Analysis

Category Package Started Completed Duration
FILE exe 2019-11-08 21:58:13 2019-11-08 22:01:56 223 seconds

Options

route = internet
procdump = 1

Log

2019-11-08 21:58:14,000 [root] INFO: Date set to: 11-08-19, time set to: 21:58:14, timeout set to: 200
2019-11-08 21:58:14,015 [root] DEBUG: Starting analyzer from: C:\wikhjvq
2019-11-08 21:58:14,015 [root] DEBUG: Storing results at: C:\hOvzrs
2019-11-08 21:58:14,015 [root] DEBUG: Pipe server name: \\.\PIPE\pGdUKFCxoR
2019-11-08 21:58:14,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-11-08 21:58:14,015 [root] INFO: Automatically selected analysis package "exe"
2019-11-08 21:58:14,312 [root] DEBUG: Started auxiliary module Browser
2019-11-08 21:58:14,312 [root] DEBUG: Started auxiliary module Curtain
2019-11-08 21:58:14,312 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-11-08 21:58:14,763 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-11-08 21:58:14,763 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-11-08 21:58:14,779 [root] DEBUG: Started auxiliary module DigiSig
2019-11-08 21:58:14,779 [root] DEBUG: Started auxiliary module Disguise
2019-11-08 21:58:14,779 [root] DEBUG: Started auxiliary module Human
2019-11-08 21:58:14,779 [root] DEBUG: Started auxiliary module Screenshots
2019-11-08 21:58:14,779 [root] DEBUG: Started auxiliary module Sysmon
2019-11-08 21:58:14,779 [root] DEBUG: Started auxiliary module Usage
2019-11-08 21:58:14,779 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-11-08 21:58:14,779 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-11-08 21:58:14,795 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\VAN_XATM_2.exe" with arguments "" with pid 332
2019-11-08 21:58:14,795 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-11-08 21:58:14,795 [lib.api.process] INFO: 32-bit DLL to inject is C:\wikhjvq\dll\vLBiGjJ.dll, loader C:\wikhjvq\bin\FQiYfRI.exe
2019-11-08 21:58:14,842 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pGdUKFCxoR.
2019-11-08 21:58:14,842 [root] DEBUG: Loader: Injecting process 332 (thread 1308) with C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:14,842 [root] DEBUG: Process image base: 0x00F00000
2019-11-08 21:58:14,842 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:14,842 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x010FC000 - 0x77110000
2019-11-08 21:58:14,842 [root] DEBUG: InjectDllViaIAT: Allocated 0x160 bytes for new import table at 0x01100000.
2019-11-08 21:58:14,842 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-11-08 21:58:14,842 [root] DEBUG: Successfully injected DLL C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:14,842 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 332
2019-11-08 21:58:16,854 [lib.api.process] INFO: Successfully resumed process with pid 332
2019-11-08 21:58:16,854 [root] INFO: Added new process to list with pid: 332
2019-11-08 21:58:16,869 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-11-08 21:58:16,869 [root] DEBUG: Process dumps enabled.
2019-11-08 21:58:16,901 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-11-08 21:58:16,901 [root] INFO: Disabling sleep skipping.
2019-11-08 21:58:16,901 [root] INFO: Disabling sleep skipping.
2019-11-08 21:58:16,901 [root] INFO: Disabling sleep skipping.
2019-11-08 21:58:16,901 [root] INFO: Disabling sleep skipping.
2019-11-08 21:58:16,901 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 332 at 0x747e0000, image base 0xf00000, stack from 0x286000-0x290000
2019-11-08 21:58:16,917 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\VAN_XATM_2.exe".
2019-11-08 21:58:16,917 [root] INFO: Monitor successfully loaded in process with pid 332.
2019-11-08 21:58:18,164 [root] INFO: Announced 32-bit process name: java.exe pid: 1996
2019-11-08 21:58:18,164 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-11-08 21:58:18,164 [lib.api.process] INFO: 32-bit DLL to inject is C:\wikhjvq\dll\vLBiGjJ.dll, loader C:\wikhjvq\bin\FQiYfRI.exe
2019-11-08 21:58:18,164 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pGdUKFCxoR.
2019-11-08 21:58:18,164 [root] DEBUG: Loader: Injecting process 1996 (thread 1704) with C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:18,164 [root] DEBUG: Process image base: 0x00FC0000
2019-11-08 21:58:18,164 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:18,164 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00FD6000 - 0x77110000
2019-11-08 21:58:18,164 [root] DEBUG: InjectDllViaIAT: Allocated 0x160 bytes for new import table at 0x00FE0000.
2019-11-08 21:58:18,164 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-11-08 21:58:18,164 [root] DEBUG: Successfully injected DLL C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:18,164 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1996
2019-11-08 21:58:18,164 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-11-08 21:58:18,257 [root] INFO: Announced 32-bit process name: java.exe pid: 1996
2019-11-08 21:58:18,257 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-11-08 21:58:18,257 [lib.api.process] INFO: 32-bit DLL to inject is C:\wikhjvq\dll\vLBiGjJ.dll, loader C:\wikhjvq\bin\FQiYfRI.exe
2019-11-08 21:58:18,273 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pGdUKFCxoR.
2019-11-08 21:58:18,273 [root] DEBUG: Loader: Injecting process 1996 (thread 1704) with C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:18,273 [root] DEBUG: Process image base: 0x00FC0000
2019-11-08 21:58:18,273 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:18,273 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-11-08 21:58:18,273 [root] DEBUG: Successfully injected DLL C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:18,273 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1996
2019-11-08 21:58:18,305 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-11-08 21:58:18,305 [root] DEBUG: Process dumps enabled.
2019-11-08 21:58:18,305 [root] INFO: Disabling sleep skipping.
2019-11-08 21:58:18,305 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-11-08 21:58:18,305 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1996 at 0x747e0000, image base 0xfc0000, stack from 0x3c6000-0x3d0000
2019-11-08 21:58:18,305 [root] DEBUG: Commandline: C:\Windows\Temp\java.exe.
2019-11-08 21:58:18,305 [root] INFO: Added new process to list with pid: 1996
2019-11-08 21:58:18,305 [root] INFO: Monitor successfully loaded in process with pid 1996.
2019-11-08 21:58:18,305 [root] DEBUG: DLL unloaded from 0x74AF0000.
2019-11-08 21:58:18,382 [root] INFO: Announced 32-bit process name: javaupdate.exe pid: 2684
2019-11-08 21:58:18,382 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-11-08 21:58:18,382 [lib.api.process] INFO: 32-bit DLL to inject is C:\wikhjvq\dll\vLBiGjJ.dll, loader C:\wikhjvq\bin\FQiYfRI.exe
2019-11-08 21:58:18,382 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pGdUKFCxoR.
2019-11-08 21:58:18,382 [root] DEBUG: Loader: Injecting process 2684 (thread 2708) with C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:18,382 [root] DEBUG: Process image base: 0x00BC0000
2019-11-08 21:58:18,382 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:18,382 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00D9F000 - 0x77110000
2019-11-08 21:58:18,382 [root] DEBUG: InjectDllViaIAT: Allocated 0x160 bytes for new import table at 0x00DA0000.
2019-11-08 21:58:18,382 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-11-08 21:58:18,382 [root] DEBUG: Successfully injected DLL C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:18,382 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2684
2019-11-08 21:58:18,398 [root] INFO: Announced 32-bit process name: javaupdate.exe pid: 2684
2019-11-08 21:58:18,398 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-11-08 21:58:18,398 [lib.api.process] INFO: 32-bit DLL to inject is C:\wikhjvq\dll\vLBiGjJ.dll, loader C:\wikhjvq\bin\FQiYfRI.exe
2019-11-08 21:58:18,398 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pGdUKFCxoR.
2019-11-08 21:58:18,398 [root] DEBUG: Loader: Injecting process 2684 (thread 2708) with C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:18,398 [root] DEBUG: Process image base: 0x00BC0000
2019-11-08 21:58:18,398 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:18,398 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-11-08 21:58:18,398 [root] DEBUG: Successfully injected DLL C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:18,398 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2684
2019-11-08 21:58:18,398 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 332
2019-11-08 21:58:18,398 [root] DEBUG: GetHookCallerBase: thread 1308 (handle 0x0), return address 0x00F040D8, allocation base 0x00F00000.
2019-11-08 21:58:18,398 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00F00000.
2019-11-08 21:58:18,398 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-11-08 21:58:18,398 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00F00000.
2019-11-08 21:58:18,398 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-11-08 21:58:18,398 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001757.
2019-11-08 21:58:18,398 [root] DEBUG: Process dumps enabled.
2019-11-08 21:58:18,414 [root] INFO: Disabling sleep skipping.
2019-11-08 21:58:18,414 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-11-08 21:58:18,414 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2684 at 0x747e0000, image base 0xbc0000, stack from 0x2e6000-0x2f0000
2019-11-08 21:58:18,414 [root] DEBUG: Commandline: C:\Windows\Temp\javaupdate.exe C:\Users\user\AppData\Local\Temp\VAN_XATM_2.exe.
2019-11-08 21:58:18,414 [root] INFO: Added new process to list with pid: 2684
2019-11-08 21:58:18,414 [root] INFO: Monitor successfully loaded in process with pid 2684.
2019-11-08 21:58:18,430 [root] INFO: Added new CAPE file to list with path: C:\hOvzrs\CAPE\332_13906070301838096112019
2019-11-08 21:58:18,430 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1f7e00.
2019-11-08 21:58:18,430 [root] DEBUG: DLL unloaded from 0x75140000.
2019-11-08 21:58:18,430 [root] INFO: Notified of termination of process with pid 332.
2019-11-08 21:58:18,446 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WinInet (0xf5000 bytes).
2019-11-08 21:58:18,476 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-11-08 21:58:18,492 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-11-08 21:58:18,507 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-11-08 21:58:18,523 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-11-08 21:58:18,523 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-11-08 21:58:18,555 [root] DEBUG: DLL loaded at 0x749B0000: C:\Windows\system32\Iphlpapi (0x1c000 bytes).
2019-11-08 21:58:18,569 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-11-08 21:58:18,585 [root] DEBUG: DLL loaded at 0x749A0000: C:\Windows\system32\WINNSI (0x7000 bytes).
2019-11-08 21:58:19,335 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-11-08 21:58:19,349 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-11-08 21:58:19,349 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\system32\mswsock (0x3c000 bytes).
2019-11-08 21:58:19,349 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-11-08 21:58:19,647 [root] INFO: Announced 32-bit process name: VAN_XATM_2.exe pid: 1856
2019-11-08 21:58:19,647 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-11-08 21:58:19,647 [lib.api.process] INFO: 32-bit DLL to inject is C:\wikhjvq\dll\vLBiGjJ.dll, loader C:\wikhjvq\bin\FQiYfRI.exe
2019-11-08 21:58:19,647 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pGdUKFCxoR.
2019-11-08 21:58:19,661 [root] DEBUG: Loader: Injecting process 1856 (thread 3024) with C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:19,661 [root] DEBUG: Process image base: 0x00400000
2019-11-08 21:58:19,661 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:19,661 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x007DC000 - 0x77110000
2019-11-08 21:58:19,661 [root] DEBUG: InjectDllViaIAT: Allocated 0x32c bytes for new import table at 0x007E0000.
2019-11-08 21:58:19,661 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-11-08 21:58:19,694 [root] DEBUG: Successfully injected DLL C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:19,694 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1856
2019-11-08 21:58:19,709 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-11-08 21:58:19,709 [root] INFO: Announced 32-bit process name: VAN_XATM_2.exe pid: 1856
2019-11-08 21:58:19,709 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-11-08 21:58:19,709 [lib.api.process] INFO: 32-bit DLL to inject is C:\wikhjvq\dll\vLBiGjJ.dll, loader C:\wikhjvq\bin\FQiYfRI.exe
2019-11-08 21:58:19,724 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pGdUKFCxoR.
2019-11-08 21:58:19,724 [root] DEBUG: Loader: Injecting process 1856 (thread 3024) with C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:19,724 [root] DEBUG: Process image base: 0x00400000
2019-11-08 21:58:19,724 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:19,724 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-11-08 21:58:19,724 [root] DEBUG: Successfully injected DLL C:\wikhjvq\dll\vLBiGjJ.dll.
2019-11-08 21:58:19,724 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1856
2019-11-08 21:58:19,724 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2684
2019-11-08 21:58:19,740 [root] DEBUG: GetHookCallerBase: thread 2708 (handle 0x0), return address 0x00BC4B2A, allocation base 0x00BC0000.
2019-11-08 21:58:19,740 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00BC0000.
2019-11-08 21:58:19,740 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-11-08 21:58:19,740 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00BC0000.
2019-11-08 21:58:19,740 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001D51.
2019-11-08 21:58:19,772 [root] INFO: Added new CAPE file to list with path: C:\hOvzrs\CAPE\2684_10094012001938096112019
2019-11-08 21:58:19,772 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1d8600.
2019-11-08 21:58:19,772 [root] DEBUG: DLL unloaded from 0x75140000.
2019-11-08 21:58:19,772 [root] INFO: Notified of termination of process with pid 2684.
2019-11-08 22:01:37,627 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-11-08 22:01:37,627 [root] INFO: Created shutdown mutex.
2019-11-08 22:01:38,641 [lib.api.process] INFO: Terminate event set for process 1996
2019-11-08 22:01:38,641 [root] DEBUG: Terminate Event: Attempting to dump process 1996
2019-11-08 22:01:38,641 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00FC0000.
2019-11-08 22:01:38,641 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-11-08 22:01:38,641 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00FC0000.
2019-11-08 22:01:38,641 [root] DEBUG: DumpProcess: Module entry point VA is 0x000028E7.
2019-11-08 22:01:38,655 [root] INFO: Added new CAPE file to list with path: C:\hOvzrs\CAPE\1996_19039283673812285112019
2019-11-08 22:01:38,655 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x11600.
2019-11-08 22:01:38,671 [lib.api.process] INFO: Termination confirmed for process 1996
2019-11-08 22:01:38,671 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1996
2019-11-08 22:01:38,671 [root] INFO: Terminate event set for process 1996.
2019-11-08 22:01:38,671 [root] INFO: Terminating process 1996 before shutdown.
2019-11-08 22:01:38,671 [root] INFO: Shutting down package.
2019-11-08 22:01:38,671 [root] INFO: Stopping auxiliary modules.
2019-11-08 22:01:38,671 [root] INFO: Finishing auxiliary modules.
2019-11-08 22:01:38,671 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-11-08 22:01:38,671 [root] WARNING: File at path "C:\hOvzrs\debugger" does not exist, skip.
2019-11-08 22:01:38,671 [root] WARNING: Monitor injection attempted but failed for process 1856.
2019-11-08 22:01:38,671 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-11-08 21:58:13 2019-11-08 22:01:52

