Hostile Data — The Trojan.Agent-59561
The header as received
This started at IP address 221.11.4.20, assigned to CNC Group CHINA169 Shanxi Province Network. That host forged a relay step through smtp.secureserver.net, but it really sent it directly to mail.nanohub.org. Remember, read the "Received" fields bottom to top for the relay sequence.
Note the X-Mailer line — so much malware is spread by something identifying itself as "The Bat! Personal".
From mailman-bounces@nanohub.org Tue Nov 4 07:26:42 2008 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on fairway.ecn.purdue.edu X-Spam-Level: * X-Spam-Status: No, score=1.8 required=5.0 tests=BAYES_50,SPF_SOFTFAIL autolearn=no version=3.2.5 X-Envelope-From: mailman-bounces@nanohub.org Received: from mx05.ecn.purdue.edu (mx05.ecn.purdue.edu [128.46.136.91]) by fairway.ecn.purdue.edu (8.14.2/8.14.2) with ESMTP id mA4CQf7C007144 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <target@fairway.ecn.purdue.edu>; Tue, 4 Nov 2008 07:26:41 -0500 (EST) Received: from mail.nanohub.org (mail.nanohub.org [128.46.18.132]) by mx05.ecn.purdue.edu (8.14.3/8.14.3) with ESMTP id mA4CMTDW008631; Tue, 4 Nov 2008 07:22:49 -0500 Received: by mail.nanohub.org (Postfix, from userid 65534) id 936DC58100; Tue, 4 Nov 2008 07:22:29 -0500 (EST) Received: from ldap.nanohub.org (localhost [127.0.0.1]) by mail.nanohub.org (Postfix) with ESMTP id 39EA9580F1; Tue, 4 Nov 2008 07:22:29 -0500 (EST) X-Original-To: nano501-owner@nanohub.org Delivered-To: nano501-owner@nanohub.org Received: by mail.nanohub.org (Postfix, from userid 65534) id 797A9580F1; Tue, 4 Nov 2008 07:22:27 -0500 (EST) Received: from [221.11.4.20] (unknown [221.11.4.20]) by mail.nanohub.org (Postfix) with ESMTP id EEDB0580E4; Tue, 4 Nov 2008 07:22:22 -0500 (EST) Received: from [221.11.4.20] by smtp.secureserver.net; Tue, 4 Nov 2008 20:22:21 +0800 Date: Tue, 4 Nov 2008 20:22:21 +0800 From: "Emma Leslie" <jon@blondechick.com> X-Mailer: The Bat! (v2.00.7) Personal Reply-To: jon@blondechick.com X-Priority: 3 (Normal) Message-ID: <398849053.24608524057824@blondechick.com> To: nano501-owner@nanohub.org Subject: Recovery KEYS for your account MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----------A14D3C098FB256" Sender: mailman-bounces@nanohub.org Errors-To: mailman-bounces@nanohub.org X-ECN-MailServer-VirusScanned: by amavisd-new X-ECN-MailServer-Origination: mail.nanohub.org [128.46.18.132] X-ECN-MailServer-SpamScanAdvice: DoScan Status: R Content-Length: 34943
The clumsy message content
The message opens with a clumsy automated greeting, "Nano" is really the name of a project, not a person. Other reports have seen "Dear Valued Customer," (comma included) instead of "Dear".
It then says something vague about keys to "recover a personal account", whatever that might mean. It finishes with typically broken English about "preserve them in a sure place".
The closing seems to vary.
This one says:
Glad to help you any time, Emma Leslie
Other reports
include:
Till next time, Ferdinand Meeks
------------A14D3C098FB256 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 7bit Good evening, Nano There are the keys to recover your personal account. In order to use them later, please, preserve them in a sure place. Glad to help you any time, Emma Leslie ------------A14D3C098FB256 Content-Type: application/zip; name="the_Keys.zip" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="the_Keys.zip"
The attachment
This was followed by an attached zip file
named
the_Keys.zip,
which contained a file that might appear to be named
The_Keys.doc.
That is, if you weren't careful to notice that "doc"
was followed by 88 space characters and then ".exe".
$ % unzip the_Keys.zip Archive: the_Keys.zip inflating: The_Keys.doc .exe $ ls -l total 132 -rw-r--r-- 1 cromwell cromwell 37038 2008-11-12 00:56 original-message -rw-r--r-- 1 cromwell cromwell 43008 2008-11-04 14:28 The_Keys.doc .exe -rw-r--r-- 1 cromwell cromwell 25506 2008-11-12 00:57 the_Keys.zip
The executable contents
GNU utilities such as file, strings,
and hexdump are useful for
getting some limited idea about
what this malicious code might do.
