ATM MALWARE NOTICE
ac8e8216e71e078198ef67d4cb48118767d0696610a02137492814422153d3c6
Date...........: 2013-11-13
Family.........: Trojan.Skimer.18
File name......: dump.mem
File size......: 42.86 KB
Type file......: DLL/Windows
Virscan........: VT - HA
Documentation..: https://news.drweb.com/show/?p=0&c=5&lng=en&i=4167
Additional note: Have imports with uladi2.dll (Ulysses)
=== PEDUMP REPORT ===
=== MZ Header ===
signature: "MZ"
bytes_in_last_block: 80 0x50
blocks_in_file: 2 2
num_relocs: 0 0
header_paragraphs: 4 4
min_extra_paragraphs: 15 0xf
max_extra_paragraphs: 65535 0xffff
ss: 0 0
sp: 184 0xb8
checksum: 0 0
ip: 0 0
cs: 0 0
reloc_table_offset: 64 0x40
overlay_number: 26 0x1a
reserved0: 0 0
oem_id: 0 0
oem_info: 0 0
reserved2: 0 0
reserved3: 0 0
reserved4: 0 0
reserved5: 0 0
reserved6: 0 0
lfanew: 256 0x100
=== DOS STUB ===
00000000: ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 |........!..L.!..|
00000010: 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 |This program mus|
00000020: 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 |t be run under W|
00000030: 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 |in32..$7........|
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
=== PE Header ===
signature: "PE\x00\x00"
# IMAGE_FILE_HEADER:
Machine: 332 0x14c x86
NumberOfSections: 7 7
TimeDateStamp: "1992-06-19 22:22:17"
PointerToSymbolTable: 0 0
NumberOfSymbols: 0 0
SizeOfOptionalHeader: 224 0xe0
Characteristics: 41358 0xa18e EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO
32BIT_MACHINE, DLL, BYTES_REVERSED_HI
# IMAGE_OPTIONAL_HEADER32:
Magic: 267 0x10b 32-bit executable
LinkerVersion: 2.25
SizeOfCode: 31232 0x7a00
SizeOfInitializedData: 9728 0x2600
SizeOfUninitializedData: 0 0
AddressOfEntryPoint: 35028 0x88d4
BaseOfCode: 4096 0x1000
BaseOfData: 36864 0x9000
ImageBase: 33554432 0x2000000
SectionAlignment: 4096 0x1000
FileAlignment: 512 0x200
OperatingSystemVersion: 4.0
ImageVersion: 0.0
SubsystemVersion: 4.0
Reserved1: 0 0
SizeOfImage: 61440 0xf000
SizeOfHeaders: 1024 0x400
CheckSum: 0 0
Subsystem: 2 2 WINDOWS_GUI
DllCharacteristics: 1 1 0x01
SizeOfStackReserve: 0 0
SizeOfStackCommit: 0 0
SizeOfHeapReserve: 1048576 0x100000
SizeOfHeapCommit: 4096 0x1000
LoaderFlags: 0 0
NumberOfRvaAndSizes: 16 0x10
=== DATA DIRECTORY ===
EXPORT rva:0x c000 size:0x 61
IMPORT rva:0x b000 size:0x d00
RESOURCE rva:0x e000 size:0x a10
EXCEPTION rva:0x 0 size:0x 0
SECURITY rva:0x 0 size:0x 0
BASERELOC rva:0x d000 size:0x 794
DEBUG rva:0x 0 size:0x 0
ARCHITECTURE rva:0x 0 size:0x 0
GLOBALPTR rva:0x 0 size:0x 0
TLS rva:0x 0 size:0x 0
LOAD_CONFIG rva:0x 0 size:0x 0
Bound_IAT rva:0x 0 size:0x 0
IAT rva:0x 0 size:0x 0
Delay_IAT rva:0x 0 size:0x 0
CLR_Header rva:0x 0 size:0x 0
rva:0x 0 size:0x 0
=== SECTIONS ===
NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
CODE 1000 79c8 7a00 400 0 0 0 0 60000020 R-X CODE
DATA 9000 17c 200 7e00 0 0 0 0 c0000040 RW- IDATA
BSS a000 ea1 0 8000 0 0 0 0 c0000000 RW-
.idata b000 d00 e00 8000 0 0 0 0 c0000040 RW- IDATA
.edata c000 61 200 8e00 0 0 0 0 50000040 R-- IDATA SHARED
.reloc d000 794 800 9000 0 0 0 0 50000040 R-- IDATA SHARED
.rsrc e000 a10 c00 9800 0 0 0 0 50000040 R-- IDATA SHARED
=== RESOURCES ===
FILE_OFFSET CP LANG SIZE TYPE NAME
0x9858 1252 0 2487 RCDATA #1
=== IMPORTS ===
MODULE_NAME HINT ORD FUNCTION_NAME
kernel32.dll 0 DeleteCriticalSection
kernel32.dll 0 LeaveCriticalSection
kernel32.dll 0 EnterCriticalSection
kernel32.dll 0 InitializeCriticalSection
kernel32.dll 0 VirtualFree
kernel32.dll 0 VirtualAlloc
kernel32.dll 0 LocalFree
kernel32.dll 0 LocalAlloc
kernel32.dll 0 GetVersion
kernel32.dll 0 GetCurrentThreadId
kernel32.dll 0 GetThreadLocale
kernel32.dll 0 GetStartupInfoA
kernel32.dll 0 GetLocaleInfoA
kernel32.dll 0 GetCommandLineA
kernel32.dll 0 FreeLibrary
kernel32.dll 0 ExitProcess
kernel32.dll 0 CreateThread
kernel32.dll 0 WriteFile
kernel32.dll 0 UnhandledExceptionFilter
kernel32.dll 0 RtlUnwind
kernel32.dll 0 RaiseException
kernel32.dll 0 GetStdHandle
user32.dll 0 GetKeyboardType
user32.dll 0 MessageBoxA
advapi32.dll 0 RegQueryValueExA
advapi32.dll 0 RegOpenKeyExA
advapi32.dll 0 RegCloseKey
kernel32.dll 0 TlsSetValue
kernel32.dll 0 TlsGetValue
kernel32.dll 0 TlsFree
kernel32.dll 0 TlsAlloc
kernel32.dll 0 LocalFree
kernel32.dll 0 LocalAlloc
advapi32.dll 0 RegQueryValueExA
advapi32.dll 0 RegOpenKeyExA
advapi32.dll 0 RegEnumKeyExA
advapi32.dll 0 RegDeleteKeyA
advapi32.dll 0 RegCloseKey
advapi32.dll 0 OpenProcessToken
advapi32.dll 0 LookupPrivilegeValueA
advapi32.dll 0 InitiateSystemShutdownA
advapi32.dll 0 AdjustTokenPrivileges
kernel32.dll 0 lstrlenA
kernel32.dll 0 lstrcpyA
kernel32.dll 0 lstrcmpiW
kernel32.dll 0 lstrcmpiA