File Details

File Name VAN_XATM_2.exe
File Size 2063872 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d28b66a8d6ba58f8632612423b502e05
SHA1 6a6a8523679f3f8eb858d2f9136b83a1fbff332a
SHA256 480b0eb4636d6a78b62e7b52b773ec0a4e92fe4a748f9f9e8bd463a3b8dd0d83
SHA512 cb051ccad77defcad198cc16102f247f073c044ec9923b069525af87ef40a3861a58ca418080426c22778cff7db5739d091fdc3e0ebe39cca72e5085bcd68fd7
CRC32 57F892C1
Ssdeep 24576:P1iTtBsHeCOKM3x5w90rvRd5GDRY1gJtoeuvpoVRtNJV5N6zySL44s:P8XuMhG+lD4Rqeu2tV5N6l44s
TrID
  • 31.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
  • 23.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 21.1% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 10.0% (.SCR) Windows screen saver (13101/52/3)
  • 5.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
ClamAV None matched
Yara
  • shellcode_stack_strings - Match x86 that appears to be stack string creation.
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Attempts to connect to a dead IP:Port (1 unique times)
IP: 211.238.32.129:443 (Korea, Republic of)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 332 trigged the Yara rule 'shellcode_stack_strings'
Hit: PID 2684 trigged the Yara rule 'shellcode_stack_strings'
Hit: PID 0 trigged the Yara rule 'shellcode_stack_strings'
The PE file contains a PDB path
pdbpath: F:\Work\card\Van_XATM\Release\Van_XATM.pdb
Possible date expiration check, exits too soon after checking local time
process: VAN_XATM_2.exe, PID 332
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/GetUserNameA
DynamicLoader: ws2_32.dll/closesocket
DynamicLoader: ws2_32.dll/send
DynamicLoader: ws2_32.dll/recv
DynamicLoader: ws2_32.dll/select
DynamicLoader: ws2_32.dll/__WSAFDIsSet
DynamicLoader: ws2_32.dll/WSAEnumNetworkEvents
DynamicLoader: ws2_32.dll/WSAWaitForMultipleEvents
DynamicLoader: ws2_32.dll/WSAEventSelect
DynamicLoader: ws2_32.dll/WSACreateEvent
DynamicLoader: ws2_32.dll/WSACleanup
DynamicLoader: ws2_32.dll/WSAStartup
DynamicLoader: ws2_32.dll/htons
DynamicLoader: ws2_32.dll/inet_addr
DynamicLoader: ws2_32.dll/socket
DynamicLoader: ws2_32.dll/connect
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: WinInet.dll/InternetOpenA
DynamicLoader: WinInet.dll/InternetCloseHandle
DynamicLoader: WinInet.dll/InternetReadFile
DynamicLoader: WinInet.dll/DeleteUrlCacheEntry
DynamicLoader: WinInet.dll/HttpAddRequestHeadersA
DynamicLoader: WinInet.dll/HttpSendRequestA
DynamicLoader: WinInet.dll/HttpSendRequestExA
DynamicLoader: WinInet.dll/HttpQueryInfoA
DynamicLoader: WinInet.dll/HttpOpenRequestA
DynamicLoader: WinInet.dll/InternetWriteFile
DynamicLoader: WinInet.dll/InternetConnectA
DynamicLoader: WinInet.dll/HttpEndRequestA
DynamicLoader: WinInet.dll/InternetCrackUrlA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/SetFileTime
DynamicLoader: kernel32.dll/GetFileTime
DynamicLoader: kernel32.dll/GetWindowsDirectoryA
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/DeleteFileA
DynamicLoader: Iphlpapi.dll/GetAdaptersInfo
Drops a binary and executes it
binary: C:\Windows\Temp\java.exe
binary: C:\Windows\Temp\javaupdate.exe
A process attempted to delay the analysis task by a long amount of time.
Process: java.exe tried to sleep 3602 seconds, actually delayed analysis time by 0 seconds


Hosts

Direct IP Country Name
Y 211.238.32.129 Korea, Republic of

DNS

No domains contacted.


Summary

C:\Windows\Temp\javaupdate.exe
C:\Windows\Temp\java.exe
C:\Users\user\AppData\Local\Temp\VAN_XATM_2.exe
C:\Windows\Temp\javaupdate.exe
C:\Windows\Temp\java.exe
C:\Users\user\AppData\Local\Temp\VAN_XATM_2.exe
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
advapi32.dll.GetUserNameA
ws2_32.dll.closesocket
ws2_32.dll.send
ws2_32.dll.recv
ws2_32.dll.select
ws2_32.dll.__WSAFDIsSet
ws2_32.dll.WSAEnumNetworkEvents
ws2_32.dll.WSAWaitForMultipleEvents
ws2_32.dll.WSAEventSelect
ws2_32.dll.WSACreateEvent
ws2_32.dll.WSACleanup
ws2_32.dll.WSAStartup
ws2_32.dll.htons
ws2_32.dll.inet_addr
ws2_32.dll.socket
ws2_32.dll.connect
wininet.dll.InternetOpenA
wininet.dll.InternetCloseHandle
wininet.dll.InternetReadFile
wininet.dll.DeleteUrlCacheEntry
wininet.dll.HttpAddRequestHeadersA
wininet.dll.HttpSendRequestA
wininet.dll.HttpSendRequestExA
wininet.dll.HttpQueryInfoA
wininet.dll.HttpOpenRequestA
wininet.dll.InternetWriteFile
wininet.dll.InternetConnectA
wininet.dll.HttpEndRequestA
wininet.dll.InternetCrackUrlA
kernel32.dll.CreateFileA
kernel32.dll.WriteFile
kernel32.dll.CreateThread
kernel32.dll.CloseHandle
kernel32.dll.ReadFile
kernel32.dll.SetFileTime
kernel32.dll.GetFileTime
kernel32.dll.GetWindowsDirectoryA
kernel32.dll.GetTempPathA
kernel32.dll.DeleteFileA
iphlpapi.dll.GetAdaptersInfo
c:\windows\temp\java.exe
c:\windows\temp\javaupdate.exe C:\Users\user\AppData\Local\Temp\VAN_XATM_2.exe
C:\Users\user\AppData\Local\Temp\VAN_XATM_2.exe

PE Information

Image Base 0x00400000
Entry Point 0x00401757
Reported Checksum 0x0020793c
Actual Checksum 0x0020793c
Minimum OS Version 5.1
PDB Path F:\Work\card\Van_XATM\Release\Van_XATM.pdb
Compile Time 2017-02-28 07:40:44
Import Hash 1c112133a48a1d931523aa9c02b6d186