The file utility reports that this executable
is:
PE32 executable for MS Windows (GUI) Intel 80386 32-bit
The following is partial output for running
hexdump -C The_Keys.doc*
under Linux or BSD.
The interesting stuff appears, among many other places,
around addresses
0x00001b50 through 0x00001caf and
0x00001e40 through 0x00001fcf,
where many shared library calls appear.
These include several which examine and manipulate registry
settings.
For example,
RegQueryValue(), RegDeleteKey(), RegLoadKey(), etc.
00000000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 |MZ..............|
00000010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 |........@.......|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 |................|
00000040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
00000050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
00000060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
00000070 6d 6f 64 65 2e 0d 0d 0a 00 00 00 00 00 00 00 00 |mode............|
00000080 c8 1f 59 f8 be 27 70 00 66 12 52 81 30 58 8e ee |..Y..'p.f.R.0X..|
00000090 4e a2 91 e2 17 e8 46 0f 0b ac 1d e9 b7 bc cd 45 |N.....F........E|
000000a0 21 42 94 29 5a 19 ce 83 77 a3 1a 90 16 a5 77 23 |!B.)Z...w.....w#|
000000b0 09 ce 08 08 f3 03 5d 4e ea 96 81 20 55 ec 2c 74 |......]N... U.,t|
000000c0 52 69 63 68 6e e6 f9 69 00 00 00 00 00 00 00 00 |Richn..i........|
000000d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000e0 50 45 00 00 4c 01 04 00 6c 1f 1f 48 00 00 00 00 |PE..L...l..H....|
000000f0 00 00 00 00 e0 00 0f 01 0b 01 07 0c 00 0e 00 00 |................|
[....]
00001830 6b 33 00 00 7b 33 00 00 85 33 00 00 91 33 00 00 |k3..{3...3...3..|
00001840 a5 33 00 00 b1 33 00 00 c2 33 00 00 d2 33 00 00 |.3...3...3...3..|
00001850 df 33 00 00 ed 33 00 00 fc 33 00 00 17 34 00 00 |.3...3...3...4..|
00001860 2a 34 00 00 00 00 00 00 db a9 49 6d 61 67 65 4c |*4........ImageL|
00001870 69 73 74 5f 4c 6f 61 64 49 6d 61 67 65 57 00 00 |ist_LoadImageW..|
00001880 b0 46 49 6d 61 67 65 4c 69 73 74 5f 47 65 74 44 |.FImageList_GetD|
00001890 72 61 67 49 6d 61 67 65 00 00 30 3c 49 6d 61 67 |ragImage..0<Imag|
000018a0 65 4c 69 73 74 5f 44 65 73 74 72 6f 79 00 00 79 |eList_Destroy..y|
000018b0 25 49 6e 69 74 43 6f 6d 6d 6f 6e 43 6f 6e 74 72 |%InitCommonContr|
000018c0 6f 6c 73 00 00 21 b8 49 6d 61 67 65 4c 69 73 74 |ols..!.ImageList|
000018d0 5f 44 72 61 67 4d 6f 76 65 00 00 36 17 49 6d 61 |_DragMove..6.Ima|
000018e0 67 65 4c 69 73 74 5f 41 64 64 4d 61 73 6b 65 64 |geList_AddMasked|
000018f0 00 00 5d da 49 6d 61 67 65 4c 69 73 74 5f 47 65 |..].ImageList_Ge|
00001900 74 49 63 6f 6e 00 00 e6 4a 49 6d 61 67 65 4c 69 |tIcon...JImageLi|
00001910 73 74 5f 41 64 64 49 63 6f 6e 00 00 c3 63 49 6d |st_AddIcon...cIm|
00001920 61 67 65 4c 69 73 74 5f 4d 65 72 67 65 00 00 8b |ageList_Merge...|
00001930 6a 49 6d 61 67 65 4c 69 73 74 5f 45 6e 64 44 72 |jImageList_EndDr|
00001940 61 67 00 00 9c ba 49 6d 61 67 65 4c 69 73 74 5f |ag....ImageList_|
