 0000030052F4 0 CscIduEject
000000005384 000003005384 0 CscEdmDecryptEx
000000005484 000003005484 0 APPL01
00000000548C 00000300548C 0 CscEdmOpen
000000005498 000003005498 0 CscEdmClose
0000000055F4 0000030055F4 0 =MASTER A-KEY
000000005AAC 000003005AAC 0 =COMM KEY
00000000631A 00000300631A 0 ;TK*u
000000006320 000003006320 0 ;DK&vO
000000006AB8 000003006AB8 0 CscIduCancel
000000006BC0 000003006BC0 0 No decoded info
File pos Mem pos ID Text
======== ======= == ====
000000006CE8 000003006CE8 0 CscIduCancel
000000006F25 000003006F25 0 B hdp
000000006FE4 000003006FE4 0 kernel32
000000006FF0 000003006FF0 0 DeleteFileA
000000006FFC 000003006FFC 0 FreeLibrary
000000007008 000003007008 0 GetModuleHandleA
00000000701C 00000300701C 0 CreateFileA
000000007028 000003007028 0 Sleep
000000007030 000003007030 0 WriteFile
00000000703C 00000300703C 0 CloseHandle
000000007048 000003007048 0 LocalFree
000000007054 000003007054 0 LoadLibraryA
000000007064 000003007064 0 GetLastError
000000007074 000003007074 0 c:\log123
000000007148 000003007148 0 EnumProcesses
000000007660 000003007660 0 SeDebugPrivilege
000000007674 000003007674 0 OpenProcess
000000007680 000003007680 0 LoadLibraryA
000000007690 000003007690 0 kernel32.dll
0000000076A0 0000030076A0 0 GetExitCodeThread
0000000076B4 0000030076B4 0 VirtualFreeEx
000000007836 000003007836 0 ~*h8r
00000000786C 00000300786C 0 kernel32.dll
00000000787C 00000300787C 0 CreateFileA
000000007888 000003007888 0 GetFileTime
000000007894 000003007894 0 SetFileTime
0000000078A0 0000030078A0 0 GetFileSize
0000000078AC 0000030078AC 0 ReadFile
0000000078B8 0000030078B8 0 WriteFile
0000000078C4 0000030078C4 0 SetFilePointer
0000000078D4 0000030078D4 0 CloseHandle
0000000078E0 0000030078E0 0 LocalAlloc
0000000078EC 0000030078EC 0 LocalFree
0000000078F8 0000030078F8 0 ExitThread
000000007904 000003007904 0 VirtualFree
000000007910 000003007910 0 Sleep
000000007918 000003007918 0 DeleteFileA
000000007998 000003007998 0 explorer.exe
000000007BE4 000003007BE4 0 *716046#X
000000007DC8 000003007DC8 0 =COMM KEY
000000008164 000003008164 0 CscEdmKcRead
000000008174 000003008174 0 cscwedm.dll
000000008180 000003008180 0 CscEdmImport
000000008190 000003008190 0 CscEdmPinGetEx
0000000081A0 0000030081A0 0 CscIduEntry
0000000081AC 0000030081AC 0 cscwidu.dll
0000000081B8 0000030081B8 0 CscIduGetRelease
0000000081CC 0000030081CC 0 CscIduRead
0000000081D8 0000030081D8 0 66#m{
000000008324 000003008324 0 TagEndDecoder
0000000083B5 0000030083B5 0 33333
0000000083D7 0000030083D7 0 UUUU3
000000008529 000003008529 0 VWUSQ
000000008571 000003008571 0 33333
000000008593 000003008593 0 UUUU3
000000008647 000003008647 0 UUUU3
0000000086A5 0000030086A5 0 VWUSQ
00000000875C 00000300875C 0 UUUU3
000000008859 000003008859 0 8NTFS