kernel32.dll 0 lstrcmpA
kernel32.dll 0 WriteFile
kernel32.dll 0 WaitForSingleObject
kernel32.dll 0 VirtualProtect
kernel32.dll 0 TerminateThread
kernel32.dll 0 SuspendThread
kernel32.dll 0 Sleep
kernel32.dll 0 SizeofResource
kernel32.dll 0 SetFilePointer
kernel32.dll 0 ResumeThread
kernel32.dll 0 ReadFile
kernel32.dll 0 OpenProcess
kernel32.dll 0 MultiByteToWideChar
kernel32.dll 0 LocalFree
kernel32.dll 0 LocalAlloc
kernel32.dll 0 LoadResource
kernel32.dll 0 LoadLibraryA
kernel32.dll 0 GetVolumeInformationA
kernel32.dll 0 GetSystemTimeAsFileTime
kernel32.dll 0 GetProcAddress
kernel32.dll 0 GetModuleHandleA
kernel32.dll 0 GetModuleFileNameA
kernel32.dll 0 GetLastError
kernel32.dll 0 GetFileSize
kernel32.dll 0 GetExitCodeThread
kernel32.dll 0 GetCurrentThreadId
kernel32.dll 0 GetCurrentProcess
kernel32.dll 0 FormatMessageA
kernel32.dll 0 FindResourceA
kernel32.dll 0 FileTimeToLocalFileTime
kernel32.dll 0 ExitProcess
kernel32.dll 0 DeleteFileA
kernel32.dll 0 CreateThread
kernel32.dll 0 CreateProcessA
kernel32.dll 0 CreateMutexA
kernel32.dll 0 CreateFileA
kernel32.dll 0 CloseHandle
gdi32.dll 0 SelectObject
gdi32.dll 0 Rectangle
gdi32.dll 0 GetTextMetricsA
gdi32.dll 0 GetDeviceCaps
gdi32.dll 0 DeleteObject
gdi32.dll 0 DeleteDC
gdi32.dll 0 CreateSolidBrush
gdi32.dll 0 CreateDCA
user32.dll 0 CreateWindowExA
user32.dll 0 UnregisterClassA
user32.dll 0 TranslateMessage
user32.dll 0 SetTimer
user32.dll 0 SetFocus
user32.dll 0 SendMessageA
user32.dll 0 RegisterClassA
user32.dll 0 PostMessageA
user32.dll 0 PeekMessageA
user32.dll 0 MessageBoxA
user32.dll 0 LoadIconA
user32.dll 0 LoadCursorA
user32.dll 0 InvalidateRect
user32.dll 0 GetWindowTextA
user32.dll 0 GetWindowDC
user32.dll 0 GetMessageA
user32.dll 0 GetDesktopWindow
user32.dll 0 GetClientRect
user32.dll 0 DrawTextA
user32.dll 0 DispatchMessageA
user32.dll 0 DestroyWindow
user32.dll 0 DefWindowProcA
msxfs.dll 0 WFSCancelAsyncRequest
msxfs.dll 0 WFSDeregister
msxfs.dll 0 WFSRegister
msxfs.dll 0 WFSGetInfo
msxfs.dll 0 WFSAsyncExecute
msxfs.dll 0 WFSExecute
msxfs.dll 0 WFSUnlock
msxfs.dll 0 WFSFreeResult
msxfs.dll 0 WFSLock
msxfs.dll 0 WFSClose
msxfs.dll 0 WFSOpen
msxfs.dll 0 WFSStartUp
uladi2.dll 0 AdiLookupName
uladi2.dll 0 AdiTerminate
uladi2.dll 0 AdiInitialise
uladi2x.dll 0 AdiFreeResponseHandle
uladi2x.dll 0 AdiGetTdata
uladi2x.dll 0 AdiGetTlength
uladi2x.dll 0 AdiExTimedReceiveResponse
uladi2x.dll 0 AdiExSend
ntdll.dll 0 NtQueryInformationThread
kernel32.dll 0 OpenThread
user32.dll 0 wsprintfA
=== EXPORTS ===
# module "netncr.dll"
# flags=0x0 ts="1970-01-01 00:00:00" version=0.0 ord_base=1
# nFuncs=2 nNames=2
ORD ENTRY_VA NAME
1 8868 DecoderEnd
2 86e4 DllEntrypoint2
=== Strings ===
File pos Mem pos ID Text
======== ======= == ====
000000000050 000002000050 0 This program must be run under Win32
000000000270 000002000270 0 .idata
000000000298 000002000298 0 .edata
0000000002BF 0000020002BF 0 P.reloc
0000000002E7 0000020002E7 0 P.rsrc
000000000594 000002001194 0 SVWUQ
0000000007B5 0000020013B5 0 w;;t$
0000000008C0 0000020014C0 0 SVWUQ
000000001A73 000002002673 0 ~KxI[)
000000001B9C 00000200279C 0 SOFTWARE\Borland\Delphi\RTL
000000001BB8 0000020027B8 0 FPUMaskValue
000000001C05 000002002805 0 PPRTj
000000001D7F 00000200297F 0 YZXtp
000000001EF6 000002002AF6 0 t=HtN
000000002528 000002003128 0 USVW1
000000002EF8 000002003AF8 0 kernel32.dll
000000002F08 000002003B08 0 VirtualAllocEx
000000002F18 000002003B18 0 VirtualFreeEx
000000002F28 000002003B28 0 WriteProcessMemory
000000002F3C 000002003B3C 0 CreateRemoteThread
000000002F50 000002003B50 0 CreateToolhelp32Snapshot
000000002F6C 000002003B6C 0 Process32First
000000002F7C 000002003B7C 0 Process32Next
000000002F8C 000002003B8C 0 Thread32First
000000002F9C 000002003B9C 0 Thread32Next
000000002FAC 000002003BAC 0 Module32First
000000002FBC 000002003BBC 0 Module32Next
000000002FCC 000002003BCC 0 user32.dll
000000002FD8 000002003BD8 0 CloseDesktop
000000002FE8 000002003BE8 0 CloseWindowStation
000000002FFC 000002003BFC 0 CreateDesktopA
00000000300C 000002003C0C 0 GetProcessWindowStation
000000003024 000002003C24 0 GetThreadDesktop
000000003038 000002003C38 0 OpenDesktopA
000000003048 000002003C48 0 OpenWindowStationA
00000000305C 000002003C5C 0 SetProcessWindowStation
000000003074 000002003C74 0 SetThreadDesktop
000000003088 000002003C88 0 SwitchDesktop
0000000030D8 000002003CD8 0 SVWQ3
000000003380 000002003F80 0 D$1PV
0000000033B4 000002003FB4 0 .DEFAULT\XFS\LOGICAL_SERVICES
0000000033D4 000002003FD4 0 class
00000000343C 00000200403C 0 CreateFile
000000003484 000002004084 0 WFSStartUp %d
000000003608 000002004208 0 t find EPP
000000003614 000002004214 0 WFSOpen(%s) %d