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00008d5a 0x00008e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.53
.rdata 0x0000a000 0x0000242c 0x00002600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.70
.data 0x0000d000 0x001ebe8c 0x001ea200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.00
.rsrc 0x001f9000 0x00000328 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.64
.reloc 0x001fa000 0x00001fb8 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 2.31

Imports

Library KERNEL32.dll:
0x40a000 GetModuleFileNameA
0x40a004 Sleep
0x40a008 CreateProcessA
0x40a00c GetCommandLineA
0x40a010 HeapSetInformation
0x40a014 GetStartupInfoW
0x40a018 TerminateProcess
0x40a01c GetCurrentProcess
0x40a028 IsDebuggerPresent
0x40a038 EncodePointer
0x40a03c DecodePointer
0x40a040 RtlUnwind
0x40a044 GetLastError
0x40a048 WriteFile
0x40a04c WideCharToMultiByte
0x40a050 GetConsoleCP
0x40a054 GetConsoleMode
0x40a058 HeapFree
0x40a05c CloseHandle
0x40a060 GetProcAddress
0x40a064 GetModuleHandleW
0x40a068 ExitProcess
0x40a06c GetStdHandle
0x40a070 GetModuleFileNameW
0x40a07c SetHandleCount
0x40a080 GetFileType
0x40a088 TlsAlloc
0x40a08c TlsGetValue
0x40a090 TlsSetValue
0x40a094 TlsFree
0x40a09c SetLastError
0x40a0a0 GetCurrentThreadId
0x40a0a8 HeapCreate
0x40a0b0 GetTickCount
0x40a0b4 GetCurrentProcessId
0x40a0bc CreateFileA
0x40a0c0 SetFilePointer
0x40a0c4 WriteConsoleW
0x40a0c8 MultiByteToWideChar
0x40a0cc SetStdHandle
0x40a0d0 FlushFileBuffers
0x40a0d8 GetCPInfo
0x40a0dc GetACP
0x40a0e0 GetOEMCP
0x40a0e4 IsValidCodePage
0x40a0e8 LoadLibraryW
0x40a0ec HeapAlloc
0x40a0f0 HeapReAlloc
0x40a0f4 SetEndOfFile
0x40a0f8 GetProcessHeap
0x40a0fc ReadFile
0x40a100 CreateFileW
0x40a104 GetStringTypeW
0x40a108 LCMapStringW
0x40a10c HeapSize