000000008948 000003008948 0 \desktop.ini:userA
00000000895C 00000300895C 0 \desktop.ini:userB
000000008970 000003008970 0 \userA
000000008978 000003008978 0 \userB
00000000904C 00000300904C 0 Error
000000009054 000003009054 0 Runtime error at 00000000
000000009074 000003009074 0 0123456789ABCDEF
0000000090B0 0000030090B0 0 $1%2&3445566D7E8F9T*U0V#'
0000000090D2 0000030090D2 0 <o:o:_;OPO
0000000090E1 0000030090E1 0 OLONO
0000000090ED 0000030090ED 0 O!O%O
000000009220 000003009220 0 <4,$?7/'
000000009266 000003009266 0 !"#$%&'()*+,-./012345678
0000000092B1 0000030092B1 0 (3-!0
0000000092B8 0000030092B8 0 ,1'8"5
00000000C2D4 00000300C2D4 0 kernel32.dll
00000000C2E4 00000300C2E4 0 DeleteCriticalSection
00000000C2FC 00000300C2FC 0 LeaveCriticalSection
00000000C314 00000300C314 0 EnterCriticalSection
00000000C32C 00000300C32C 0 InitializeCriticalSection
00000000C348 00000300C348 0 VirtualFree
00000000C356 00000300C356 0 VirtualAlloc
00000000C366 00000300C366 0 LocalFree
00000000C372 00000300C372 0 LocalAlloc
00000000C380 00000300C380 0 GetVersion
00000000C38E 00000300C38E 0 GetCurrentThreadId
00000000C3A4 00000300C3A4 0 GetThreadLocale
00000000C3B6 00000300C3B6 0 GetStartupInfoA
00000000C3C8 00000300C3C8 0 GetLocaleInfoA
00000000C3DA 00000300C3DA 0 GetCommandLineA
00000000C3EC 00000300C3EC 0 FreeLibrary
00000000C3FA 00000300C3FA 0 ExitProcess
00000000C408 00000300C408 0 WriteFile
00000000C414 00000300C414 0 UnhandledExceptionFilter
00000000C430 00000300C430 0 RtlUnwind
00000000C43C 00000300C43C 0 RaiseException
00000000C44E 00000300C44E 0 GetStdHandle
00000000C45C 00000300C45C 0 user32.dll
00000000C46A 00000300C46A 0 GetKeyboardType
00000000C47C 00000300C47C 0 MessageBoxA
00000000C488 00000300C488 0 advapi32.dll
00000000C498 00000300C498 0 RegQueryValueExA
00000000C4AC 00000300C4AC 0 RegOpenKeyExA
00000000C4BC 00000300C4BC 0 RegCloseKey
00000000C4C8 00000300C4C8 0 kernel32.dll
00000000C4D8 00000300C4D8 0 TlsSetValue
00000000C4E6 00000300C4E6 0 TlsGetValue
00000000C4F4 00000300C4F4 0 TlsFree
00000000C4FE 00000300C4FE 0 TlsAlloc
00000000C50A 00000300C50A 0 LocalFree
00000000C516 00000300C516 0 LocalAlloc
00000000C522 00000300C522 0 advapi32.dll
00000000C532 00000300C532 0 OpenProcessToken
00000000C546 00000300C546 0 LookupPrivilegeValueA
00000000C55E 00000300C55E 0 InitiateSystemShutdownA
00000000C578 00000300C578 0 AdjustTokenPrivileges
00000000C58E 00000300C58E 0 kernel32.dll
00000000C59E 00000300C59E 0 lstrlenA
00000000C5AA 00000300C5AA 0 lstrcpyA
00000000C5B6 00000300C5B6 0 lstrcmpiW
00000000C5C2 00000300C5C2 0 lstrcmpiA
00000000C5CE 00000300C5CE 0 lstrcmpA
00000000C5DA 00000300C5DA 0 lstrcatA
00000000C5E6 00000300C5E6 0 WriteProcessMemory
00000000C5FC 00000300C5FC 0 WriteFile
00000000C608 00000300C608 0 WaitForSingleObject