000000003624 000002004224 0 WFSLock %d
000000003630 000002004230 0 WFSRegister %d
000000003640 000002004240 0 WFSExecute %d
00000000382A 00000200442A 0 D$\8>
0000000039B0 0000020045B0 0 |$4{u
000000003A7C 00000200467C 0 WinSta0
000000003A84 000002004684 0 MyDesktop
000000003A9C 00000200469C 0 ATMDialog
000000003AA8 0000020046A8 0 hello
000000003AB0 0000020046B0 0 STATIC
000000003AC8 0000020046C8 0 default
000000003B00 000002004700 0 Error
000000003B58 000002004758 0 Error
000000003BB0 0000020047B0 0 Error
000000003C18 000002004818 0 Error
000000003D88 000002004988 0 WFSOpen( %s ) = %d
000000003D9C 00000200499C 0 WFSLock(%s)=%d
000000003DAC 0000020049AC 0 WFSExecute(%s,%d)=%d
000000003DEC 0000020049EC 0 $PSh$J
000000003E2C 000002004A2C 0 Error
000000003E5F 000002004A5F 0 $PVSh
000000003E98 000002004A98 0 %s %s
000000003EA4 000002004AA4 0 Error
000000003F14 000002004B14 0 t find SIU
000000004074 000002004C74 0 %s%.2X
00000000407C 000002004C7C 0 ExchangeKey
000000004260 000002004E60 0 ENCRYPTOR
000000004368 000002004F68 0 Incorrect COM Key name
0000000043B0 000002004FB0 0 =t AJu
000000004540 000002005140 0 SVWUQ
000000004BAD 0000020057AD 0 ;C&v=
000000004E84 000002005A84 0 t find CardReader
000000004E98 000002005A98 0 WFSOpen %d
000000004EA4 000002005AA4 0 STATIC
000000004EAC 000002005AAC 0 WFSRegister %d
000000004EBC 000002005ABC 0 WFSLock %d
000000004F34 000002005B34 0 WFSExecute(WFS_CMD_IDC_READ_RAW_DATA) %d
000000005000 000002005C00 0 WFSExecute %d
0000000050E8 000002005CE8 0 WFSExecute(WFS_CMD_IDC_CHIP_IO) %d
00000000510C 000002005D0C 0 Select:Invalid ResCode Len
00000000521C 000002005E1C 0 WFSExecute(WFS_CMD_IDC_CHIP_IO) Error=%d
000000005248 000002005E48 0 Select:Invalid ResCode Len
00000000536C 000002005F6C 0 WFSExecute(WFS_CMD_IDC_CHIP_IO) %d
000000005390 000002005F90 0 WriteRec:Invalid ResCode Len
0000000054B0 0000020060B0 0 WFSExecute(WFS_CMD_IDC_CHIP_IO) %d
0000000054D4 0000020060D4 0 ReadRec:Invalid ResCode Len
000000005690 000002006290 0 Select Err: %.4X
0000000056A4 0000020062A4 0 GetResponce Err: %.4X
0000000056BC 0000020062BC 0 WriteRec Err: %.4X
0000000056D0 0000020062D0 0 ReadRec Err: %.4X
000000005BE0 0000020067E0 0 DISPLAY
000000005E9E 000002006A9E 0 D$-Ph
000000005ED8 000002006AD8 0 SOFTWARE\NCR\APTRA\Aggregate Installer\Progress
000000005F08 000002006B08 0 ItemVersion
000000005F18 000002006B18 0 APTRA %s
000000005F28 000002006B28 0 Transactions %d
000000005F39 000002006B39 0 Cards %d
000000005F4D 000002006B4D 0 Non Local %d
000000005F61 000002006B61 0 Mode %d
000000005F75 000002006B75 0 ComKey %d
000000006080 000002006C80 0 OpenProcessToken
000000006094 000002006C94 0 LookupPrivilegeValue
0000000060AC 000002006CAC 0 AdjustTokenPrivileges
000000006210 000002006E10 0 SeDebugPrivilege
000000006224 000002006E24 0 OpenProcess
000000006230 000002006E30 0 GetExitCodeThread
000000006244 000002006E44 0 VirtualFreeEx
000000006280 000002006E80 0 SeShutdownPrivilege
000000006298 000002006E98 0 InitiateSystemShutdown
00000000651D 00000200711D 0 F,hDr
00000000652B 00000200712B 0 F hPr
000000006539 000002007139 0 F(h\r
000000006547 000002007147 0 F0hhr
000000006555 000002007155 0 F$htr
000000006563 000002007163 0 F4h|r
0000000065D0 0000020071D0 0 kernel32.dll
0000000065E0 0000020071E0 0 CreateFileA
0000000065EC 0000020071EC 0 GetFileTime
0000000065F8 0000020071F8 0 SetFileTime
000000006604 000002007204 0 GetFileSize
000000006610 000002007210 0 ReadFile
00000000661C 00000200721C 0 WriteFile
000000006628 000002007228 0 SetFilePointer
000000006638 000002007238 0 CloseHandle
000000006644 000002007244 0 LocalAlloc
000000006650 000002007250 0 LocalFree
00000000665C 00000200725C 0 ExitThread
000000006668 000002007268 0 VirtualFree
000000006674 000002007274 0 Sleep
00000000667C 00000200727C 0 DeleteFileA
000000006688 000002007288 0 GetLastError
000000006718 000002007318 0 SOFTWARE\Microsoft\nAgent
000000006734 000002007334 0 applicationcore.exe
000000006890 000002007490 0 Invalid Data Size
0000000068A4 0000020074A4 0 Error
000000006BC8 0000020077C8 0 GetProcAddress
000000006BD8 0000020077D8 0 hook.VirtualProtect
000000006D15 000002007915 0 C h8z
000000006DB8 0000020079B8 0 kernel32
000000006DC4 0000020079C4 0 DeleteFileA
000000006DD0 0000020079D0 0 FreeLibrary
000000006DDC 0000020079DC 0 GetModuleHandleA
000000006DF0 0000020079F0 0 CreateFileA
000000006DFC 0000020079FC 0 Sleep
000000006E04 000002007A04 0 WriteFile
000000006E10 000002007A10 0 CloseHandle
000000006E1C 000002007A1C 0 LocalFree
000000006E28 000002007A28 0 LoadLibraryA
000000006E38 000002007A38 0 user32
000000006E40 000002007A40 0 ExitWindowsEx
000000006E50 000002007A50 0 SeShutdownPrivilege
000000006F20 000002007B20 0 Not executable file !