.text
`.rdata
@.data
.rsrc
@.reloc
YQPVh
t hx~_
Rh6#@
uTVWhkM@
9=l~_
SVWUj
;5L}_
UTF-8
UTF-16LE
UNICODE
(null)
`h````
CorExitProcess
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
c:\windows\temp\javaupdate.exe
%s %s
c:\windows\temp\java.exe
F:\Work\card\Van_XATM\Release\Van_XATM.pdb
GetModuleFileNameA
Sleep
CreateProcessA
KERNEL32.dll
GetCommandLineA
HeapSetInformation
GetStartupInfoW
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
EncodePointer
DecodePointer
RtlUnwind
GetLastError
WriteFile
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
HeapFree
CloseHandle
GetProcAddress
GetModuleHandleW
ExitProcess
GetStdHandle
GetModuleFileNameW
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
CreateFileA
SetFilePointer
WriteConsoleW
MultiByteToWideChar
SetStdHandle
FlushFileBuffers
IsProcessorFeaturePresent
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
LoadLibraryW
HeapAlloc
HeapReAlloc
SetEndOfFile
GetProcessHeap
ReadFile
CreateFileW
GetStringTypeW
LCMapStringW
HeapSize
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.text
`.rdata
@.data
.rsrc
@.reloc
YQPVh
SVWUj
(null)
`h````
UTF-8
UTF-16LE
UNICODE
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
CorExitProcess
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__eabi
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
V2luSW5ldC5kbGw=
SW50ZXJuZXRPcGVuQQ==
SW50ZXJuZXRDbG9zZUhhbmRsZQ==
SW50ZXJuZXRSZWFkRmlsZQ==
RGVsZXRlVXJsQ2FjaGVFbnRyeQ==
SHR0cEFkZFJlcXVlc3RIZWFkZXJzQQ==
SHR0cFNlbmRSZXF1ZXN0QQ==
HttpSendRequestExA
SHR0cFF1ZXJ5SW5mb0E=
SHR0cE9wZW5SZXF1ZXN0QQ==
SW50ZXJuZXRXcml0ZUZpbGU=
SW50ZXJuZXRDb25uZWN0QQ==
SHR0cEVuZFJlcXVlc3RB
SW50ZXJuZXRDcmFja1VybEE=
a2VybmVsMzIuZGxs
Q3JlYXRlRmlsZUE=
V3JpdGVGaWxl
Q3JlYXRlVGhyZWFk
Q2xvc2VIYW5kbGU=
UmVhZEZpbGU=
U2V0RmlsZVRpbWU=
R2V0RmlsZVRpbWU=
R2V0V2luZG93c0RpcmVjdG9yeUE=
R2V0VGVtcFBhdGhB
RGVsZXRlRmlsZUE=
SXBobHBhcGkuZGxs
R2V0QWRhcHRlcnNJbmZv
Sleep
GetProcAddress
LoadLibraryA
InitializeCriticalSection
CreateProcessA
DeleteCriticalSection
CreateFileA
SetFilePointer
GetCurrentProcess
WriteFile
ReadFile
GetLastError
GetFileType
CloseHandle
KERNEL32.dll
GetCommandLineA
HeapSetInformation
GetStartupInfoW
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
DecodePointer
EncodePointer
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
RtlUnwind
HeapFree
HeapAlloc
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleW
SetLastError
GetCurrentThreadId
ExitProcess
GetStdHandle
GetModuleFileNameW
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
SetStdHandle
FlushFileBuffers
HeapSize
WriteConsoleW
MultiByteToWideChar
IsProcessorFeaturePresent
LCMapStringW
GetStringTypeW
LoadLibraryW
HeapReAlloc
SetEndOfFile
GetProcessHeap
CreateFileW
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.text
`.rdata
@.data
.idata
.reloc
0000000000000000
COM_BANK_NAME
ENG_COM_BANK_NAME
CREDIT_FREFIX
d:\chvan\cardinfo.ini
99999
00000000000
09649640
20050603
20001006
000000
09649646
CHECK_SANGHOBANK
944095
480400
GSInf90K.swf
%04d.%02d.%02d %02d:%02d:%02d-%03d
D:\CHVAN\KIUP_CI.jpg
View256(%s)
MPEGVideo
AD003.mpg
AD039_knb.mpg
AD003_ibk.mpg
yv000.wav
yv000_e.wav
dx%03d.swf
dx008.swf
dx002.swf
dx003.swf
dx007.swf
process.swf
process_e.swf
scr000.jpg
scr000_e.jpg
scr000-7.jpg
scr000-7_e.jpg
scr000-39.jpg
scr000-39_e.jpg
scr000-3.jpg
scr000-3_e.jpg
sdraw(%d)
** %s **
%s ~ %s
EMV_ProcessOnline() = %x
EMV_AnalysisTerminalAction() = %x
EMV_ManageTerminalRisk() = %x
EMV_VerifyCardHolder() = %x
EMV_RestrictProcessing() = %x
EMV_AuthOfflineData() = %x
EMV_ReadApplicationData() = %x
EMV_GetProcessingOptions() = %x
EMV_selectUserApplication1() = %x
EMV_SelectApplication() = %x
EMV_Init() = %x
Start_EMV_Kernel(%d)
szEncData=%s
59003=0
d:\chvan\WOORIB.ENC
04%.4s
d:\chvan\certkey\ctkeyt.enc
d:\chvan\certkey\ctkeyo.enc
1A2B3C4D5E6F7F8B2B3C91A1FF09AA953C4D82B2E018BB064D5E73C3D127CCA75E6F64D4C236DDB86F7055E6B345EEC9708146F7A454F0DA81922708957309EC92A31819868218FD03B4092A7791272EFA2B3C485E6F7F81EB3C91A9FF09AA92DC4D82BAE018BB03CD5E73CBD127CCA4BE6F64DCC236DDB5AF7055EDB345EEC6908146FEA454F0D77192270F957309E862A31810868218F963B409217791272A
%.4s %.16s
TranEncryption() Called
d:\chvan\certkey\shStkeyt.enc
d:\chvan\certkey\shStkeyo.enc
d:\chvan\certkey\VAN_CH.key
d:\chvan\certkey\shCDkeyo.enc
d:\chvan\certkey\shCDkeyt.enc
0000%.12s
d:\chvan\certkey\nhCDkey.enc
d:\chvan\certkey\hnCDkeyo.enc
d:\chvan\certkey\hnCDkeyt.enc
d:\chvan\certkey\CTCD_keykey.enc
d:\chvan\certkey\CTCD_key.enc
d:\chvan\certkey\FCardkeyo.enc
d:\chvan\certkey\FCardkeyt.enc
WOORIINFO
d:\chvan\woorienc.ini
%.128s
%.32s
d:\chvan\certkey\KoreaSEnc.enc
d:\chvan\certkey\KoreaSKey.enc
D:\chvan\powercnt.txt
BRU_CASH_CNT
REWRITE_CNT
d:\chvan\powerset.ini
cancel.dat
TEXT_CNT
RECIEPT_TEXT
TEXT_%02d
d:\chvan\rcptText.ini
VERSION
10002
d:\chvan\Time.tim
FB_AP_INFO
StartTime
%04d%02d%02d%02d%02d%02d
d:\chvan\cdmset.ini
%.14s
00000000000000
POWER_CNT
powercnt
D:\chvan\M_XSREG.swf
D:\chvan\Flash\MOP\M_XSREG.swf
D:\chvan\M_FBSREG.swf
D:\chvan\Flash\MOP\M_FBSREG.swf
REBOOT_OK
EPP_CNT
REBOOT_CNT
CRW_CNT
d:\LOG_DATA\ER%02d%02d.log
VAR_UNUSABLE_TIME
%.24s
d:\chvan\unusable.ini
d:JAMCODE.TXT
d:version.fil
d:powdate.txt
d:ERRCODE.TXT
d:insum.dat
d:outsum.dat
d:telinfo.fil
D:SAVEINP.DAT
%08ld
Complete_Proc()
HI_Initial_Load_Proc(%d)
HI_Load_Proc(%d)
CHECK SUM=%02x,%02x
CHECK SUM=%02x,%02x
SUCCESS : AP recv %dbyte OK
ERROR : AP recv pending %dbyte, error %dbyte waiting VPN response
ERROR : AP recv pending %dbyte, error %dbyte, VPN recv overtime occured
BID KEY REQUEST
REBOOT REQUEST(BID)
BID H_OPEN
BID RECEIVE!!!
d:\chvan\PIFFInfo.ini
d:\chvan\PIFFInfo.bak
PRICE_INFO
GRADE_INFO
BLOCK_INFO
STORY_INFO
77
66
88
N;
MACHINE
PASSBOOK
%.10s
d:\fkmapp\vanunit.ini
XAtmB8
Y;
%.4s%4s
%.100s
%.49s
%436s
%419s
%459s
%136s
A0000000651010
A0000001523010
D4100000012010
A0000000041010
error_device
full
full
%-100s
%100s
%.5s%5s
%.12s%8s
%.2s:%.2s~%.2s:%.2s
ENVIRON_INFO
error_datetime
D:\chvan\kiup_env.ini
%.55s
%.12s
%02d0120
%020s
%02d06
%02d5007070107
%02d08
%-20s
%02d%02d%02d0620070602
%02d05
%-50s
%%-%ds
%02d50060601
%.3s%.4s
00000000
02%04d
01%04d
04%04d
03%04d
000000000
%05d0000
MakeCancelData(%d) Called
%02d%.5s
APDU_Recv %04X
DF_Select %04X
000000
000000000
00000
*0
*0
00000000
d:\LOG_DATA
%04d%02d%02d
KXATM
DLL_VER
FTP_KXATM_DIR
//autm_down/kxatm
FTP_LIST
FTP_IPADDRESS
211.55.3.251
d:\CH_INFO\FTPDOWN.INI
20170223
ERROR MODE:%02x
REBOOT REQUEST(TID)
IALL OK
ALL:OK
Com_Initial NG=%d
MCC_Init()
EPP_TMK_TPK_Write OK
B6E610FA
EPP_TPK_Write
EPP_TMK_Write
ERROR Detail:
LINE ERROR:%02x
039F%02x
ERROR Detail:
FILE ERROR:0x%02x
DvrFlag
D:\chvan\Flash\INI\UsbCam.ini
Change Out_Of_Service !!!
ALL_Mecha_Reset(%02x,%02x,%02x)!!!
Door Open => OUT_OF_SERVICE !!!
SAFE DOOR OPEN
Device_Status Error(%02x,%02x,%02x)!!!
TRANSACTION START !!!
OFF_LINE_MAIN => IN_SERVICE
Online_Print OK!!!
OFF_LINE_MAIN OK!!!
NG(%.03s)
SCREEN_MSG
D:\chvan\response.ini
: %.3s
Time Over
:%.4s
:%.4s
:%.14s
:%.14s
[%d] Online_Request
Online_Request Call
error
REBOOT REQUEST(POLL)
POLL WAIT
HOST DISCONNECTED
OUT OF SERVICE DUMMY READ
:%.3s-%.5s
:%.6s
ONLINE_REQUEST SUCESS!!!
TRAiy.T0030 OK!!!
TRAiy.T0310 OK!!!
TRAiy.T0020 OK!!!
TRAiy.T0010 OK!!!
00000
0D1E77
%02x%.2s
0000000
a2.jpg
a1.jpg
%d.%d.%d.%d
SUCCESS : AP send data %dbyte
ERROR : AP send data %dbyte, VPN send error, wait VPN sending time
ERROR : AP send data %dbyte, VPN send error
ERROR : AP send data %dbyte, VPN send over time occured, not trans %dbyte
026400
Pb_Expel():%d
reset
SendX100Status:[%.70s]
BeforeX100Status:[%.70s]
%.3s-%.3s
06a-000
06F-000
06E-000
066-000
0CB-000
0CA-000
00B-000
%.6s%.4s
%.2s%.5s/%s
ERRDATE.TXT
%.5s/%s
ERRLIST.TXT
%.5s %s
%.4s/%.2s/%.2s %.5s
B6E610FA
00000000000000000000000000000000
(ERROR CODE) : 0D1E77
0000000000000000000
RRRRRRRRRRRRRR
-%05d
+%05d
%.4s/%.2s/%.2s-%.2s:%.2s:%.2s
%s%02d.txt
Test2_%03d.jpg
D:\PKGIMG\CUSTOMER\%04d%02d\%02d\%s
Test1_%03d.jpg
XAtmB8
10.1.1.15
0.0.0.0
:%.6s
HOST Port
HOST IP
P/G VERSION : %s
PPR F/W VERSION : %.4s
CIP F/W VERSION : %.4s
BV F/W VERSION : %.4s
BRU F/W VERSION : %.4s
HOST PORT : %.5s
HOST IP : %.12s
: %.2s
: %.3s(%.4s)
: %.3s(%.4s)
: %.12s
: [%.4s/%.2s/%.2s-%.5s]
: [%.14s]
=================================
CDMSET.ini Set Data : 0x%04
FTP_VERSION
FBXATM
PRO_CNT.TXT
FILEERROR:%02x
DEPMAX_COUNT
OUTMAX_COUNT
OCHUN
DEPOSIT
TICKET
HOSTPORT
20001
HOSTIP
010001001015
MACSER
000000000000
ATM_KIND
JEHUE_INFO
PLACE_TYPE2
PLACE_TYPE
BRAND_TYPE2
BRAND_TYPE
GIBUN
ACHV0000000000
POWER OFF....
Shut Down
ProcessShutDown(%d)
BILL_mode_set([QBRU_BV_Set(%d)])
PPR_Pg_ID_Read() OK
PPR_Fp_Set() Error
PPR_Pg_Reset() Error
BDU_ERRORSET(%.2x, %.2x)
D:\chvan\F100B.bin
D:\chvan\VBduDown.exe
D:\chvan\VBduDown.exe D:\chvan\F100B.bin
D:\chvan\EPPMain(3E).bin
D:\chvan\Epp-XMain(XA).bin
D:\chvan\XEppDown2.exe
D:\chvan\XEppDown2.exe D:\chvan\Epp-XMain(XA).bin 5
D:\chvan\RPU7000_V05.bin
D:\chvan\RpuDown.exe
D:\chvan\RpuDown.exe D:\chvan\RPU7000_V05.bin
D:\chvan\HCIPV0417.bin
D:\chvan\HCIPdown.exe
D:\chvan\HCIPdown.exe f D:\chvan\HCIPV0417.bin
D:\chvan\AtIsp.dll
D:\FKMAPP\AtIsp.dll
D:\chvan\AtRs232.dll
D:\FKMAPP\AtRs232.dll
D:\chvan\VER205_20110309.hex
D:\FKMAPP\VER205_20110309.hex
D:\chvan\McrwFwDn.exe
D:\FKMAPP\McrwFwDn.exe
D:\chvan\McrwFwDn.exe D:\chvan\VER205_20110309.hex