00000000C61E 00000300C61E 0 VirtualProtect
00000000C630 00000300C630 0 VirtualFreeEx
00000000C640 00000300C640 0 VirtualAllocEx
00000000C652 00000300C652 0 Sleep
00000000C65A 00000300C65A 0 SetFileTime
00000000C668 00000300C668 0 SetFilePointer
00000000C67A 00000300C67A 0 ReadFile
00000000C686 00000300C686 0 PulseEvent
00000000C694 00000300C694 0 OpenProcess
00000000C6A2 00000300C6A2 0 MultiByteToWideChar
00000000C6B8 00000300C6B8 0 LocalFree
00000000C6C4 00000300C6C4 0 LocalAlloc
00000000C6D2 00000300C6D2 0 LoadLibraryA
00000000C6E2 00000300C6E2 0 GetWindowsDirectoryA
00000000C6FA 00000300C6FA 0 GetVolumeInformationA
00000000C712 00000300C712 0 GetSystemTimeAsFileTime
00000000C72C 00000300C72C 0 GetProcAddress
00000000C73E 00000300C73E 0 GetModuleHandleA
00000000C752 00000300C752 0 GetModuleFileNameA
00000000C768 00000300C768 0 GetLastError
00000000C778 00000300C778 0 GetFileSize
00000000C786 00000300C786 0 GetExitCodeThread
00000000C79A 00000300C79A 0 GetCurrentProcess
00000000C7AE 00000300C7AE 0 FormatMessageA
00000000C7C0 00000300C7C0 0 FileTimeToLocalFileTime
00000000C7DA 00000300C7DA 0 ExitProcess
00000000C7E8 00000300C7E8 0 DeleteFileA
00000000C7F6 00000300C7F6 0 CreateThread
00000000C806 00000300C806 0 CreateRemoteThread
00000000C81C 00000300C81C 0 CreateFileA
00000000C82A 00000300C82A 0 CreateEventA
00000000C83A 00000300C83A 0 CloseHandle
00000000C846 00000300C846 0 gdi32.dll
00000000C852 00000300C852 0 SelectObject
00000000C862 00000300C862 0 Rectangle
00000000C86E 00000300C86E 0 GetTextMetricsA
00000000C880 00000300C880 0 GetDeviceCaps
00000000C890 00000300C890 0 DeleteObject
00000000C8A0 00000300C8A0 0 DeleteDC
00000000C8AC 00000300C8AC 0 CreateSolidBrush
00000000C8C0 00000300C8C0 0 CreateDCA
00000000C8CA 00000300C8CA 0 user32.dll
00000000C8D8 00000300C8D8 0 CreateWindowExA
00000000C8EA 00000300C8EA 0 UnregisterClassA
00000000C8FE 00000300C8FE 0 TranslateMessage
00000000C912 00000300C912 0 SetTimer
00000000C91E 00000300C91E 0 SetFocus
00000000C92A 00000300C92A 0 SendMessageA
00000000C93A 00000300C93A 0 RegisterClassA
00000000C94C 00000300C94C 0 PostMessageA
00000000C95C 00000300C95C 0 PeekMessageA
00000000C96C 00000300C96C 0 LoadIconA
00000000C978 00000300C978 0 LoadCursorA
00000000C986 00000300C986 0 InvalidateRect
00000000C998 00000300C998 0 GetWindowTextA
00000000C9AA 00000300C9AA 0 GetWindowDC
00000000C9B8 00000300C9B8 0 GetMessageA
00000000C9C6 00000300C9C6 0 GetDesktopWindow
00000000C9DA 00000300C9DA 0 GetClientRect
00000000C9EA 00000300C9EA 0 DrawTextA
00000000C9F6 00000300C9F6 0 DispatchMessageA
00000000CA0A 00000300CA0A 0 DestroyWindow
00000000CA1A 00000300CA1A 0 DefWindowProcA
00000000CA2A 00000300CA2A 0 kernel32.dll
00000000CA3A 00000300CA3A 0 VirtualProtect
00000000CA4A 00000300CA4A 0 user32.dll