000000006F38 000002007B38 0 C:\SSDS\inst.exe
00000000706C 000002007C6C 0 Raport error enabled
0000000070EC 000002007CEC 0 suspendthread
0000000070FC 000002007CFC 0 resumethread
00000000710C 000002007D0C 0 Openthread
000000007190 000002007D90 0 D$ PU
000000007275 000002007E75 0 t<;t$
000000007348 000002007F48 0 ApplicationCore.EXE
000000007418 000002008018 0 ApplicationCore.EXE
000000007430 000002008030 0 Enter Command:
000000007868 000002008468 0 UlySxExecCommandAsync
000000007880 000002008480 0 ulcorcom.dll
000000007890 000002008490 0 UlySxRetrieveMessage
000000007976 000002008576 0 8NTFS
0000000079B0 0000020085B0 0 C:\SSDS\dll\autosave:descriptor
0000000079D4 0000020085D4 0 C:\SSDS\dll\autosave\instal.log
000000007AB0 0000020086B0 0 Bound Import %s
000000007AC0 0000020086C0 0 LoadLibrary %s
000000007AD0 0000020086D0 0 GetProcAddress %s
000000007B68 000002008768 0 SVWUQ
000000007DA4 0000020089A4 0 ApplicationCore.EXE
000000007DBC 0000020089BC 0 rtl32syss
000000007E4C 00000200904C 0 Error
000000007E54 000002009054 0 Runtime error at 00000000
000000007E74 000002009074 0 0123456789ABCDEF
000000007EB0 0000020090B0 0 SeTtInGs3.02.07
000000007EC0 0000020090C0 0 russian federa
000000008384 00000200B384 0 kernel32.dll
000000008394 00000200B394 0 DeleteCriticalSection
0000000083AC 00000200B3AC 0 LeaveCriticalSection
0000000083C4 00000200B3C4 0 EnterCriticalSection
0000000083DC 00000200B3DC 0 InitializeCriticalSection
0000000083F8 00000200B3F8 0 VirtualFree
000000008406 00000200B406 0 VirtualAlloc
000000008416 00000200B416 0 LocalFree
000000008422 00000200B422 0 LocalAlloc
000000008430 00000200B430 0 GetVersion
00000000843E 00000200B43E 0 GetCurrentThreadId
000000008454 00000200B454 0 GetThreadLocale
000000008466 00000200B466 0 GetStartupInfoA
000000008478 00000200B478 0 GetLocaleInfoA
00000000848A 00000200B48A 0 GetCommandLineA
00000000849C 00000200B49C 0 FreeLibrary
0000000084AA 00000200B4AA 0 ExitProcess
0000000084B8 00000200B4B8 0 CreateThread
0000000084C8 00000200B4C8 0 WriteFile
0000000084D4 00000200B4D4 0 UnhandledExceptionFilter
0000000084F0 00000200B4F0 0 RtlUnwind
0000000084FC 00000200B4FC 0 RaiseException
00000000850E 00000200B50E 0 GetStdHandle
00000000851C 00000200B51C 0 user32.dll
00000000852A 00000200B52A 0 GetKeyboardType
00000000853C 00000200B53C 0 MessageBoxA
000000008548 00000200B548 0 advapi32.dll
000000008558 00000200B558 0 RegQueryValueExA
00000000856C 00000200B56C 0 RegOpenKeyExA
00000000857C 00000200B57C 0 RegCloseKey
000000008588 00000200B588 0 kernel32.dll
000000008598 00000200B598 0 TlsSetValue
0000000085A6 00000200B5A6 0 TlsGetValue
0000000085B4 00000200B5B4 0 TlsFree
0000000085BE 00000200B5BE 0 TlsAlloc
0000000085CA 00000200B5CA 0 LocalFree
0000000085D6 00000200B5D6 0 LocalAlloc
0000000085E2 00000200B5E2 0 advapi32.dll
0000000085F2 00000200B5F2 0 RegQueryValueExA
000000008606 00000200B606 0 RegOpenKeyExA
000000008616 00000200B616 0 RegEnumKeyExA
000000008626 00000200B626 0 RegDeleteKeyA
000000008636 00000200B636 0 RegCloseKey
000000008644 00000200B644 0 OpenProcessToken
000000008658 00000200B658 0 LookupPrivilegeValueA
000000008670 00000200B670 0 InitiateSystemShutdownA
00000000868A 00000200B68A 0 AdjustTokenPrivileges
0000000086A0 00000200B6A0 0 kernel32.dll
0000000086B0 00000200B6B0 0 lstrlenA
0000000086BC 00000200B6BC 0 lstrcpyA
0000000086C8 00000200B6C8 0 lstrcmpiW
0000000086D4 00000200B6D4 0 lstrcmpiA
0000000086E0 00000200B6E0 0 lstrcmpA
0000000086EC 00000200B6EC 0 WriteFile
0000000086F8 00000200B6F8 0 WaitForSingleObject
00000000870E 00000200B70E 0 VirtualProtect
000000008720 00000200B720 0 TerminateThread
000000008732 00000200B732 0 SuspendThread
000000008742 00000200B742 0 Sleep
00000000874A 00000200B74A 0 SizeofResource
00000000875C 00000200B75C 0 SetFilePointer
00000000876E 00000200B76E 0 ResumeThread
00000000877E 00000200B77E 0 ReadFile
00000000878A 00000200B78A 0 OpenProcess
000000008798 00000200B798 0 MultiByteToWideChar
0000000087AE 00000200B7AE 0 LocalFree
0000000087BA 00000200B7BA 0 LocalAlloc
0000000087C8 00000200B7C8 0 LoadResource
0000000087D8 00000200B7D8 0 LoadLibraryA
0000000087E8 00000200B7E8 0 GetVolumeInformationA
000000008800 00000200B800 0 GetSystemTimeAsFileTime
00000000881A 00000200B81A 0 GetProcAddress
00000000882C 00000200B82C 0 GetModuleHandleA
000000008840 00000200B840 0 GetModuleFileNameA
000000008856 00000200B856 0 GetLastError
000000008866 00000200B866 0 GetFileSize
000000008874 00000200B874 0 GetExitCodeThread
000000008888 00000200B888 0 GetCurrentThreadId
00000000889E 00000200B89E 0 GetCurrentProcess
0000000088B2 00000200B8B2 0 FormatMessageA
0000000088C4 00000200B8C4 0 FindResourceA
0000000088D4 00000200B8D4 0 FileTimeToLocalFileTime
0000000088EE 00000200B8EE 0 ExitProcess
0000000088FC 00000200B8FC 0 DeleteFileA
00000000890A 00000200B90A 0 CreateThread
00000000891A 00000200B91A 0 CreateProcessA
00000000892C 00000200B92C 0 CreateMutexA