DATA_%03d
OFFLINE_BANKERMODE
COUNT
D:\chvan\DevInfo.bak
D:\chvan\DevInfo.ini
%.15s
******
ACCOUNT NUMBER :
TRANSACTION TYPE :
\1,000(%d)
\5,000(%d)
\10,000(%d)
\50,000(%d)
: [%.4s/%.2s/%.2s-%.8s]
: [%.4s/%.2s/%.2s-%.2s:%.2s:%.2s]
: [%.4s/%.2s/%.2s-%.2s:%.2s:%.2s]
DEPERR.TXT
CANCELF.TXT
:%.3s]
D:\chvan\DEPERR.TXT
--> %d
GSSub01K.swf
: %d
00000000000000010000
GSInf01k.swf
TK_MenuProc(%d)
GSSub02K.swf
: %d, %d , %d
TK_ItemProc(%d)
TK_ListProc(%d)
GSSub10K.swf
GSSub03K.swf
%.02s:%.02s
TK_ScheduleProc(%d)
GSSub04K.swf
00000000000000001000
00000000000000011000
TK_NoticProc(%d)
GSSub05K.swf
TK_ZoneProc(%d)
GSSub06K.swf
: %.8s
GSPkg31K.swf
TK_DateProc
: %.8s
: %X , %i
%s %s %s %s %s
%s %s
(%s) %.02s:%.02s %s %s
GSPkg30K.swf
GSSub07K.swf
TK_MediaProc(%d)
GSSubx08K.swf
00000000000000110000
TK_CardConfirmProc(%d)
GSCnPx1K.swf
TK_CardProc(%d)
GSNum02K.swf
GSNum01K.swf
TK_InsertNumProc(%d)
GSSUb09k.swf
PKGA_Info_Call(%s)
PKGA_SubMenu_Call(%s)
PPR_RESET ERROR!!!
PPR_RESET OK!!!
PPR_Insert Error !!!
Invoke_Customer() BOOK INSERT
Invoke_Customer() CARD INSERT
StateA_EventTR(%d)
QCIP_Ms_Read=%d
Check_IC_Setting=%d
SYSiy.TKEY=%x
ERROR
StateF_DataSend
503E03
505E05
504E04
(ERROR CODE) : %.3s
842B88
%04d-%04d-XXXX-XXXX-XXXX
819C00
After_CASH_out=%d
%03d%03d000
%04d-%04d-%04d-0000-XXXX %04d-%04d-%04d
%04d-%04d-XXXX-XXXX-XXXX
After_CASH_out(%d, %d)
CASH_out(%d, %d)
StateP_ContentsProc(%x, %d, %d))
: %d
: %d
%04d-%04d-%04d-%04d-XXXX %04d-%04d
000000000000000000000
Auto Reset (BRU)
d:\chvan\KSNET.ENC
(%d)
D:\chvan\certkey\dbMKT.enc
Convert TransBuffer NG(%d)!!
NG(%d)!!
)NG(%d)!!
Tran Convert NG(%d)!!
NG(%d)!!
OK!!
) START!!
OK!!
vK9GCbVdV4Mer5pmPKEdxIh3RGztbQdDo7+m6HhGNGWLDf6r+9Hr0P20g51xyL1i
Convert TransBuffer OK!!
) START!!
KB Key Init Err(%d)
d:\chvan\qbank_cert.scb
KIUP KEY Enc Fail(%d)
d:\chvan\test-cert.cer
NH ISA chello Err(%d)
NH ISA HANDLE FAIL(%d)
d:\chvan\nh_cli.key
OK!!
(%d)
D:\chvan\certkey\hwMKT.enc
D:\chvan\certkey\wrMKT.enc
Re-Auto Reset (BRU)
Balance : %s Won
Amount Deposit : %s Won
Surhcarge : %s Won
Amount of input : %s Won
: %s
Account Number : %s
: %s
Deposit Bank : %s
%.6s******%.4s
Balance : %s Won
Surhcarge : %s Won
Amount : %s Won
: %s
: %s
Name : %s
Account Number : %s
: %s
Transfer Bank : %s
%.14s%.6s%d.%s%s
%.20s%8s%d.%s%s
Apr :
(Year)
Balance Amount : %s Won
Surcharge Amount : %s Won
%12ld
: %.6s******%.4s
Card Number : %.6s******%.4s
: %s
Account Number : %s
: %s
Bank Name : %s
Bank Name : Foreign Card
conversion or its Disclosure.
I will have no recourse against MasterCard concerning the currency
I have chosen not to use the MasterCard currency conversion process and
Transaction Amount: %.3s %s
(%.3s %s)
KRW%s
Terminal Exchange Rate :
Total Amount : KRW%s
Access Fee : KRW%s
Cash Withdrawal : KRW%s
currency
You may pay for this transaction in your home
You may pay for this transaction in your home currency.
No receipt.
Requested Amount : %s Won
ORGBANK_TO_COMBANK
00700000
00500000
00400000
00300000
00200000
00150000
00100000
00050000
00030000
00010000
(sheets)AVAILABLE
50,000:%2d
10,000:%2d
Minimum:%3d, Maximum:%3d
fifty thousand won bill
There is not enough
0
%3d0,000
6,000,000
740000000
730000000
720000000
710000000
%.6s******%.4s (Checking Account)
%.6s******%.4s (Saving Account)
%.6s******%.4s (Credit Account)
Foreign Card
:
%.12s%.s%.5s%s
surcharge :
On-Business Hours : *700 Won
Off-Business Hours : *900 Won
On-Business Hours : *800 Won
On-Business Time : 09:00 ~ 16:00
Off-Business Hours : *1,300 Won
On-Business Hours : *1,100 Won
On-Business Time : 09:30 ~ 16:30
WITHDRAWAL
%.16s
%.6s%d.%s%s
%.8s%d.%s%s
%.20s%.8s%d.%s%s
Apr :
On-Business Hours *800 Won,Off-Business Hours *900 Won
Surhcarge : On-Business Time(09:00~16:00)
: %s
GSTakx1K.swf
(%.6s)
2M5111
B%02x
929C00
919C00
CIP EJECT ERROR !!!
949B08
MI
CASH TAKEN DISPENSE NG
CASH TAKEN DISPENSE OK
SHUTTER OPEN - OK
SHUTTER OPEN - NG
SHUTTER CLOSE - OK
SHUTTER CLOSE - NG
0000000000000000000000
=%.3s
: IDLE
[PPR_Fp_Set NG]
[PPR_Pg_Reset NG]
[PPR Port Init NG]
[PPR Port Init OK]
ERROR!!!
ERROR
(%.6s)
(%.6s)
2J1111
(%.6s)
%04d-%04d-%04d-%04d-XXXX %07d
%04d-%04d-%04d-%04d-XXXX %07d
(%.6s)
%04d-%04d-%04d-%04d-XXXX XXXXXXX
(%.6s)
(%02x%02x)
(%02x%02x)
(%02x%02x)
1000000000000000000000
!!!!
%04d-%04d-%04d-%04d %04d-%04d-%04d-%04d
(%.6s)**
3J1111
Check_MS_Setting=%d
IST2=%.4s
IST3=%.4s
or Magnetic Stripe Error
Passbook Read Error
BOOK=%s
Insert_IC_Set() [IC Set]=%d
Ms_Book_Read=%02x %02x
Ms_Book_i:%d
NOT 0~999
leng=%d,MK=%s
Ms_Book_err3=%02x %02x
Ms_Book_err2=%02x %02x
Ms_Book_err1=%02x %02x
%.2s%.2s%.2s
:%.8s - %.8s
%.3s %s
OK !!!
No Data to Update your Passbook
This passbook was carried over
startline=%d, gunsu=%d
StateR_NormalBook()
Book_Expel=%02x %02x
979D00
TEST !!!
:1577-0068
SERVICE TRANSFER
SERVICE BALANCE
AVAILABLE CASH
ADVANCE IN CASH
Apr
DEPOSIT
DEPOSIT FEE
BALANCE INQUIRY
TRANSFER
WITHDRAWAL
WITHDRAWAL FEE
(RETRY)
CANCELLATION
************
==> %s, %s, %x
%s\%s
D:\PKGIMG\CUSTOMER\%.6s\%.2s
D:\PKGIMG\CUSTOMER_MPG\%.6s\%.2s
%.6s%06d003.idx
%.6s%06d002.jpg
%.6s%06d001.jpg
D:\chvan\CANCELF.TXT
Save_Data_Write(%d)
%09ld
%06ld
%05ld
Please check the amount to deposit
No cash
and surcharge
Please check the amount to deposit
A fee will be charged for the transaction
%d0,000
20130328003000
VPN_ID
VPN_IP
211.55.3.31
C:\sslvpn.ini
D:\sslvpn.ini
%012d
[%02d/%02d %02d:%02d:%02d]
[%02d/%02d %02d:%02d:%02d]
d:\LOG_DATA\EJ%02d%02d%02d.log
-----
-
%02X
- %02X
%06ld| %02X
d:\LOG_DATA\SR%.6s.log
FIX_UNUSABLE_TIME
d:\FTPDOWN\FTPDOWN.EXE
d:\FTPDOWN.EXE
REBOOT REQUEST(AUTO)
%.02d%.02d
%.04s
%.08s
%.02s
MONITOR POWER OFF
MONITOR POWER ON
%02d%02d%02d
c:\ip\ip.txt
1723131
%d%d%d
%03d.%03d.%03d.%03d
000.000.000.000
%04d%02d%02d%02d%02d%02d%03d
D:\FILEJNL\j%.2s\%.8s.jnl
BuildLab
CurrentBuildNumber
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProcessorNameString
Hardware\Description\System\CentralProcessor\0
%.06d
%.07d
C:\Program Files\Hauri\VRIS70\hVrMalSvc.exe
C:\Program Files\Hauri\VRIS2011\hVrMalSvc.exe
C:\Program Files\Hauri\ViRobot Desktop 5.5\hcontain.exe
%.09d
C:\Program Files\SecuwaySSL3\bin\SecuwayClient-Setup.exe
warning.wav
keybd.wav
SeShutdownPrivilege
%s\*.*
%c:\Image\%s
%c:\Image\*.
D:\LOG_DATA\ER%02d%02d.log
D:\LOG_DATA\EJ%02d%02d%02d.log
D:\LOG_DATA\SR%02d%02d%02d.log
%c:\FILEJNL\j%02d
%c:\FILEJNL
EXIT AP PROGRAM
ERROR
d:eduterr.cod
d:bduxerr.cod
d:cipxerr.cod
d:fileerr.cod
D:\%s\
D:\FILEJNL
Line Error
VCRW_FP Error
VCRW_RT Error
VRPR_RT Error
I/F Error
I/F Error
I/F Error
I/F Error
c%0.6s
; %s
%.12s%.6s%d.%s%s
:
Apr :
%d.%s
%d.00
%%0%dld
%%%dld
0
_e.jpg
d:\chvan\ENGLISH\%s
d:\chvan\ENGLISH\*.jpg
%08lX
CHVAN
Socket Close
@ AP POWER ON >>>
======================================================
FKM Input Control
static
D:\CHVAN
[%.2s/%.2s:%.2s:%.2s.%.3s]
NIGHT
KP00.log
SeTimeZonePrivilege
[%ld]
ScheduledInstallDate
NextDetectionTime
[%ld]
[%ld]
AutoUpdateSettingChange(%ld)
AUOptions
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
0031%.14s%.3s.%.3s.%.3s.%.3s00
\jdrawpicture\stdafx.cpp
5?i386\chkesp.c
The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention.
format != NULL
sprintf.c
string != NULL
Client
Ignore
Normal
dbgheap.c
_CrtCheckMemory()
_pFirstBlock == pOldBlock
_pLastBlock == pOldBlock
fRealloc || (!fRealloc && pNewBlock == pOldBlock)
_BLOCK_TYPE(pOldBlock->nBlockUse)==_BLOCK_TYPE(nBlockUse)
pOldBlock->nLine == IGNORE_LINE && pOldBlock->lRequest == IGNORE_REQ
_CrtIsValidHeapPointer(pUserData)
_pFirstBlock == pHead
_pLastBlock == pHead
pHead->nBlockUse == nBlockUse
pHead->nLine == IGNORE_LINE && pHead->lRequest == IGNORE_REQ
_BLOCK_TYPE_IS_VALID(pHead->nBlockUse)
DAMAGED
{%ld}
%hs(%d) :
#File Error#(%d) :
%.2X
vsprintf.c
fclose.c
stream != NULL
str != NULL
*mode != _T('\0')
mode != NULL
*file != _T('\0')
fopen.c
file != NULL
ftell.c
fseek.c
fprintf.c
fgets.c
fgetc.c
rewind.c
printf.c
sscanf.c
Assertion Failed
Error
Warning
%s(%d) : %s
Assertion failed!
Assertion failed:
_CrtDbgReport: String too long or IO Error
wsprintfA
user32.dll
Microsoft Visual C++ Debug Library
(Press Retry to debug the application)
Module:
File:
Line:
Expression:
failure, see the Visual C++ documentation on asserts.
<program name unknown>
dbgrpt.c
szUserMessage != NULL
("inconsistent IOB fields", stream->_ptr - stream->_base >= 0)
_flsbuf.c
`h````
(null)
output.c
ch != _T('\0')
IsProcessorFeaturePresent
KERNEL32
e+000
mlock.c
__GLOBAL_HEAP_SELECTED
__MSVCRT_HEAP_SELECT
_file.c
_freebuf.c
_filbuf.c
_open.c
filename != NULL
stream.c
osfinfo.c
ioinit.c
chsize.c
size >= 0
tidtable.c
_sftbuf.c
flag == 0 || flag == 1
stdenvp.c
stdargv.c
a_env.c
runtime error
Microsoft Visual C++ Runtime Library
Program:
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
tzset.c
gmtime.c
input.c
wtombenv.c
winsig.c
GetLastActivePopup
GetActiveWindow
MessageBoxA
_getbuf.c
mbtowc.c
MB_CUR_MAX == 1 || MB_CUR_MAX == 2
ungetc.c
a_cmp.c
cchCount1==0 && cchCount2==1 || cchCount1==1 && cchCount2==0
setenv.c
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
setlocal.c
1#QNAN
1#INF
1#IND
1#SNAN
inittime.c
initnum.c
initmon.c
initctyp.c
Paraguay
Uruguay
Chile
Ecuador
Argentina
Colombia
Venezuela
Dominican Republic
South Africa
Panama
Luxembourg
Costa Rica
Switzerland
