ldpinch info stealer

33062263798ce319e6b7bf71d79fa80b

Found at:

http://www.bingoguideonline.com/_private/get.php?file=exe

UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo

AntiVir 7.3.0.21 01.05.2007 TR/PSW.LdPinch.BU.1
Authentium 4.93.8 12.30.2006 could be infected with an unknown virus
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 01.06.2007 PSW.Ldpinch.DBV
BitDefender 7.2 01.06.2007 Trojan.PWS.LdPinch.BU
CAT-QuickHeal 9.00 01.06.2007 TrojanPSW.LdPinch.bhp
ClamAV devel-20060426 01.06.2007 no virus found
DrWeb 4.33 01.06.2007 Trojan.PWS.LDPinch.1389
eSafe 7.0.14.0 01.05.2007 Win32.LdPinch.bhp
eTrust-InoculateIT 23.73.107 01.06.2007 Win32/SillyDL.4qy!Trojan
eTrust-Vet 30.3.3307 01.06.2007 no virus found
Ewido 4.0 01.06.2007 Trojan.LdPinch.bhp
Fortinet 2.82.0.0 01.06.2007 W32/LdPinch.BHP!tr.pws
F-Prot 3.16f 01.05.2007 security risk named W32/Ldpinch.AOI
F-Prot4 4.2.1.29 01.05.2007 W32/Ldpinch.AOI
Ikarus T3.1.0.27 01.06.2007 Trojan-PSW.Win32.LdPinch.apk
Kaspersky 4.0.2.24 01.06.2007 Trojan-PSW.Win32.LdPinch.bhp
McAfee 4933 01.05.2007 no virus found
Microsoft 1.1904 01.06.2007 Win32/Ldpinch
NOD32v2 1960 01.06.2007 Win32/PSW.LdPinch.BHP
Norman 5.80.02 12.31.2007 no virus found
Panda 9.0.0.4 01.06.2007 Bck/Bifrose.AJN
Prevx1 V2 01.06.2007 no virus found
Sophos 4.13.0 01.05.2007 Mal/Behav-016
Sunbelt 2.2.907.0 01.05.2007 Infostealer.Ldpinch
TheHacker 6.0.3.143 01.05.2007 Trojan/PSW.LdPinch.bhp
UNA 1.83 01.06.2007 Trojan.PSW.Win32.LdPinch.6E1E
VBA32 3.11.1 01.06.2007 Trojan.PWS.LDPinch.1389
VirusBuster 4.3.19:9 01.06.2007 no virus found

13183067 > 61 POPAD
13183068 .- E9 7768FCFF JMP get.131498E4

Looks like the OEP.

Dumped it but had RVA problems for some reason with ImportREC; however, I still managed to get the IAT.

It does a WriteFile and creates c:\hrshsg, then calls DeleteFileA:
0012FFBC 13149926 /CALL to DeleteFileA from get.13149921
0012FFC0 1314E344 \FileName = "C:\\hrshsg"

C:\>copy hrshsg evil.exe
1 file(s) copied.

C:\>md5sum "get.php@file=exe"
33062263798ce319e6b7bf71d79fa80b *get.php@file=exe

C:\>md5sum BOO.txt
33062263798ce319e6b7bf71d79fa80b *BOO.txt

C:\>md5sum "get.php@file=exe"
33062263798ce319e6b7bf71d79fa80b *get.php@file=exe

01/06/2007 02:23 PM 35,328 evil.exe
01/06/2007 02:23 PM 35,328 get.php@file=exe
01/06/2007 02:23 PM 35,328 hrshsg

So basically it just makes a copy of itself. get.php@file=exe is the original exe I downloaded from the site with wget. All the md5sums match.

Then it creates some registry keys.

0012FF6C 77DD28E9 /CALL to RegCreateKeyExA from advapi32.77DD28E4
0012FF70 80000002 |hKey = HKEY_LOCAL_MACHINE
0012FF74 131519D1 |Subkey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run"
0012FF78 00000000 |Reserved = 0
0012FF7C 00000000 |Class = NULL
0012FF80 00000000 |Options = REG_OPTION_NON_VOLATILE
0012FF84 02000000 |Access = 2000000
0012FF88 00000000 |pSecurity = NULL
0012FF8C 0012FFA8 |pHandle = 0012FFA8
0012FF90 00000000 \pDisposition = NULL
0012FF94 /0012FFB4
0012FF98 |1314698F RETURN to get.1314698F from get.1314B9B0
0012FF9C |80000002
0012FFA0 |131519D1 ASCII "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run"
0012FFA4 |0012FFA8

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE
HKLM\SOFTWARE\Microsoft
HKLM\SOFTWARe
HKLM\SOFTWARE\Microsoft\Windows
HKLM\SOFTWARE\Microsoft
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
HKLM\SOFTWARE\Microsoft\Windows
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ExplorER
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

Some more WriteFile calls:

0012F46C 77E710EC /CALL to WriteFile from kernel32.77E710E7
0012F470 000000B0 |hFile = 000000B0
0012F474 00B30000 |Buffer = 00B30000
0012F478 00008A00 |nBytesToWrite = 8A00 (35328.)
0012F47C 0012F4BC |pBytesWritten = 0012F4BC
0012F480 00000000 \pOverlapped = NULL
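
The debugger stack annotations quoted above are regular enough to parse, which helps when triaging a longer trace. The following is an added example, not part of the original analysis: it extracts each API call with its arguments and flags the behaviours seen here (a Run-key creation, a file deletion, and a WriteFile whose length equals the 35,328-byte sample). The function names, finding labels and the shortened trace are this example's own.

```python
import re

# Constructed sample: a subset of the stack annotations shown on this page.
TRACE = r'''
0012FFBC 13149926 /CALL to DeleteFileA from get.13149921
0012FFC0 1314E344 \FileName = "C:\\hrshsg"
0012FF6C 77DD28E9 /CALL to RegCreateKeyExA from advapi32.77DD28E4
0012FF70 80000002 |hKey = HKEY_LOCAL_MACHINE
0012FF74 131519D1 |Subkey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run"
0012FF78 00000000 |Reserved = 0
0012FF90 00000000 \pDisposition = NULL
0012F46C 77E710EC /CALL to WriteFile from kernel32.77E710E7
0012F470 000000B0 |hFile = 000000B0
0012F478 00008A00 |nBytesToWrite = 8A00 (35328.)
0012F480 00000000 \pOverlapped = NULL
'''

CALL_RE = re.compile(r'^[0-9A-F]{8} [0-9A-F]{8} /CALL to (\w+) from (\S+)$')
ARG_RE = re.compile(r'^[0-9A-F]{8} [0-9A-F]{8} ([|\\])(\w+) = (.*)$')

def parse_calls(text):
    """Return [{'api', 'caller', 'args'}] parsed from stack annotation lines."""
    calls, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = CALL_RE.match(line)
        if m:
            current = {'api': m.group(1), 'caller': m.group(2), 'args': {}}
            calls.append(current)
            continue
        m = ARG_RE.match(line)
        if m and current is not None:
            # The page shows path backslashes doubled; collapse them.
            value = m.group(3).strip('"').replace('\\\\', '\\')
            current['args'][m.group(2)] = value
            if m.group(1) == '\\':  # a leading backslash marks the last argument
                current = None
    return calls

def findings(calls, sample_size):
    """Map parsed calls to (label, detail) pairs for the behaviours of interest."""
    out = []
    for c in calls:
        api, a = c['api'], c['args']
        if api.startswith('RegCreateKey') and a.get('Subkey', '').lower().endswith('\\run'):
            out.append(('autorun-key', a.get('hKey', '?') + '\\' + a['Subkey']))
        elif api == 'DeleteFileA':
            out.append(('file-deleted', a.get('FileName', '?')))
        elif api == 'WriteFile':
            # Value looks like "8A00 (35328.)": hex first, decimal in parentheses.
            n = int(a.get('nBytesToWrite', '0').split()[0], 16)
            if n == sample_size:
                out.append(('self-sized-write', str(n)))
    return out

if __name__ == '__main__':
    for label, detail in findings(parse_calls(TRACE), 35328):
        print(label, detail)
```
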

Then it looks like it messes with the event log:

C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\software.LOG

STRINGS

00000228 13140228 0 .newIID
0000E310 1314E310 0 Content
0000E318 1314E318 0 Content
0000E33A 1314E33A 0 C:\hrshsg
0000E344 1314E344 0 C:\hrshsg
00012210 13152210 0 Installed explorer hook (cookie): %d
00012238 13152238 0 Explorer window closed
00012250 13152250 0 image
00012258 13152258 0 button
00012260 13152260 0 reset
00012268 13152268 0 %s(select): %s [checked]
00012284 13152284 0 %s(textarea): %s
0001229C 1315229C 0 [unchecked]
000122AC 131522AC 0 [checked]
000122B8 131522B8 0 checkbox
000122C4 131522C4 0 radio
000122CC 131522CC 0 %s(%s): %s
000122D8 131522D8 0 Method: %s
000122E8 131522E8 0 Action: %s
000122F8 131522F8 0 New Form Intercepted
0001230D 1315230D 0 --------------------
00012324 13152324 0 URL: %s
00012330 13152330 0 Submit event fired
00012348 13152348 0 Released explorer hook (cookie): %d
00012370 13152370 0 Can't connect DShellWindowsEvents sink
0001239C 1315239C 0 Can't create IShellWindows instance
000123C4 131523C4 0 %s\explorer.exe
000123D4 131523D4 0 Uninstalled Success
000123EC 131523EC 0 Wait for thread finished
00012408 13152408 0 Uninstall...
00012418 13152418 0 Installed Success
0001242C 1315242C 0 Install Error
000127C4 131527C4 0 aPLib v0.43 - the smaller the better :)
000127EF 131527EF 0 Copyright (c) 1998-2005 by Joergen Ibsen, All Rights Reserved.
00012831 13152831 0 This copy of aPLib is free for non-commercial use.
00012867 13152867 0 More information: http://www.ibsensoftware.com/
00041009 13181009 0 SetThreadLocale
0004101A 1318101A 0 GetThreadLocale
0004102B 1318102B 0 RemoveDirectoryA
0004103D 1318103D 0 SetEvent
00041047 13181047 0 SystemTimeToFileTime
0004105D 1318105D 0 GetFileTime
0004106A 1318106A 0 TerminateThread
0004107B 1318107B 0 WaitForSingleObject
00041090 13181090 0 GetCurrentThreadId
000410A4 131810A4 0 CreateEventA
000410B2 131810B2 0 InterlockedDecrement
000410C8 131810C8 0 ReadFile
000410D2 131810D2 0 lstrlenW
000410DC 131810DC 0 Process32First
000410EC 131810EC 0 OpenProcess
000410F9 131810F9 0 OpenMutexA
00041105 13181105 0 MultiByteToWideChar
0004111A 1318111A 0 MoveFileA
00041125 13181125 0 MapViewOfFile
00041134 13181134 0 LocalFree
0004113F 1318113F 0 LocalAlloc
0004114B 1318114B 0 SetFileTime
00041158 13181158 0 InterlockedIncrement
0004116E 1318116E 0 SetFileAttributesA
00041182 13181182 0 LoadLibraryA
00041190 13181190 0 GlobalMemoryStatus
000411A4 131811A4 0 GlobalFree
000411B0 131811B0 0 lstrlenA
000411BA 131811BA 0 lstrcpynA
000411C5 131811C5 0 lstrcpyA
000411CF 131811CF 0 lstrcmpiA
000411DA 131811DA 0 lstrcmpA
000411E4 131811E4 0 lstrcatA
000411EE 131811EE 0 RtlMoveMemory
000411FD 131811FD 0 _lopen
00041205 13181205 0 WriteFile
00041210 13181210 0 WinExec
00041219 13181219 0 WideCharToMultiByte
0004122E 1318122E 0 UnmapViewOfFile
0004123F 1318123F 0 TerminateProcess
00041251 13181251 0 Sleep
00041258 13181258 0 SetProcessPriorityBoost
00041271 13181271 0 SetPriorityClass
00041283 13181283 0 SetFilePointer
00041293 13181293 0 SetErrorMode
000412A1 131812A1 0 Process32Next
000412B0 131812B0 0 GlobalAlloc
000412BD 131812BD 0 GetWindowsDirectoryA
000412D3 131812D3 0 GetVolumeInformationA
000412EA 131812EA 0 GetVersionExA
000412F9 131812F9 0 GetTickCount
00041307 13181307 0 GetTempPathA
00041315 13181315 0 GetSystemDirectoryA
0004132A 1318132A 0 GetShortPathNameA
0004133D 1318133D 0 GetProcAddress
0004134D 1318134D 0 GetPrivateProfileStringA
00041367 13181367 0 GetPrivateProfileSectionNamesA
00041387 13181387 0 GetPrivateProfileIntA
0004139E 1318139E 0 GetModuleFileNameA
000413B2 131813B2 0 GetLogicalDrives
000413C4 131813C4 0 GetLocaleInfoA
000413D4 131813D4 0 GetLocalTime
000413E2 131813E2 0 GetLastError
000413F0 131813F0 0 GetFileSize
000413FD 131813FD 0 GetFileAttributesA
00041411 13181411 0 GetEnvironmentVariableA
0004142A 1318142A 0 GetDriveTypeA
00041439 13181439 0 GetDiskFreeSpaceA
0004144C 1318144C 0 GetCurrentProcessId
00041461 13181461 0 GetCurrentProcess
00041474 13181474 0 GetCurrentDirectoryA
0004148A 1318148A 0 GetComputerNameA
0004149C 1318149C 0 FindNextFileA
000414AB 131814AB 0 FindFirstFileA
000414BB 131814BB 0 FindClose
000414C6 131814C6 0 FileTimeToSystemTime
000414DC 131814DC 0 FileTimeToLocalFileTime
000414F5 131814F5 0 ExpandEnvironmentStringsA
00041510 13181510 0 ExitProcess
0004151D 1318151D 0 DeleteFileA
0004152A 1318152A 0 CreateToolhelp32Snapshot
00041544 13181544 0 CreateThread
00041552 13181552 0 CreateMutexA
00041560 13181560 0 CreateFileMappingA
00041574 13181574 0 CreateFileA
00041581 13181581 0 CreateDirectoryA
00041593 13181593 0 CopyFileA
0004159E 1318159E 0 CompareStringA
000415AE 131815AE 0 CloseHandle
000415BB 131815BB 0 ExitThread
000415D0 131815D0 0 OpenProcessToken
000415E2 131815E2 0 RegSetValueExA
000415F2 131815F2 0 RegQueryValueExA
00041604 13181604 0 RegOpenKeyExA
00041613 13181613 0 RegOpenKeyA
00041620 13181620 0 RegEnumValueA
0004162F 1318162F 0 RegEnumKeyExA
0004163E 1318163E 0 RegDeleteKeyA
0004164D 1318164D 0 RegCreateKeyA
0004165C 1318165C 0 RegCloseKey
00041669 13181669 0 OpenServiceA
00041677 13181677 0 OpenSCManagerA
00041687 13181687 0 LookupPrivilegeValueA
0004169E 1318169E 0 GetUserNameA
000416AC 131816AC 0 ControlService
000416BC 131816BC 0 CloseServiceHandle
000416D0 131816D0 0 ChangeServiceConfigA
000416E6 131816E6 0 AdjustTokenPrivileges
00041706 13181706 0 CryptUnprotectData
00041723 13181723 0 GetDeviceCaps
0004173B 1318173B 0 __CxxFrameHandler
0004174E 1318174E 0 ??2@YAPAXI@Z
0004175C 1318175C 0 ??3@YAXPAX@Z
0004176A 1318176A 0 fopen
00041771 13181771 0 fprintf
0004177A 1318177A 0 fflush
00041782 13181782 0 ftell
00041789 13181789 0 fclose
000417A0 131817A0 0 _vsnprintf
000417AC 131817AC 0 _chkstk
000417B5 131817B5 0 wcslen
000417BD 131817BD 0 RtlUnwind
000417C8 131817C8 0 _strcmpi
000417DB 131817DB 0 OleUninitialize
000417EC 131817EC 0 OleInitialize
000417FB 131817FB 0 CreateStreamOnHGlobal
00041812 13181812 0 CoUninitialize
00041822 13181822 0 CoInitialize
00041830 13181830 0 CoCreateInstance
0004184B 1318184B 0 VariantCopy
00041858 13181858 0 SysFreeString
00041867 13181867 0 VariantClear
00041875 13181875 0 VariantInit
0004188B 1318188B 0 GetModuleFileNameExA
000418A1 131818A1 0 EnumProcesses
000418B0 131818B0 0 EnumProcessModules
000418CD 131818CD 0 RasEnumEntriesA
000418DE 131818DE 0 RasGetEntryDialParamsA
000418F6 131818F6 0 RasGetEntryPropertiesA
00041917 13181917 0 SHGetFolderPathA
00041929 13181929 0 ShellExecuteA
00041938 13181938 0 ShellExecuteExA
00041952 13181952 0 StrCmpNA
0004195C 1318195C 0 StrRChrA
00041966 13181966 0 StrStrIA
00041970 13181970 0 PathFileExistsA
00041981 13181981 0 StrChrA
00041993 13181993 0 wsprintfA
0004199E 1318199E 0 GetDC
000419A5 131819A5 0 OpenWindowStationA
000419B9 131819B9 0 PostThreadMessageA
000419CD 131819CD 0 GetMessageA
000419DA 131819DA 0 DispatchMessageA
000419EC 131819EC 0 TranslateMessage
000419FE 131819FE 0 SetProcessWindowStation
00041A17 13181A17 0 SetActiveWindow
00041A28 13181A28 0 ReleaseDC
00041A3C 13181A3C 0 InternetGetConnectedState
00041A60 13181A60 0 WSAIoctl
00041BA5 13181BA5 0 .text
00041BCD 13181BCD 0 .rdata
00041BF4 13181BF4 0 @.data
000441DC 131841DC 0 KERNEL32.DLL
000441E9 131841E9 0 advapi32.dll
000441F6 131841F6 0 crypt32.dll
00044202 13184202 0 gdi32.dll
0004420C 1318420C 0 MSVCRT.dll
00044217 13184217 0 ntdll.dll
00044221 13184221 0 ole32.dll
0004422B 1318422B 0 oleaut32.dll
00044238 13184238 0 psapi.dll
00044242 13184242 0 rasapi32.dll
0004424F 1318424F 0 SHELL32.dll
0004425B 1318425B 0 shlwapi.dll
00044267 13184267 0 user32.dll
00044272 13184272 0 wininet.dll
0004427E 1318427E 0 ws2_32.dll
00044289 13184289 0 WSOCK32.dll
00044296 13184296 0 LoadLibraryA
000442A4 131842A4 0 GetProcAddress
000442B4 131842B4 0 ExitProcess
000442C2 131842C2 0 RegOpenKeyA
000442D0 131842D0 0 CryptUnprotectData
000442E4 131842E4 0 GetDeviceCaps
000442FA 131842FA 0 wcslen
00044302 13184302 0 CoInitialize
00044310 13184310 0 VariantCopy
0004431E 1318431E 0 EnumProcesses
0004432E 1318432E 0 RasEnumEntriesA
00044340 13184340 0 ShellExecuteA
00044350 13184350 0 StrChrA
0004435A 1318435A 0 GetDC
00044362 13184362 0 InternetGetConnectedState
0004437E 1318437E 0 WSAIoctl
00045168 13185168 0 msvcrt.dll
00045175 13185175 0 __CxxFrameHandler
00045189 13185189 0 ??2@YAPAXI@Z
00045198 13185198 0 ??3@YAXPAX@Z
000451A7 131851A7 0 fopen
000451AF 131851AF 0 fprintf
000451B9 131851B9 0 fflush
000451C2 131851C2 0 ftell
000451CA 131851CA 0 fclose
000451D8 131851D8 0 SHELL32.dll
000451E6 131851E6 0 SHGetFolderPathA
000451F9 131851F9 0 ShellExecuteA
00045209 13185209 0 ShellExecuteEx
00045218 13185218 0 WS2_32.dll
00045225 13185225 0 gethostbyname
00045235 13185235 0 connect
0004523F 1318523F 0 closesocket
00045254 13185254 0 accept
0004525D 1318525D 0 __WSAFDIsSet
0004526C 1318526C 0 WSAStartup
00045279 13185279 0 gethostname
00045287 13185287 0 WSACleanup
00045294 13185294 0 shutdown
0004529F 1318529F 0 socket
000452A8 131852A8 0 htons
000452B0 131852B0 0 listen
000452B9 131852B9 0 getsockname
000452C5 131852C5 0 WSOCK32.dll
000452D8 131852D8 0 WS2_32.dll
000452E5 131852E5 0 select
000452F5 131852F5 0 htonl
000452FB 131852FB 0 advapi32.dll
0004530A 1318530A 0 OpenProcessToken
0004531D 1318531D 0 RegSetValueExA
0004532E 1318532E 0 RegQueryValueExA
00045341 13185341 0 RegOpenKeyExA
00045351 13185351 0 RegOpenKeyA
0004535F 1318535F 0 RegEnumValueA
0004536F 1318536F 0 RegEnumKeyExA
0004537F 1318537F 0 RegDeleteKeyA
0004538F 1318538F 0 RegCreateKeyA
0004539F 1318539F 0 RegCloseKey
000453AD 131853AD 0 OpenServiceA
000453BC 131853BC 0 OpenSCManagerA
000453CD 131853CD 0 LookupPrivilegeValueA
000453E5 131853E5 0 GetUserNameA
000453F4 131853F4 0 ControlService
00045405 13185405 0 CloseServiceHandle
0004541A 1318541A 0 ChangeServiceConfigA
00045431 13185431 0 AdjustTokenPrivileges
00045447 13185447 0 crypt32.dll
00045455 13185455 0 CryptUnprotectData
00045468 13185468 0 GDI32.dll
00045474 13185474 0 GetDeviceCaps
00045482 13185482 0 kernel32.dll
00045491 13185491 0 SetThreadLocale
000454A3 131854A3 0 GetThreadLocale
000454B5 131854B5 0 RemoveDirectoryA
000454C8 131854C8 0 SetEvent
000454D3 131854D3 0 SystemTimeToFileTime
000454EA 131854EA 0 GetFileTime
000454F8 131854F8 0 TerminateThread
0004550A 1318550A 0 WaitForSingleObject
00045520 13185520 0 GetCurrentThreadId
00045535 13185535 0 CreateEventA
00045544 13185544 0 InterlockedDecrement
0004555B 1318555B 0 ReadFile
00045566 13185566 0 lstrlenW
00045571 13185571 0 Process32First
00045582 13185582 0 OpenProcess
00045590 13185590 0 OpenMutexA
0004559D 1318559D 0 MultiByteToWideChar
000455B3 131855B3 0 MoveFileA
000455BF 131855BF 0 MapViewOfFile
000455CF 131855CF 0 LocalFree
000455DB 131855DB 0 LocalAlloc
000455E8 131855E8 0 SetFileTime
000455F6 131855F6 0 InterlockedIncrement
0004560D 1318560D 0 SetFileAttributesA
00045622 13185622 0 LoadLibraryA
00045631 13185631 0 GlobalMemoryStatus
00045646 13185646 0 GlobalFree
00045653 13185653 0 lstrlen
0004565D 1318565D 0 lstrcpyn
00045668 13185668 0 lstrcpy
00045672 13185672 0 lstrcmpi
0004567D 1318567D 0 lstrcmp
00045687 13185687 0 lstrcat
00045691 13185691 0 RtlMoveMemory
000456A1 131856A1 0 _lopen
000456AA 131856AA 0 WriteFile
000456B6 131856B6 0 WinExec
000456C0 131856C0 0 WideCharToMultiByte
000456D6 131856D6 0 UnmapViewOfFile
000456E8 131856E8 0 TerminateProcess
000456FB 131856FB 0 Sleep
00045703 13185703 0 SetProcessPriorityBoost
0004571D 1318571D 0 SetPriorityClass
00045730 13185730 0 SetFilePointer
00045741 13185741 0 SetErrorMode
00045750 13185750 0 Process32Next
00045760 13185760 0 GlobalAlloc
0004576E 1318576E 0 GetWindowsDirectoryA
00045785 13185785 0 GetVolumeInformationA
0004579D 1318579D 0 GetVersionExA
000457AD 131857AD 0 GetTickCount
000457BC 131857BC 0 GetTempPathA
000457CB 131857CB 0 GetSystemDirectoryA
000457E1 131857E1 0 GetShortPathNameA
000457F5 131857F5 0 GetProcAddress
00045806 13185806 0 GetPrivateProfileStringA
00045821 13185821 0 GetPrivateProfileSectionNamesA
00045842 13185842 0 GetPrivateProfileIntA
0004585A 1318585A 0 GetModuleFileNameA
0004586F 1318586F 0 GetLogicalDrives
00045882 13185882 0 GetLocaleInfoA
00045893 13185893 0 GetLocalTime
000458A2 131858A2 0 GetLastError
000458B1 131858B1 0 GetFileSize
000458BF 131858BF 0 GetFileAttributesA
000458D4 131858D4 0 GetEnvironmentVariableA
000458EE 131858EE 0 GetDriveTypeA
000458FE 131858FE 0 GetDiskFreeSpaceA
00045912 13185912 0 GetCurrentProcessId
00045928 13185928 0 GetCurrentProcess
0004593C 1318593C 0 GetCurrentDirectoryA
00045953 13185953 0 GetComputerNameA
00045966 13185966 0 FindNextFileA
00045976 13185976 0 FindFirstFileA
00045987 13185987 0 FindClose
00045993 13185993 0 FileTimeToSystemTime
000459AA 131859AA 0 FileTimeToLocalFileTime
000459C4 131859C4 0 ExpandEnvironmentStringsA
000459E0 131859E0 0 ExitProcess
000459EE 131859EE 0 DeleteFileA
000459FC 131859FC 0 CreateToolhelp32Snapshot
00045A17 13185A17 0 CreateThread
00045A26 13185A26 0 CreateMutexA
00045A35 13185A35 0 CreateFileMappingA
00045A4A 13185A4A 0 CreateFileA
00045A58 13185A58 0 CreateDirectoryA
00045A6B 13185A6B 0 CopyFileA
00045A77 13185A77 0 CompareStringA
00045A88 13185A88 0 CloseHandle
00045A96 13185A96 0 ExitThread
00045AA1 13185AA1 0 kernel32.dll
00045AB0 13185AB0 0 _vsnprintf
00045ABD 13185ABD 0 _alloca_probe
00045ACD 13185ACD 0 wcslen
00045AD6 13185AD6 0 RtlUnwind
00045AE2 13185AE2 0 _strcmpi
00045AEB 13185AEB 0 ole32.dll
00045AF7 13185AF7 0 OleUninitialize
00045B09 13185B09 0 OleInitialize
00045B19 13185B19 0 CreateStreamOnHGlobal
00045B31 13185B31 0 CoUninitialize
00045B42 13185B42 0 CoInitialize
00045B51 13185B51 0 CoCreateInstance
00045B62 13185B62 0 oleaut32.dll
00045B71 13185B71 0 VariantCopy
00045B7F 13185B7F 0 SysFreeString
00045B8F 13185B8F 0 VariantClear
00045B9E 13185B9E 0 VariantInit
00045BAA 13185BAA 0 rasapi32.dll
00045BB9 13185BB9 0 RasEnumEntriesA
00045BCB 13185BCB 0 RasGetEntryDialParamsA
00045BE4 13185BE4 0 RasGetEntryPropertiesA
00045BFB 13185BFB 0 SHLWAPI.dll
00045C09 13185C09 0 StrCmpNA
00045C14 13185C14 0 StrRChrA
00045C1F 13185C1F 0 StrStrIA
00045C2A 13185C2A 0 PathFileExistsA
00045C3C 13185C3C 0 StrChrA
00045C44 13185C44 0 USER32.dll
00045C51 13185C51 0 wsprintfA
00045C5D 13185C5D 0 GetDC
00045C65 13185C65 0 OpenWindowStationA
00045C7A 13185C7A 0 PostThreadMessageA
00045C8F 13185C8F 0 GetMessageA
00045C9D 13185C9D 0 DispatchMessageA
00045CB0 13185CB0 0 TranslateMessage
00045CC3 13185CC3 0 SetProcessWindowStation
00045CDD 13185CDD 0 SetActiveWindow
00045CEF 13185CEF 0 ReleaseDC
00045CF9 13185CF9 0 wininet.dll
00045D07 13185D07 0 InternetGetConnectedState
00045D21 13185D21 0 WS2_32.dll
00045D2E 13185D2E 0 WSAIoctl