00000000893C 00000200B93C 0 CreateFileA
00000000894A 00000200B94A 0 CloseHandle
000000008956 00000200B956 0 gdi32.dll
000000008962 00000200B962 0 SelectObject
000000008972 00000200B972 0 Rectangle
00000000897E 00000200B97E 0 GetTextMetricsA
000000008990 00000200B990 0 GetDeviceCaps
0000000089A0 00000200B9A0 0 DeleteObject
0000000089B0 00000200B9B0 0 DeleteDC
0000000089BC 00000200B9BC 0 CreateSolidBrush
0000000089D0 00000200B9D0 0 CreateDCA
0000000089DA 00000200B9DA 0 user32.dll
0000000089E8 00000200B9E8 0 CreateWindowExA
0000000089FA 00000200B9FA 0 UnregisterClassA
000000008A0E 00000200BA0E 0 TranslateMessage
000000008A22 00000200BA22 0 SetTimer
000000008A2E 00000200BA2E 0 SetFocus
000000008A3A 00000200BA3A 0 SendMessageA
000000008A4A 00000200BA4A 0 RegisterClassA
000000008A5C 00000200BA5C 0 PostMessageA
000000008A6C 00000200BA6C 0 PeekMessageA
000000008A7C 00000200BA7C 0 MessageBoxA
000000008A8A 00000200BA8A 0 LoadIconA
000000008A96 00000200BA96 0 LoadCursorA
000000008AA4 00000200BAA4 0 InvalidateRect
000000008AB6 00000200BAB6 0 GetWindowTextA
000000008AC8 00000200BAC8 0 GetWindowDC
000000008AD6 00000200BAD6 0 GetMessageA
000000008AE4 00000200BAE4 0 GetDesktopWindow
000000008AF8 00000200BAF8 0 GetClientRect
000000008B08 00000200BB08 0 DrawTextA
000000008B14 00000200BB14 0 DispatchMessageA
000000008B28 00000200BB28 0 DestroyWindow
000000008B38 00000200BB38 0 DefWindowProcA
000000008B48 00000200BB48 0 msxfs.dll
000000008B54 00000200BB54 0 WFSCancelAsyncRequest
000000008B6C 00000200BB6C 0 WFSDeregister
000000008B7C 00000200BB7C 0 WFSRegister
000000008B8A 00000200BB8A 0 WFSGetInfo
000000008B98 00000200BB98 0 WFSAsyncExecute
000000008BAA 00000200BBAA 0 WFSExecute
000000008BB8 00000200BBB8 0 WFSUnlock
000000008BC4 00000200BBC4 0 WFSFreeResult
000000008BD4 00000200BBD4 0 WFSLock
000000008BDE 00000200BBDE 0 WFSClose
000000008BEA 00000200BBEA 0 WFSOpen
000000008BF4 00000200BBF4 0 WFSStartUp
000000008C00 00000200BC00 0 uladi2.dll
000000008C0E 00000200BC0E 0 AdiLookupName
000000008C1E 00000200BC1E 0 AdiTerminate
000000008C2E 00000200BC2E 0 AdiInitialise
000000008C3C 00000200BC3C 0 uladi2x.dll
000000008C4A 00000200BC4A 0 AdiFreeResponseHandle
000000008C62 00000200BC62 0 AdiGetTdata
000000008C70 00000200BC70 0 AdiGetTlength
000000008C80 00000200BC80 0 AdiExTimedReceiveResponse
000000008C9C 00000200BC9C 0 AdiExSend
000000008CA6 00000200BCA6 0 ntdll.dll
000000008CB2 00000200BCB2 0 NtQueryInformationThread
000000008CCC 00000200BCCC 0 kernel32.dll
000000008CDC 00000200BCDC 0 OpenThread
000000008CE8 00000200BCE8 0 user32.dll
000000008CF6 00000200BCF6 0 wsprintfA
000000008E3C 00000200C03C 0 netncr.dll
000000008E47 00000200C047 0 DecoderEnd
000000008E52 00000200C052 0 DllEntrypoint2
00000000A40C 00000200A40C 0 $C:\memo.txt
00000000A419 00000200A419 0 \CustomisationLayer.exe
00000000A50C 00000200A50C 0 !Z:\SSDS\APPS\ApplicationCore.exe
000000004060 000002004C60 0 MyProg
0000000041A4 000002004DA4 0 MyProg
00000000424C 000002004E4C 0 MyProg
000000000050 000002000050 0 This program must be run under Win32
000000000270 000002000270 0 .idata
000000000298 000002000298 0 .edata
0000000002BF 0000020002BF 0 P.reloc
0000000002E7 0000020002E7 0 P.rsrc
000000000594 000002001194 0 SVWUQ
0000000007B5 0000020013B5 0 w;;t$
File pos Mem pos ID Text
======== ======= == ====
0000000008C0 0000020014C0 0 SVWUQ
000000001A73 000002002673 0 ~KxI[)
000000001B9C 00000200279C 0 SOFTWARE\Borland\Delphi\RTL
000000001BB8 0000020027B8 0 FPUMaskValue
000000001C05 000002002805 0 PPRTj
000000001D7F 00000200297F 0 YZXtp
000000001EF6 000002002AF6 0 t=HtN
000000002528 000002003128 0 USVW1
000000002EF8 000002003AF8 0 kernel32.dll
000000002F08 000002003B08 0 VirtualAllocEx
000000002F18 000002003B18 0 VirtualFreeEx
000000002F28 000002003B28 0 WriteProcessMemory
000000002F3C 000002003B3C 0 CreateRemoteThread
000000002F50 000002003B50 0 CreateToolhelp32Snapshot
000000002F6C 000002003B6C 0 Process32First
000000002F7C 000002003B7C 0 Process32Next
000000002F8C 000002003B8C 0 Thread32First
000000002F9C 000002003B9C 0 Thread32Next
000000002FAC 000002003BAC 0 Module32First
000000002FBC 000002003BBC 0 Module32Next
000000002FCC 000002003BCC 0 user32.dll
000000002FD8 000002003BD8 0 CloseDesktop
000000002FE8 000002003BE8 0 CloseWindowStation
000000002FFC 000002003BFC 0 CreateDesktopA
00000000300C 000002003C0C 0 GetProcessWindowStation
000000003024 000002003C24 0 GetThreadDesktop
000000003038 000002003C38 0 OpenDesktopA
000000003048 000002003C48 0 OpenWindowStationA
00000000305C 000002003C5C 0 SetProcessWindowStation
000000003074 000002003C74 0 SetThreadDesktop
000000003088 000002003C88 0 SwitchDesktop
0000000030D8 000002003CD8 0 SVWQ3
000000003380 000002003F80 0 D$1PV
0000000033B4 000002003FB4 0 .DEFAULT\XFS\LOGICAL_SERVICES
0000000033D4 000002003FD4 0 class
00000000343C 00000200403C 0 CreateFile
000000003484 000002004084 0 WFSStartUp %d