Guatemala
Canada
Spanish - Modern Sort
Australia
English
Austria
German
Belgium
Mexico
Spanish
Basque
Sweden
Swedish
Iceland
Icelandic
France
French
Finland
Finnish
Spain
Spanish - Traditional Sort
united-states
united-kingdom
trinidad & tobago
south-korea
south-africa
south korea
south africa
slovak
puerto-rico
pr-china
pr china
new-zealand
hong-kong
holland
great britain
england
czech
china
britain
america
swiss
swedish-finland
spanish-venezuela
spanish-uruguay
spanish-puerto rico
spanish-peru
spanish-paraguay
spanish-panama
spanish-nicaragua
spanish-modern
spanish-mexican
spanish-honduras
spanish-guatemala
spanish-el salvador
spanish-ecuador
spanish-dominican republic
spanish-costa rica
spanish-colombia
spanish-chile
spanish-bolivia
spanish-argentina
portuguese-brazilian
norwegian-nynorsk
norwegian-bokmal
norwegian
italian-swiss
irish-english
german-swiss
german-luxembourg
german-lichtenstein
german-austrian
french-swiss
french-luxembourg
french-canadian
french-belgian
english-usa
english-us
english-uk
english-trinidad y tobago
english-south africa
english-nz
english-jamaica
english-ire
english-caribbean
english-can
english-belize
english-aus
english-american
dutch-belgian
chinese-traditional
chinese-singapore
chinese-simplified
chinese-hongkong
chinese
canadian
belgian
australian
american-english
american english
american
H:mm:ss
dddd, MMMM dd, yyyy
M/d/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
am/pm
inithelp.c
;:879
CHUNGHO VAN
ABC0123456789DEF
3036000000000000
===== EPP INIT [%s] =====
D:\FkmApp\Vanunit.ini
BSBIMCKBBKKCDEDDPEESEEGKSSBVFDLSEBBED1D3A1A2A3
@@\\.\COM%d
COM%d
%c%c%c%c%c%c%c%c
%s\%02d%02d%s.0%02d
D:\FKMJNL
[%02X]
:
MR :
KE :
ER :
RX :
TX :
EPP
#[%02d/%02d:%02d:%02d.%03d]
EPPdown
ATMLIB_q_memory
ATM_PKGJNL_MUTEX
\PkgJnl.exe SCR_PKG
BigDogPath323VMSnap
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SuspendEnable
System\CurrentControlSet\Services\F3DX5USB\Parameters
C:\FkmApp\OCRDemon\OCRDemon.exe
C:\FkmApp\OCRDemon
GCDU INIT : [%d]
XCHEK INIT : [%d]
V-CDU(Lan) Check OK
Shinko INIT : [%d]
JPR200 INIT : [%d]
HCIP INIT : [%d]
C:\FkmPM
K20UPSWin
C:\FkmApp\K20Ups.exe
CICInit JPR ERR : [%04X]
CICInit JPR
CICOpen JPR ERR : [%04X]
CICOpen JPR
CICInit RPR ERR : [%04X]
CICInit RPR
CICOpen RPR ERR : [%04X]
CICOpen RPR
CICInit CRW ERR : [%04X]
CICInit CRW
CICOpen CRW ERR : [%04X]
CICOpen CRW
CICInit BRU ERR : [%04X]
CICInit BRU
CICOpen BRU ERR : [%04X]
CICOpen BRU
CICClose [%d] ERR : [%04X][%04X]
CICSend [%d] ERR : [%04X][%04X]
C:\XBRU0000.SB
SeSystemtimePrivilege
C:\FkmPm\PPR00000.PM
C:\FkmPm\JPR00000.PM
C:\FkmPm\RPR00000.PM
C:\FkmPm\CRW00000.PM
C:\FkmPm\BRU00000.PM
C:\FkmPm\FSI_0000.VPP
C:\FkmPm\FSI_0000.VJP
C:\FkmPm\FSI_0000.VRP
C:\FkmPm\FSI_0000.VCR
C:\FkmPm\FSI_0000.MBR
C:\FkmPM\PmInfo.Env
Unit FW Kind
C:\FkmAPP\UnitInfo.ini
C:\FkmApp\FW\CDU\%s
C:\FkmApp\FW\PPR\%s
C:\FkmApp\FW\CIP\%s
C:\FkmApp\FW\BRU\%s
C:\FkmApp\FW\CDU\*.PRG
C:\FkmApp\FW\PPR\*.PRG
C:\FkmApp\FW\CIP\*.PRG
C:\FkmApp\FW\BRU\*.PRG
TranNum.Bin
C:\CheckNH.bin
V0V1V2V3V4V5V6V7
03PM00R00003S00RA000C
C:\FkmApp\FW\PM\U_XBRPRM.DAT
C:\FkmApp\FW\PM\U_MBRPRM.DAT
BRU_CassetteNoteCntSet Ret : [%d]
BRU_CassetteNoteCntSet : [%d] [%d]=[%d] => [%d]
C:\PKGIMG\CARD
D:\PKGIMG\CARD
C:\EJNL\CMG
%s\Base.Pos
%s\%s.Dat
%s\%s.Idx
C:\EJNL\TXT
%s\%04d%02d%02d.Dat
%s\%04d%02d%02d.Idx
C:\PKGIMG
D:\PKGIMG
C:\EJNL
%04d%04d%04d%04d
518382
510000
718382
810000
?0018
TempCard.Cmg
%s\%s%s\%s\%s.cmg
%s\%s%s\%s
%s\%s%s
Temp_2.dat
Temp_1.dat
C:\FkmApp\Imsi.dat
%02X%04X%04X%02X
a0034009C
T%02X
a00000000
a00000000
6%04X
C:\FkmApp\FW\PM\ACIPPRM.DAT
FREE_Print_Image : %s
FREE_Print_Clip : (%d,%d) %s - %d
FREE_Print_End : %d, %d
FREE_Print_Clear
FREE_Print_Start - End : %d
FREE_Print_Start Retry : %d
FREE_Print_Start - Proc 2 %d,%d
FREE_Print_Start - Start
401E0
[H-CIP] Send EM Timeout
[H-CIP] Send ACK Timeout
[H-CIP] Send ENQ Timeout
[%02X][%02X][%02X][%02X][%02X][%02X][%02X][%02X][%02X][%02X]
[%02X]
Timeout
[%d]
[H-CIP] Recv ENQ Timeout [%d]
[H-CIP] Sensor : [%02X][%02X][%02X][%02X][%02X][%s][%s]
[H-CIP] Data Recv Timeout
CXImage_Jpg_Resize
CXImage_Jpg_Rotate
CXImage_Jpg2Bmp
CXImage_Bmp_UnsharpMask
CXImage_Bmp_Resize
CXImage_Bmp_Dither
CXImage_Bmp_Rotate
CXImage_Bmp2Jpg
CXImageDLL.dll
H-JPR
SELECT
C:\FkmApp\HJPR_INFO.INI
HTGet
HTPut
HTClose
HTOpen
HTUsbBP.dll
[H-CIP] USB I/F Retry2 OK
[H-CIP] USB I/F Retry2 Error
[H-CIP] USB I/F Retry OK
[H-CIP] USB I/F Retry Error
[H-CIP] USB I/F Retry
HCIP_Insert T2 = %d, T3 = %d
_HCIP_Ms_Read T2 = %d, T3 = %d
U3050000021C00FFFFFF
U2040010%06X000000
[JPR200] Recv Error [%d]
[JPR200] Send Error [%d]
\\.\COM11
C:\FkmApp\JPR200_LAST_IMAGE.bmp
K20UPS
UpsInit
C:\FkmApp\K20UPS.ini
K20UPS_LIB_EVENT
Send Timeout(NAK)
Send Timeout(ACK)
Send Timeout(Write)
Recv Timeout
%02d:%02d:%02d-%02d
GAZ Power Switch OFF
GAZ UPS Power OFF
GAZ System Shutdown [%d]
Power Switch On
Power Switch Off
Save Door Close
Save Door Open
Front Down Door Close
Front Down Door Open
Front Up Door Close
Front Up Door Open
UpsStatus
00/00:00:00
0000-00-00
C:\SETVATM.DAT
GetSetupInfo : [%d][%s][%s]
C:\FKMJNL2
C:\FKMJNL
D:\FKMJNL2
%s\%02d%02d%s.%c%02d
PBPR
J200
HCIP
GCDU
GAZ
CDU
VCDU
PPR
JPR
RPR
CRW
BRU
#[%02d/%02d:%02d:%02d.%03d] CIC -- : %s
#[%02d/%02d:%02d:%02d.%03d] FRE -- : %s
#[%02d/%02d:%02d:%02d.%03d] DBG -- : %s
D:\PKGJNL
%s\%02d%s.ERR
InitJnl : [%d][%s][%s]
C:\VCDU
C:\AppLog
%s%s%s\*.*
%s%s%s
%s\%s\%s
%s\%s\*.*
%04d%02d
D:\PKGDB
%s\%d
D:\FDVR
4%04X
_0101
_4101
C:\FkmApp\FW\PM\K_XPRPRM.dat
00%02X
[ShinkoPPR] Error [%02X][%c][%c][%c]
[ShinkoPPR] Sensor [%02X][%02X]
L%03d
%c:\%s\%d\%02d
%c:\%s\%d\*.*
%c:\%s\*.*
JnlImg
C:\PKGIMG\CUSTOMER_MPG
D:\PKGIMG\CUSTOMER_MPG
C:\PKGIMG\CUSTOMER
D:\PKGIMG\CUSTOMER
C:\JnlImg
CamFlag
PKG_Caption_K20StillCap
Caption_K20StillCap
CAM2_JPGPATH
CAM1_JPGPATH
C:\FkmApp\%s%d.jpg
PKGIMG\CUSTOMER
%c:\PKGIMG
%c:\%s\%s%s\%s\%s
%c:\%s\%s%s\%s
%c:\%s\%s%s
%c:\%s
SCANCnt
%c:\%s\%s\%s%s\%s
%c:\%s\%s\%s%s
%c:\%s\%s
PkgCap.exe
K20StillCap.exe
K20StillCap_Citi.exe
%s\PkgCap.exe SCR_PKG
C:\FKMAPP\K20StillCap.EXE
D:\FKMAPP\K20StillCap_Citi.EXE
NETWORK
SAVE_PATH
%s\Flash\INI\UsbCam.ini
C:\UsbCam.ini
C:\FkmApp\UsbCam.ini
CAM2_DVRTIME
CAM2_DVRPATH
CAM1_DVRTIME
CAM1_DVRPATH
PKGIMG\CUSTOMER_MPG
CHECK_RST
C:\VCDU\0000_000.MCR
C:\MICRINFO.HSD
%04d %02d %02d
C:\VCDU\0000_000.mcr
C:\FkmApp\OCRDemon\Result\%s
C:\FkmApp\OCRDemon\Result\*.*
[GCDU] Send ACK for Data Recv TimeOut
[GCDU] Send NAK for Data Recv Error
[GCDU] Send ACK for ENQ Recv TimeOut
[GCDU] Send ENQ TimeOut
[GCDU] Send CAN for ENQ Recv Error
[GCDU] Send NAK for ENQ Recv Error
No OCR F/W
[GCDU] Recv Data Overflow
[GCDU] Recv Data TimeOut
[GCDU] GCDU_MICR.DLL not found
gcdumicr_bufCall
GCDU_MICR.dll
Command Cancel TimeOut
Command Cancel Send
C:\VCDU\%04d%02d%02d_%02d%02d%02d_%03d_%c.mir
%04d %02d %02d
C:\VCDU\%04d%02d.sum
[GCDU] FW ['C'] Recv Data TimeOut
[GCDU] FW ['+'] Recv Data TimeOut
[GCDU] FW ['*'] Recv Data TimeOut
[GCDU] FW ['-'] Recv Data TimeOut
[GCDU] FW ['ACK'] Recv Data TimeOut
c:\FkmSys\hn24.fnt
c:\FkmSys\ps24.fnt
c:\FkmSys\moda.fnt
c:\FkmSys\an24s.fnt
\Device\Pioser0
hardware\devicemap\serialcomm
[%s]
R0 %.44s
L5 %.44s
L3 %.44s
L1 %.44s
-----------------------------------------------
[%s %s] - %.12s
#[%s.%03d] CDU == : 41MD00M000D600000000[%.12s]L1%.44sL3%.44sL5%.44sR0%.44s[M17v10]
#[%s.%03d] CDU == : 51MD00M000D600MD6A01[%.12s]L1%.44sL3%.44sL5%.44sR0%.44s[M17v10]
C:\VCDU\result.bak
C:\VCDU\result.hsd
Application transferred too many scanlines
Invalid SOS parameters for sequential JPEG
Corrupt JPEG data: found marker 0x%02x instead of RST%d
Premature end of JPEG file
Warning: unknown JFIF revision number %d.%02d
Corrupt JPEG data: bad Huffman code
Corrupt JPEG data: premature end of data segment
Corrupt JPEG data: %u extraneous bytes before marker 0x%02x
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Start of Image
Component %d: %dhx%dv q=%d
Start Of Frame 0x%02x: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0x%02x, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0x%02x
Skipping marker 0x%02x, length %u
with %d x %d thumbnail image
Unknown JFIF minor revision number %d.%02d
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker, density %dx%d %d
%3d %3d %3d %3d %3d %3d %3d %3d
End Of Image
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0x%02x
Define Arithmetic Table 0x%02x: 0x%02x
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0x%04x 0x%04x, transform %d
Caution: quantization tables are too coarse for baseline JPEG
6a 7-Feb-96
Copyright (C) 1996, Thomas G. Lane
Write to XMS failed
Read from XMS failed
Image too wide for this implementation
Virtual array controller messed up
Unsupported marker type 0x%02x
Application transferred too few scanlines
Write failed on temporary file --- out of disk space?
Seek failed on temporary file
Read failed on temporary file
Failed to create temporary file %s
Invalid JPEG file structure: SOS before SOF
Invalid JPEG file structure: two SOI markers
Unsupported JPEG process: SOF type 0x%02x
Invalid JPEG file structure: missing SOS marker
Invalid JPEG file structure: two SOF markers
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0x%02x 0x%02x
Quantization table 0x%02x was not defined
JPEG datastream contains no image