00000000CA58 00000300CA58 0 wsprintfA
00000000CA62 00000300CA62 0 PSAPI.DLL
00000000CA6E 00000300CA6E 0 GetModuleBaseNameA
00000000CA84 00000300CA84 0 EnumProcesses
00000000E455 00000300E455 0 Pwinstr
00000000E45E 00000300E45E 0 UTypes
00000000E467 00000300E467 0 System
00000000E470 00000300E470 0 SysInit
00000000E479 00000300E479 0 KWindows
00000000E6F0 00000300F0F0 0 kernel32.dll
00000000E6FF 00000300F0FF 0 DeleteCriticalSection
00000000E717 00000300F117 0 LeaveCriticalSection
00000000E72E 00000300F12E 0 EnterCriticalSection
00000000E745 00000300F145 0 InitializeCriticalSection
00000000E761 00000300F161 0 VirtualFree
00000000E76F 00000300F16F 0 VirtualAlloc
00000000E77E 00000300F17E 0 LocalFree
00000000E78A 00000300F18A 0 LocalAlloc
00000000E797 00000300F197 0 GetVersion
00000000E7A4 00000300F1A4 0 GetCurrentThreadId
00000000E7B9 00000300F1B9 0 GetThreadLocale
00000000E7CB 00000300F1CB 0 GetStartupInfoA
00000000E7DD 00000300F1DD 0 GetLocaleInfoA
00000000E7EE 00000300F1EE 0 GetCommandLineA
00000000E800 00000300F200 0 FreeLibrary
00000000E80E 00000300F20E 0 ExitProcess
00000000E81C 00000300F21C 0 WriteFile
00000000E828 00000300F228 0 UnhandledExceptionFilter
00000000E843 00000300F243 0 RtlUnwind
00000000E84F 00000300F24F 0 RaiseException
00000000E860 00000300F260 0 GetStdHandle
00000000E86D 00000300F26D 0 user32.dll
00000000E87A 00000300F27A 0 GetKeyboardType
00000000E88C 00000300F28C 0 MessageBoxA
00000000E898 00000300F298 0 advapi32.dll
00000000E8A7 00000300F2A7 0 RegQueryValueExA
00000000E8BA 00000300F2BA 0 RegOpenKeyExA
00000000E8CA 00000300F2CA 0 RegCloseKey
00000000E8D6 00000300F2D6 0 kernel32.dll
00000000E8E5 00000300F2E5 0 TlsSetValue
00000000E8F3 00000300F2F3 0 TlsGetValue
00000000E901 00000300F301 0 TlsFree
00000000E90B 00000300F30B 0 TlsAlloc
00000000E916 00000300F316 0 LocalFree
00000000E922 00000300F322 0 LocalAlloc
00000000E92D 00000300F32D 0 advapi32.dll
00000000E93C 00000300F33C 0 OpenProcessToken
00000000E94F 00000300F34F 0 LookupPrivilegeValueA
00000000E967 00000300F367 0 InitiateSystemShutdownA
00000000E981 00000300F381 0 AdjustTokenPrivileges
00000000E997 00000300F397 0 kernel32.dll
00000000E9A6 00000300F3A6 0 lstrlen
00000000E9B0 00000300F3B0 0 lstrcpy
00000000E9BA 00000300F3BA 0 lstrcmpiW
00000000E9C6 00000300F3C6 0 lstrcmpi
00000000E9D1 00000300F3D1 0 lstrcmp
00000000E9DB 00000300F3DB 0 lstrcat
00000000E9E5 00000300F3E5 0 WriteProcessMemory
00000000E9FA 00000300F3FA 0 WriteFile
00000000EA06 00000300F406 0 WaitForSingleObject
00000000EA1C 00000300F41C 0 VirtualProtect
00000000EA2D 00000300F42D 0 VirtualFreeEx
00000000EA3D 00000300F43D 0 VirtualAllocEx
00000000EA4E 00000300F44E 0 Sleep
00000000EA56 00000300F456 0 SetFileTime
00000000EA64 00000300F464 0 SetFilePointer
00000000EA75 00000300F475 0 ReadFile