000000003608 000002004208 0 t find EPP
000000003614 000002004214 0 WFSOpen(%s) %d
000000003624 000002004224 0 WFSLock %d
000000003630 000002004230 0 WFSRegister %d
000000003640 000002004240 0 WFSExecute %d
00000000382A 00000200442A 0 D$\8>
0000000039B0 0000020045B0 0 |$4{u
000000003A7C 00000200467C 0 WinSta0
000000003A84 000002004684 0 MyDesktop
000000003A9C 00000200469C 0 ATMDialog
000000003AA8 0000020046A8 0 hello
000000003AB0 0000020046B0 0 STATIC
000000003AC8 0000020046C8 0 default
000000003B00 000002004700 0 Error
000000003B58 000002004758 0 Error
000000003BB0 0000020047B0 0 Error
000000003C18 000002004818 0 Error
000000003D88 000002004988 0 WFSOpen( %s ) = %d
000000003D9C 00000200499C 0 WFSLock(%s)=%d
000000003DAC 0000020049AC 0 WFSExecute(%s,%d)=%d
000000003DEC 0000020049EC 0 $PSh$J
000000003E2C 000002004A2C 0 Error
000000003E5F 000002004A5F 0 $PVSh
File pos Mem pos ID Text
======== ======= == ====
000000003E98 000002004A98 0 %s %s
000000003EA4 000002004AA4 0 Error
000000003F14 000002004B14 0 t find SIU
000000004074 000002004C74 0 %s%.2X
00000000407C 000002004C7C 0 ExchangeKey
000000004260 000002004E60 0 ENCRYPTOR
000000004368 000002004F68 0 Incorrect COM Key name
0000000043B0 000002004FB0 0 =t AJu
000000004540 000002005140 0 SVWUQ
000000004BAD 0000020057AD 0 ;C&v=
000000004E84 000002005A84 0 t find CardReader
000000004E98 000002005A98 0 WFSOpen %d
000000004EA4 000002005AA4 0 STATIC
000000004EAC 000002005AAC 0 WFSRegister %d
000000004EBC 000002005ABC 0 WFSLock %d
000000004F34 000002005B34 0 WFSExecute(WFS_CMD_IDC_READ_RAW_DATA) %d
000000005000 000002005C00 0 WFSExecute %d
0000000050E8 000002005CE8 0 WFSExecute(WFS_CMD_IDC_CHIP_IO) %d
00000000510C 000002005D0C 0 Select:Invalid ResCode Len
00000000521C 000002005E1C 0 WFSExecute(WFS_CMD_IDC_CHIP_IO) Error=%d
000000005248 000002005E48 0 Select:Invalid ResCode Len
00000000536C 000002005F6C 0 WFSExecute(WFS_CMD_IDC_CHIP_IO) %d
000000005390 000002005F90 0 WriteRec:Invalid ResCode Len
0000000054B0 0000020060B0 0 WFSExecute(WFS_CMD_IDC_CHIP_IO) %d
0000000054D4 0000020060D4 0 ReadRec:Invalid ResCode Len
000000005690 000002006290 0 Select Err: %.4X
0000000056A4 0000020062A4 0 GetResponce Err: %.4X
0000000056BC 0000020062BC 0 WriteRec Err: %.4X
0000000056D0 0000020062D0 0 ReadRec Err: %.4X
000000005BE0 0000020067E0 0 DISPLAY
000000005E9E 000002006A9E 0 D$-Ph
000000005ED8 000002006AD8 0 SOFTWARE\NCR\APTRA\Aggregate Installer\Progress
000000005F08 000002006B08 0 ItemVersion
000000005F18 000002006B18 0 APTRA %s
000000005F28 000002006B28 0 Transactions %d
000000005F39 000002006B39 0 Cards %d
000000005F4D 000002006B4D 0 Non Local %d
000000005F61 000002006B61 0 Mode %d
000000005F75 000002006B75 0 ComKey %d
000000006080 000002006C80 0 OpenProcessToken
000000006094 000002006C94 0 LookupPrivilegeValue
0000000060AC 000002006CAC 0 AdjustTokenPrivileges
000000006210 000002006E10 0 SeDebugPrivilege
000000006224 000002006E24 0 OpenProcess
000000006230 000002006E30 0 GetExitCodeThread
000000006244 000002006E44 0 VirtualFreeEx
000000006280 000002006E80 0 SeShutdownPrivilege
000000006298 000002006E98 0 InitiateSystemShutdown
00000000651D 00000200711D 0 F,hDr
00000000652B 00000200712B 0 F hPr
000000006539 000002007139 0 F(h\r
000000006547 000002007147 0 F0hhr
000000006555 000002007155 0 F$htr
000000006563 000002007163 0 F4h|r
0000000065D0 0000020071D0 0 kernel32.dll
0000000065E0 0000020071E0 0 CreateFileA
0000000065EC 0000020071EC 0 GetFileTime
0000000065F8 0000020071F8 0 SetFileTime
000000006604 000002007204 0 GetFileSize
000000006610 000002007210 0 ReadFile
File pos Mem pos ID Text
======== ======= == ====
00000000661C 00000200721C 0 WriteFile
000000006628 000002007228 0 SetFilePointer
000000006638 000002007238 0 CloseHandle
000000006644 000002007244 0 LocalAlloc
000000006650 000002007250 0 LocalFree
00000000665C 00000200725C 0 ExitThread
000000006668 000002007268 0 VirtualFree
000000006674 000002007274 0 Sleep
00000000667C 00000200727C 0 DeleteFileA
000000006688 000002007288 0 GetLastError
000000006718 000002007318 0 SOFTWARE\Microsoft\nAgent
000000006734 000002007334 0 applicationcore.exe
000000006890 000002007490 0 Invalid Data Size
0000000068A4 0000020074A4 0 Error
000000006BC8 0000020077C8 0 GetProcAddress
000000006BD8 0000020077D8 0 hook.VirtualProtect
000000006D15 000002007915 0 C h8z
000000006DB8 0000020079B8 0 kernel32
000000006DC4 0000020079C4 0 DeleteFileA
000000006DD0 0000020079D0 0 FreeLibrary
000000006DDC 0000020079DC 0 GetModuleHandleA
000000006DF0 0000020079F0 0 CreateFileA
000000006DFC 0000020079FC 0 Sleep
000000006E04 000002007A04 0 WriteFile
000000006E10 000002007A10 0 CloseHandle
000000006E1C 000002007A1C 0 LocalFree
000000006E28 000002007A28 0 LoadLibraryA
000000006E38 000002007A38 0 user32
000000006E40 000002007A40 0 ExitWindowsEx
000000006E50 000002007A50 0 SeShutdownPrivilege
000000006F20 000002007B20 0 Not executable file !