Huffman table 0x%02x was not defined
Backing store not supported
Requested feature was omitted at compile time
Not implemented yet
Invalid color quantization mode change
Scan script does not transmit all data
Cannot transcode due to multiple use of quantization table %d
Premature end of input file
Empty input file
Maximum supported image dimension is %u pixels
Missing Huffman code table entry
Huffman code size table overflow
Fractional sampling not implemented yet
Output file write error --- out of disk space?
Input file read error
Didn't expect more than one scan
Write to EMS failed
Read from EMS failed
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DHT counts
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
CCIR601 sampling not implemented yet
Suspension not allowed here
Buffer passed to JPEG library is too small
Bogus virtual array access
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Bogus sampling factors
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Sampling factors too large for interleaved scan
Wrong JPEG library version: library is %d, caller expects %d
Bogus marker length
Bogus JPEG colorspace
Bogus input colorspace
IDCT output block size %d not supported
Invalid component ID %d in SOS
Bogus buffer control mode
MAX_ALLOC_CHUNK is wrong, please fix
ALIGN_TYPE is wrong, please fix
Sorry, there are legal restrictions on arithmetic coding
Bogus message code %d
JPEG Error
%ld%c
JPEGMEM
GetPrivateProfileStringA
OutputDebugStringA
GetLocalTime
LeaveCriticalSection
EnterCriticalSection
GetCurrentDirectoryA
Sleep
FindClose
FindFirstFileA
WritePrivateProfileStringA
CloseHandle
ReadFile
GetFileSize
CreateFileA
FlushFileBuffers
WriteFile
FileTimeToSystemTime
SystemTimeToFileTime
GetTickCount
DeleteFileA
CopyFileA
SetFilePointer
InitializeCriticalSection
DeleteCriticalSection
TerminateThread
WaitForSingleObject
CreateProcessA
HeapReAlloc
HeapAlloc
GetProcessHeap
FileTimeToLocalFileTime
GetVersionExA
GlobalMemoryStatus
GetDiskFreeSpaceExA
SetLocalTime
GetCurrentProcess
SetCurrentDirectoryA
FindNextFileA
CreateDirectoryA
SetComputerNameA
GetLastError
GetComputerNameA
SetFileAttributesA
GetFileAttributesA
CreateEventA
GetModuleFileNameA
CreateThread
SetTimeZoneInformation
GetTimeZoneInformation
KERNEL32.dll
ReleaseDC
GetDC
FillRect
SetRect
ShowWindow
UpdateWindow
MoveWindow
SendMessageA
SetFocus
SetForegroundWindow
PostMessageA
SetWindowPos
ShowCursor
SystemParametersInfoA
ExitWindowsEx
DispatchMessageA
TranslateMessage
GetMessageA
CreateWindowExA
RegisterClassA
LoadCursorA
LoadIconA
DefWindowProcA
DestroyWindow
FindWindowA
SetTimer
PostQuitMessage
EndPaint
BeginPaint
USER32.dll
DeleteObject
Rectangle
RoundRect
SetROP2
SelectObject
CreatePen
CreateSolidBrush
GetPixel
BitBlt
CreateCompatibleBitmap
CreateCompatibleDC
DeleteDC
SetPixel
CreateBitmap
TextOutA
SetTextColor
SetBkMode
SetTextAlign
CreateFontA
GetStockObject
GDI32.dll
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegDeleteValueA
RegSetValueExA
ADVAPI32.dll
WS2_32.dll
mciSendCommandA
sndPlaySoundA
WINMM.dll
GetAdaptersInfo
iphlpapi.dll
ISA_cencrypt
ISA_Init
ISA_ckeyupdate_init
ISA_cfinish
ISA_chello
ISA_HANDLE_acquire
ISA_HANDLE_release
nh_isatm.dll
WR_EncSeed
WR_GetHashCode
WR_CKeyFinal
WR_CKeyInit
WREncClt.dll
HW_EncSeed
HW_GetHashCode
HW_CKeyFinal
HW_CKeyInit
HWEncClt.dll
DB_EncSeed
DB_GetHashCode
DB_CKeyFinal
DB_CKeyInit
DBEncClt.dll
HD_EncSeed
HD_GetHashCode
HD_CKeyInit
HDEncClt.dll
KiupEncryptMessage
KiupEncryptMessage2
KBEncryptMessage
NcfBankEncrypt
PostOfficeEncrypt
HnBankEncrypt
NffcBankEncrypt
KebBankEncrypt
BusanBankEncrypt
ChbBankEncrypt
JeonBukEncrypt
WooriBankEncrypt
ENCTDesData
DaeWooSeedEncryptData
ENCSHStockData
KftcEnc
DYPubSeedEncryptData
HyundaiCard
KebCardEncrypt
SamsungEncrypt
KMcardEncrypt
BcEncrypt
LotteCard
NffcCardEncrypt_New
AMEXEncrypt
ENCNHCardData
TDESCBC
ENCCTCardData
encodeString
ENSHDesData
ENSH2DesData
WooriCardEncrypt
KSNetEncrypt
KebBankKeyInit
KBEncryptKeyFinal
KBEncryptKeyInit
KiupEncryptKeyFinal
KiupEncryptKeyFinal2
KiupEncryptKeyInit
KiupEncryptKeyInit2
KBDecryptMessage
EZENC.dll
_TN_TCClientDecipher@8
_TN_TCConvertTransBuffer2UString@12
_TN_TCConvertUString2TransBuffer@16
_TN_TCDeleteMemoryUC@4
_TN_TCClientEncipher@8
_TN_TCSetUString@12
_TN_TCInitUString@4
_TN_TCClientDeleteSessionData@0
_TN_TCClientKeyShareFinal@4
_TN_TCClientKeyShareInit@12
tnATMCSTK.dll
SEED_Encrypt
SEED_KeySchedKey
KJEncClt.dll
CloseAllFlash
PlayFlash
Flash.dll
PKGG_X100_Status
PKGB_X100_Main
PKGF_Change_MOP
PKGG_MOP_TopControl
PKGG_MOP_KeyInput
PKGB_GS_SijeReg
PKGB_MOP_EJNL
PKGB_FB_Test
PKGA_Bank_Setting
PKGB_MOP_Setting
PKGG_UOP_Cancel
PKGG_UOP_ScrDisable
PKGA_FBSelect
PKGA_SubMenu
PKGG_UOP_KeyInput
PKGA_NumberIn
PKGA_Information
PKGG_FB_DB_Insert
PKGG_DVR2JPG
PKGA_Close
PKGA_Excute
SPkgDll.dll
CDU_LAN_LINE_INIT
BRU_LAN_LINE_INIT
CDU_Send
FkmTcpSend
CDU_Recv
FkmTcpRecv
FkmTcpRawRecv
FkmTcpGetVersion
FCduDrv.dll
FBruDrv.DLL
F3DXDCIC.dll
COMBI_to_KS
HAN_INPUT_KEY_BUFFER_COMBI_BufPrint
COMBI_Han_Input
COMBI_Key_to_HCODE
HAN_INPUT_KEY_BUFFER_Clear
HAN_INPUT_KEY_BUFFER_Create
hangul.dll
EMV_ProcessOnline
EMV_AnalysisTerminalAction
EMV_ManageTerminalRisk
EMV_VerifyCardHolder
EMV_RestrictProcessing
EMV_AuthOfflineData
EMV_ReadApplicationData
EMV_GetProcessingOptions
EMV_selectUserApplication
EMV_GetAppNameList
EMV_GetTransactionData
EMV_SelectApplication
EMV_Init
EMV_ST_Free
EMV2_V01.dll
MFC42D.DLL
lstrlenA
_lclose
_lread
OpenFile
EscapeCommFunction
SetCommState
GetCommState
SetCommTimeouts
PurgeComm
SetupComm
SetCommMask
ClearCommError
GetOverlappedResult
MapViewOfFile
OpenFileMappingA
CreateMutexA
WinExec
SetPriorityClass
SetSystemTime
FreeLibrary
GetProcAddress
LoadLibraryA
GetModuleHandleA
RemoveDirectoryA
GetDriveTypeA
TerminateProcess
GetExitCodeProcess
Process32Next
GetPriorityClass
OpenProcess
Process32First
CreateToolhelp32Snapshot
IsBadWritePtr
IsBadReadPtr
HeapValidate
GetFileType
MoveFileA
GetSystemTime
GetSystemTimeAsFileTime
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
DebugBreak
GetStdHandle
InterlockedDecrement
InterlockedIncrement
FatalAppExitA
RtlUnwind
HeapFree
VirtualFree
VirtualAlloc
GetEnvironmentVariableA
HeapDestroy
HeapCreate
SetStdHandle
SetHandleCount
SetEndOfFile
GetCurrentThreadId
TlsSetValue
TlsAlloc
TlsFree
SetLastError
TlsGetValue
GetCurrentThread
GetCPInfo
GetACP
GetOEMCP
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
MultiByteToWideChar
GetStringTypeA
GetStringTypeW
SetConsoleCtrlHandler
LCMapStringA
LCMapStringW
CompareStringA
CompareStringW
SetEnvironmentVariableA
IsValidLocale
IsValidCodePage
GetLocaleInfoA
EnumSystemLocalesA
GetUserDefaultLCID
GetLocaleInfoW
GetClientRect
wsprintfA
GetSystemMetrics
LoadImageA
GetWindowDC
MessageBoxA
GetActiveWindow
RealizePalette
SelectPalette
GetDeviceCaps
RestoreDC
GetTextMetricsA
CreateFontIndirectA
DPtoLP
SetWindowOrgEx
SetViewportOrgEx
ModifyWorldTransform
SetGraphicsMode
SaveDC
SetDIBitsToDevice
GetBitmapBits
PlgBlt
SetStretchBltMode
GetObjectA
GetTextAlign
PatBlt
SetTextCharacterExtra
StretchDIBits
RegCreateKeyExA
OLEAUT32.dll
GetFullPathNameA
\VAN_XATM\Debug\VAN_XATM.pdb
http://www.minz.co.kr/xe/addons/mobile/mobile.php
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
.text
`.rdata
@.data
.rsrc
@.reloc
YQPVh
URPQQh8T@
SVWUj
(null)
`h````
CorExitProcess
runtime error
Microsoft Visual C++ Runtime Library
<program name unknown>
Program:
UTF-8
UTF-16LE
UNICODE
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
CONOUT$
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
ws2_32.dll
closesocket
select
__WSAFDIsSet
WSAEnumNetworkEvents
WSAWaitForMultipleEvents
WSAEventSelect
WSACreateEvent
WSAStartup
htons
inet_addr
socket
connect
%s\cmd.exe /c echo | %s > %s
Advapi32.dll
GetUserNameA
%s*****%s
WSACleanup
211.238.32.129
GetTempPathA
GetComputerNameA
WaitForSingleObject
TerminateThread
Sleep
GetSystemDirectoryA
ExitThread
GetProcAddress
GetTempFileNameA
LoadLibraryA
WinExec
DeleteFileA
CreateThread
GetLastError
HeapFree
HeapAlloc
GetCommandLineA
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapCreate
VirtualFree
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
HeapReAlloc
GetModuleHandleW
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
RtlUnwind
MultiByteToWideChar
ReadFile
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
CloseHandle
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
SetFilePointer
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
InitializeCriticalSectionAndSpinCount
CreateFileA
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
FlushFileBuffers
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
SetEndOfFile
GetProcessHeap
KERNEL32.dll
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
E(null)
mscoree.dll
runtime error
@Microsoft Visual C++ Runtime Library
<program name unknown>
Program:
KERNEL32.DLL
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
WUSER32.DLL
CONOUT$
](null)
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
nKERNEL32.DLL
mscoree.dll
runtime error
@Microsoft Visual C++ Runtime Library
<program name unknown>
Program:
WUSER32.DLL
@CONOUT$
(null)
A(null)
mscoree.dll
KERNEL32.DLL
&File
iE&xit
&Help
h&About ...
Van_XATM
VAN_XATM
This file is not on VirusTotal.