00000000EA80 00000300F480 0 PulseEvent
00000000EA8D 00000300F48D 0 OpenProcess
00000000EA9B 00000300F49B 0 MultiByteToWideChar
00000000EAB1 00000300F4B1 0 LocalFree
00000000EABD 00000300F4BD 0 LocalAlloc
00000000EACA 00000300F4CA 0 LoadLibraryA
00000000EAD9 00000300F4D9 0 GetWindowsDirectoryA
00000000EAF0 00000300F4F0 0 GetVolumeInformationA
00000000EB08 00000300F508 0 GetSystemTimeAsFileTime
00000000EB22 00000300F522 0 GetProcAddress
00000000EB33 00000300F533 0 GetModuleHandleA
00000000EB46 00000300F546 0 GetModuleFileNameA
00000000EB5B 00000300F55B 0 GetLastError
00000000EB6A 00000300F56A 0 GetFileSize
00000000EB78 00000300F578 0 GetExitCodeThread
00000000EB8C 00000300F58C 0 GetCurrentProcess
00000000EBA0 00000300F5A0 0 FormatMessageA
00000000EBB1 00000300F5B1 0 FileTimeToLocalFileTime
00000000EBCB 00000300F5CB 0 ExitProcess
00000000EBD9 00000300F5D9 0 DeleteFileA
00000000EBE7 00000300F5E7 0 CreateThread
00000000EBF6 00000300F5F6 0 CreateRemoteThread
00000000EC0B 00000300F60B 0 CreateFileA
00000000EC19 00000300F619 0 CreateEventA
00000000EC28 00000300F628 0 CloseHandle
00000000EC34 00000300F634 0 gdi32.dll
00000000EC40 00000300F640 0 SelectObject
00000000EC4F 00000300F64F 0 Rectangle
00000000EC5B 00000300F65B 0 GetTextMetricsA
00000000EC6D 00000300F66D 0 GetDeviceCaps
00000000EC7D 00000300F67D 0 DeleteObject
00000000EC8C 00000300F68C 0 DeleteDC
00000000EC97 00000300F697 0 CreateSolidBrush
00000000ECAA 00000300F6AA 0 CreateDCA
00000000ECB4 00000300F6B4 0 user32.dll
00000000ECC1 00000300F6C1 0 CreateWindowExA
00000000ECD3 00000300F6D3 0 UnregisterClassA
00000000ECE6 00000300F6E6 0 TranslateMessage
00000000ECF9 00000300F6F9 0 SetTimer
00000000ED04 00000300F704 0 SetFocus
00000000ED0F 00000300F70F 0 SendMessageA
00000000ED1E 00000300F71E 0 RegisterClassA
00000000ED2F 00000300F72F 0 PostMessageA
00000000ED3E 00000300F73E 0 PeekMessageA
00000000ED4D 00000300F74D 0 LoadIconA
00000000ED59 00000300F759 0 LoadCursorA
00000000ED67 00000300F767 0 InvalidateRect
00000000ED78 00000300F778 0 GetWindowTextA
00000000ED89 00000300F789 0 GetWindowDC
00000000ED97 00000300F797 0 GetMessageA
00000000EDA5 00000300F7A5 0 GetDesktopWindow
00000000EDB8 00000300F7B8 0 GetClientRect
00000000EDC8 00000300F7C8 0 DrawTextA
00000000EDD4 00000300F7D4 0 DispatchMessageA
00000000EDE7 00000300F7E7 0 DestroyWindow
00000000EDF7 00000300F7F7 0 DefWindowProcA
00000000EE06 00000300F806 0 kernel32.dll
00000000EE15 00000300F815 0 VirtualProtect
00000000EE24 00000300F824 0 user32.dll
00000000EE31 00000300F831 0 wsprintfA
00000000EE3B 00000300F83B 0 psapi.dll
00000000EE47 00000300F847 0 GetModuleBaseNameA
00000000EE5C 00000300F85C 0 EnumProcesses
00000000E140 00000300E140 0 MAINICON(
=== DOWNLOAD ===
Mirror provided by vx-underground.org, thx!