000000006F38 000002007B38 0 C:\SSDS\inst.exe
00000000706C 000002007C6C 0 Raport error enabled
0000000070EC 000002007CEC 0 suspendthread
0000000070FC 000002007CFC 0 resumethread
00000000710C 000002007D0C 0 Openthread
000000007190 000002007D90 0 D$ PU
000000007275 000002007E75 0 t<;t$
000000007348 000002007F48 0 ApplicationCore.EXE
000000007418 000002008018 0 ApplicationCore.EXE
000000007430 000002008030 0 Enter Command:
000000007868 000002008468 0 UlySxExecCommandAsync
000000007880 000002008480 0 ulcorcom.dll
000000007890 000002008490 0 UlySxRetrieveMessage
000000007976 000002008576 0 8NTFS
0000000079B0 0000020085B0 0 C:\SSDS\dll\autosave:descriptor
0000000079D4 0000020085D4 0 C:\SSDS\dll\autosave\instal.log
000000007AB0 0000020086B0 0 Bound Import %s
000000007AC0 0000020086C0 0 LoadLibrary %s
000000007AD0 0000020086D0 0 GetProcAddress %s
000000007B68 000002008768 0 SVWUQ
000000007DA4 0000020089A4 0 ApplicationCore.EXE
000000007DBC 0000020089BC 0 rtl32syss
000000007E4C 00000200904C 0 Error
000000007E54 000002009054 0 Runtime error at 00000000
000000007E74 000002009074 0 0123456789ABCDEF
000000007EB0 0000020090B0 0 SeTtInGs3.02.07
000000007EC0 0000020090C0 0 russian federa
000000008384 00000200B384 0 kernel32.dll
000000008394 00000200B394 0 DeleteCriticalSection
0000000083AC 00000200B3AC 0 LeaveCriticalSection
0000000083C4 00000200B3C4 0 EnterCriticalSection
0000000083DC 00000200B3DC 0 InitializeCriticalSection
0000000083F8 00000200B3F8 0 VirtualFree
000000008406 00000200B406 0 VirtualAlloc
000000008416 00000200B416 0 LocalFree
000000008422 00000200B422 0 LocalAlloc
000000008430 00000200B430 0 GetVersion
00000000843E 00000200B43E 0 GetCurrentThreadId
000000008454 00000200B454 0 GetThreadLocale
000000008466 00000200B466 0 GetStartupInfoA
000000008478 00000200B478 0 GetLocaleInfoA
00000000848A 00000200B48A 0 GetCommandLineA
00000000849C 00000200B49C 0 FreeLibrary
0000000084AA 00000200B4AA 0 ExitProcess
0000000084B8 00000200B4B8 0 CreateThread
0000000084C8 00000200B4C8 0 WriteFile
0000000084D4 00000200B4D4 0 UnhandledExceptionFilter
0000000084F0 00000200B4F0 0 RtlUnwind
0000000084FC 00000200B4FC 0 RaiseException
00000000850E 00000200B50E 0 GetStdHandle
00000000851C 00000200B51C 0 user32.dll
00000000852A 00000200B52A 0 GetKeyboardType
00000000853C 00000200B53C 0 MessageBoxA
000000008548 00000200B548 0 advapi32.dll
000000008558 00000200B558 0 RegQueryValueExA
00000000856C 00000200B56C 0 RegOpenKeyExA
00000000857C 00000200B57C 0 RegCloseKey
000000008588 00000200B588 0 kernel32.dll
000000008598 00000200B598 0 TlsSetValue
0000000085A6 00000200B5A6 0 TlsGetValue
0000000085B4 00000200B5B4 0 TlsFree
0000000085BE 00000200B5BE 0 TlsAlloc
0000000085CA 00000200B5CA 0 LocalFree
0000000085D6 00000200B5D6 0 LocalAlloc
0000000085E2 00000200B5E2 0 advapi32.dll
0000000085F2 00000200B5F2 0 RegQueryValueExA
000000008606 00000200B606 0 RegOpenKeyExA
000000008616 00000200B616 0 RegEnumKeyExA
000000008626 00000200B626 0 RegDeleteKeyA
000000008636 00000200B636 0 RegCloseKey
000000008644 00000200B644 0 OpenProcessToken
000000008658 00000200B658 0 LookupPrivilegeValueA
000000008670 00000200B670 0 InitiateSystemShutdownA
00000000868A 00000200B68A 0 AdjustTokenPrivileges
0000000086A0 00000200B6A0 0 kernel32.dll
0000000086B0 00000200B6B0 0 lstrlenA
0000000086BC 00000200B6BC 0 lstrcpyA
0000000086C8 00000200B6C8 0 lstrcmpiW
0000000086D4 00000200B6D4 0 lstrcmpiA
0000000086E0 00000200B6E0 0 lstrcmpA
0000000086EC 00000200B6EC 0 WriteFile
0000000086F8 00000200B6F8 0 WaitForSingleObject
00000000870E 00000200B70E 0 VirtualProtect
000000008720 00000200B720 0 TerminateThread
000000008732 00000200B732 0 SuspendThread
000000008742 00000200B742 0 Sleep
00000000874A 00000200B74A 0 SizeofResource
00000000875C 00000200B75C 0 SetFilePointer
00000000876E 00000200B76E 0 ResumeThread
00000000877E 00000200B77E 0 ReadFile
00000000878A 00000200B78A 0 OpenProcess
000000008798 00000200B798 0 MultiByteToWideChar
0000000087AE 00000200B7AE 0 LocalFree