Process Tree


VAN_XATM_2.exe, PID: 332, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\VAN_XATM_2.exe
Command Line: "C:\Users\user\AppData\Local\Temp\VAN_XATM_2.exe"
java.exe, PID: 1996, Parent PID: 332
Full Path: C:\Windows\Temp\java.exe
Command Line: c:\windows\temp\java.exe
javaupdate.exe, PID: 2684, Parent PID: 332
Full Path: C:\Windows\Temp\javaupdate.exe
Command Line: c:\windows\temp\javaupdate.exe C:\Users\user\AppData\Local\Temp\VAN_XATM_2.exe

Hosts

Direct IP Country Name
Y 211.238.32.129 [VT] Korea, Republic of

TCP

Source Source Port Destination Destination Port
192.168.35.21 49169 211.238.32.129 443

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name javaupdate.exe
Associated Filenames
C:\Windows\Temp\javaupdate.exe
File Size 1935872 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 a8641ac59a34d56a4fe3e0501f96506d
SHA1 e9fb1c2dc54bcfcac0351a16370e1586889243a2
SHA256 92f1c8f8982c3b08b4e909351874e371f6fd163b99a3981487665e6532f9ef41
CRC32 08CE5038
Ssdeep 24576:U1iTtBsHeCOKM3x5w90rvRd5GDRY1gJtoeuvpoVRtNJV5N6zySL4:U8XuMhG+lD4Rqeu2tV5N6l4
ClamAV None
Yara
  • shellcode_stack_strings - Match x86 that appears to be stack string creation.
CAPE Yara None matched
File name java.exe
Associated Filenames
C:\Windows\Temp\java.exe
File Size 67584 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 45ee81f48959fc50320ae3a950d13a08
SHA1 7ac70cd985407ac2b65af7292c3dc80ab88a1cb7
SHA256 99010bc0fa1ceae22dfc1b69b2b6e3a75895b1bc13d7d08241fb8b9695425950
CRC32 376C9AB6
Ssdeep 1536:YgV+oaSGyoyfxZr3fCn9iaDSBrfaMU6A5kY:b2QZZPXq6A5kY
ClamAV None
Yara None matched
CAPE Yara None matched
File name VAN_XATM_2.exe
Associated Filenames
C:\Users\user\AppData\Local\Temp\VAN_XATM_2.exe
File Size 1871958 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 04fe4ce5ff726c761a144ab632f54df8
SHA1 528141e85df2e4d92979b648fb1970ac9bf51a0d
SHA256 5577e139967078c9884dd982431ce066ae70402dd6f72749f26f8a875125d6af
CRC32 F58A4FCC
Ssdeep 24576:F1iTtBsHeCOKM3x5w90rvRd5GDRY1gJtoeuvpoVRtNJV5N6zySL4q:F8XuMhG+lD4Rqeu2tV5N6l4q
ClamAV None
Yara
  • shellcode_stack_strings - Match x86 that appears to be stack string creation.
CAPE Yara None matched
Sorry! No CAPE files.
Process Name VAN_XATM_2.exe
PID 332
Dump Size 2063872 bytes
Module Path C:\Users\user\AppData\Local\Temp\VAN_XATM_2.exe
Type PE image: 32-bit executable
MD5 ca87062fe816603bfd16325dcca7a321
SHA1 f89f7c3980bb1e2323038c350d460a31bdb42ab4
SHA256 9c01342627a1ab9d3ce89a367409e072f291bfab1944ef85a3d26df64fde02f1
CRC32 43B3EAAF
Ssdeep 24576:/1iTtBsHeCOKM3x5w90rvRd5GDRY1gJtoeuvpoVRtNJV5N6zySL44s:/8XuMhG+lD4Rqeu2tV5N6l44s
ClamAV None
Yara
  • shellcode_stack_strings - Match x86 that appears to be stack string creation.
CAPE Yara None matched
Dump Filename 9c01342627a1ab9d3ce89a367409e072f291bfab1944ef85a3d26df64fde02f1
Process Name javaupdate.exe
PID 2684
Dump Size 1934848 bytes
Module Path C:\Windows\Temp\javaupdate.exe
Type PE image: 32-bit executable
MD5 49e851ef14148479ee5392cba218af70
SHA1 1ed3bb56bfafb86b63e7e347f4d57f6182219b4b
SHA256 23ca8f56181f947919fd6c4292706bd749b6f58f44e7b8aeb50f0838c55b6344
CRC32 517FDCAA
Ssdeep 24576:71iTtBsHeCOKM3x5w90rvRd5GDRY1gJtoeuvpoVRtNJV5N6zySL4:78XuMhG+lD4Rqeu2tV5N6l4
ClamAV None
Yara
  • shellcode_stack_strings - Match x86 that appears to be stack string creation.
CAPE Yara None matched
Dump Filename 23ca8f56181f947919fd6c4292706bd749b6f58f44e7b8aeb50f0838c55b6344
Process Name java.exe
PID 1996
Dump Size 71168 bytes
Module Path C:\Windows\Temp\java.exe
Type PE image: 32-bit executable
MD5 24dd46e315639466fa1c841b3df5d82f
SHA1 c344e5a3f41ccadb51d35e6a014148df69c698df
SHA256 112b98319cefddd7a4d883928830e5128aa32a8137094d326575a5f633837d69
CRC32 AF2CE2BB
Ssdeep 768:/o5uYXIsm/Afzo/SYI03Tcb/PkbjLRQ4bXPaazW0Qlf6RMhkLf5ISrKse355:/o5uYvmGoqnb/PKjzVzulfKM6M5
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 112b98319cefddd7a4d883928830e5128aa32a8137094d326575a5f633837d69


Processing ( 15.599 seconds )

  • 7.0 CAPE
  • 4.026 Dropped
  • 1.811 ProcDump
  • 1.377 Static
  • 0.924 TargetInfo
  • 0.275 TrID
  • 0.119 Strings
  • 0.033 Deduplicate
  • 0.02 BehaviorAnalysis
  • 0.008 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.051 seconds )

  • 0.009 antiav_detectreg
  • 0.009 ransomware_files
  • 0.004 ransomware_extensions
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 modify_proxy
  • 0.001 disables_browser_warn
  • 0.001 masquerade_process_name

Reporting ( 0.0 seconds )

Task ID 108522
Mongo ID 5dc5e5e56d82384e386a21f4
Cuckoo release 1.3-CAPE