0000000087BA 00000200B7BA 0 LocalAlloc
0000000087C8 00000200B7C8 0 LoadResource
0000000087D8 00000200B7D8 0 LoadLibraryA
0000000087E8 00000200B7E8 0 GetVolumeInformationA
000000008800 00000200B800 0 GetSystemTimeAsFileTime
00000000881A 00000200B81A 0 GetProcAddress
00000000882C 00000200B82C 0 GetModuleHandleA
000000008840 00000200B840 0 GetModuleFileNameA
000000008856 00000200B856 0 GetLastError
000000008866 00000200B866 0 GetFileSize
000000008874 00000200B874 0 GetExitCodeThread
000000008888 00000200B888 0 GetCurrentThreadId
00000000889E 00000200B89E 0 GetCurrentProcess
0000000088B2 00000200B8B2 0 FormatMessageA
0000000088C4 00000200B8C4 0 FindResourceA
0000000088D4 00000200B8D4 0 FileTimeToLocalFileTime
0000000088EE 00000200B8EE 0 ExitProcess
0000000088FC 00000200B8FC 0 DeleteFileA
00000000890A 00000200B90A 0 CreateThread
00000000891A 00000200B91A 0 CreateProcessA
00000000892C 00000200B92C 0 CreateMutexA
00000000893C 00000200B93C 0 CreateFileA
00000000894A 00000200B94A 0 CloseHandle
000000008956 00000200B956 0 gdi32.dll
000000008962 00000200B962 0 SelectObject
000000008972 00000200B972 0 Rectangle
00000000897E 00000200B97E 0 GetTextMetricsA
000000008990 00000200B990 0 GetDeviceCaps
0000000089A0 00000200B9A0 0 DeleteObject
0000000089B0 00000200B9B0 0 DeleteDC
0000000089BC 00000200B9BC 0 CreateSolidBrush
0000000089D0 00000200B9D0 0 CreateDCA
0000000089DA 00000200B9DA 0 user32.dll
0000000089E8 00000200B9E8 0 CreateWindowExA
0000000089FA 00000200B9FA 0 UnregisterClassA
000000008A0E 00000200BA0E 0 TranslateMessage
000000008A22 00000200BA22 0 SetTimer
000000008A2E 00000200BA2E 0 SetFocus
000000008A3A 00000200BA3A 0 SendMessageA
000000008A4A 00000200BA4A 0 RegisterClassA
000000008A5C 00000200BA5C 0 PostMessageA
000000008A6C 00000200BA6C 0 PeekMessageA
000000008A7C 00000200BA7C 0 MessageBoxA
000000008A8A 00000200BA8A 0 LoadIconA
000000008A96 00000200BA96 0 LoadCursorA
000000008AA4 00000200BAA4 0 InvalidateRect
000000008AB6 00000200BAB6 0 GetWindowTextA
000000008AC8 00000200BAC8 0 GetWindowDC
000000008AD6 00000200BAD6 0 GetMessageA
000000008AE4 00000200BAE4 0 GetDesktopWindow
000000008AF8 00000200BAF8 0 GetClientRect
000000008B08 00000200BB08 0 DrawTextA
000000008B14 00000200BB14 0 DispatchMessageA
000000008B28 00000200BB28 0 DestroyWindow
000000008B38 00000200BB38 0 DefWindowProcA
000000008B48 00000200BB48 0 msxfs.dll
000000008B54 00000200BB54 0 WFSCancelAsyncRequest
000000008B6C 00000200BB6C 0 WFSDeregister
000000008B7C 00000200BB7C 0 WFSRegister
000000008B8A 00000200BB8A 0 WFSGetInfo
000000008B98 00000200BB98 0 WFSAsyncExecute
000000008BAA 00000200BBAA 0 WFSExecute
000000008BB8 00000200BBB8 0 WFSUnlock
000000008BC4 00000200BBC4 0 WFSFreeResult
000000008BD4 00000200BBD4 0 WFSLock
000000008BDE 00000200BBDE 0 WFSClose
000000008BEA 00000200BBEA 0 WFSOpen
000000008BF4 00000200BBF4 0 WFSStartUp
000000008C00 00000200BC00 0 uladi2.dll
000000008C0E 00000200BC0E 0 AdiLookupName
000000008C1E 00000200BC1E 0 AdiTerminate
000000008C2E 00000200BC2E 0 AdiInitialise
000000008C3C 00000200BC3C 0 uladi2x.dll
000000008C4A 00000200BC4A 0 AdiFreeResponseHandle
000000008C62 00000200BC62 0 AdiGetTdata
000000008C70 00000200BC70 0 AdiGetTlength
000000008C80 00000200BC80 0 AdiExTimedReceiveResponse
000000008C9C 00000200BC9C 0 AdiExSend
000000008CA6 00000200BCA6 0 ntdll.dll
000000008CB2 00000200BCB2 0 NtQueryInformationThread
000000008CCC 00000200BCCC 0 kernel32.dll
000000008CDC 00000200BCDC 0 OpenThread
000000008CE8 00000200BCE8 0 user32.dll
000000008CF6 00000200BCF6 0 wsprintfA
000000008E3C 00000200C03C 0 netncr.dll
000000008E47 00000200C047 0 DecoderEnd
000000008E52 00000200C052 0 DllEntrypoint2
00000000A40C 00000200A40C 0 $C:\memo.txt
00000000A419 00000200A419 0 \CustomisationLayer.exe
00000000A50C 00000200A50C 0 !Z:\SSDS\APPS\ApplicationCore.exe
000000004060 000002004C60 0 MyProg
0000000041A4 000002004DA4 0 MyProg
00000000424C 000002004E4C 0 MyProg
=== DOWNLOAD ===
Mirror provided by vx-underground.org, thx!