00001950 52 65 70 6c 61 63 65 00 00 c6 d2 49 6d 61 67 65 |Replace....Image|
00001960 4c 69 73 74 5f 4c 6f 61 64 49 6d 61 67 65 00 00 |List_LoadImage..|
00001970 1b 58 49 6d 61 67 65 4c 69 73 74 5f 52 65 61 64 |.XImageList_Read|
00001980 00 00 de 6b 49 6d 61 67 65 4c 69 73 74 5f 43 72 |...kImageList_Cr|
00001990 65 61 74 65 00 00 00 91 49 6d 61 67 65 4c 69 73 |eate....ImageLis|
000019a0 74 5f 44 72 61 67 53 68 6f 77 4e 6f 6c 6f 63 6b |t_DragShowNolock|
000019b0 00 00 6a 4e 49 6d 61 67 65 4c 69 73 74 5f 4c 6f |..jNImageList_Lo|
000019c0 61 64 49 6d 61 67 65 41 00 00 76 6c 49 6d 61 67 |adImageA..vlImag|
000019d0 65 4c 69 73 74 5f 47 65 74 49 6d 61 67 65 43 6f |eList_GetImageCo|
000019e0 75 6e 74 00 00 20 13 49 6d 61 67 65 4c 69 73 74 |unt.. .ImageList|
000019f0 5f 47 65 74 49 63 6f 6e 53 69 7a 65 00 00 78 c6 |_GetIconSize..x.|
00001a00 49 6d 61 67 65 4c 69 73 74 5f 44 72 61 77 45 78 |ImageList_DrawEx|
00001a10 00 00 69 60 49 6d 61 67 65 4c 69 73 74 5f 52 65 |..i`ImageList_Re|
00001a20 70 6c 61 63 65 49 63 6f 6e 00 00 71 7b 49 6d 61 |placeIcon..q{Ima|
00001a30 67 65 4c 69 73 74 5f 44 72 61 77 49 6e 64 69 72 |geList_DrawIndir|
00001a40 65 63 74 00 00 d5 c9 49 6d 61 67 65 4c 69 73 74 |ect....ImageList|
00001a50 5f 47 65 74 49 6d 61 67 65 52 65 63 74 00 00 63 |_GetImageRect..c|
00001a60 6f 6d 63 74 6c 33 32 2e 64 6c 6c 00 00 c8 e0 49 |omctl32.dll....I|
00001a70 73 4d 65 6e 75 00 00 87 b4 47 65 74 44 6c 67 49 |sMenu....GetDlgI|
00001a80 74 65 6d 00 00 96 ea 43 6f 70 79 49 6d 61 67 65 |tem....CopyImage|
00001a90 00 00 20 81 43 72 65 61 74 65 49 63 6f 6e 00 00 |.. .CreateIcon..|
00001aa0 c6 20 41 70 70 65 6e 64 4d 65 6e 75 41 00 00 e5 |. AppendMenuA...|
00001ab0 06 44 69 61 6c 6f 67 42 6f 78 50 61 72 61 6d 57 |.DialogBoxParamW|
00001ac0 00 00 39 7e 44 69 61 6c 6f 67 42 6f 78 50 61 72 |..9~DialogBoxPar|
00001ad0 61 6d 41 00 00 0a 45 4c 6f 61 64 43 75 72 73 6f |amA...ELoadCurso|
00001ae0 72 41 00 00 d6 92 45 6e 64 44 69 61 6c 6f 67 00 |rA....EndDialog.|
00001af0 00 6a 66 47 65 74 4d 65 6e 75 00 00 8e 55 47 65 |.jfGetMenu...UGe|
00001b00 74 46 6f 63 75 73 00 00 14 99 47 65 74 57 69 6e |tFocus....GetWin|
00001b10 64 6f 77 54 65 78 74 41 00 00 a9 0d 47 65 74 43 |dowTextA....GetC|
00001b20 75 72 73 6f 72 00 00 72 1e 43 6f 70 79 49 63 6f |ursor..r.CopyIco|
00001b30 6e 00 00 0d 2b 44 72 61 77 49 63 6f 6e 45 78 00 |n...+DrawIconEx.|
00001b40 00 fe 29 49 73 57 69 6e 64 6f 77 00 00 32 db 41 |..)IsWindow..2.A|
00001b50 70 70 65 6e 64 4d 65 6e 75 57 00 00 75 73 65 72 |ppendMenuW..user|
00001b60 33 32 2e 64 6c 6c 00 00 b6 f3 52 65 67 44 65 6c |32.dll....RegDel|
00001b70 65 74 65 56 61 6c 75 65 41 00 00 07 35 52 65 67 |eteValueA...5Reg|
00001b80 4c 6f 61 64 4b 65 79 41 00 00 d7 a0 52 65 67 44 |LoadKeyA....RegD|
00001b90 65 6c 65 74 65 4b 65 79 41 00 00 ec 07 52 65 67 |eleteKeyA....Reg|
00001ba0 45 6e 75 6d 56 61 6c 75 65 41 00 00 7d a0 52 65 |EnumValueA..}.Re|
00001bb0 67 43 72 65 61 74 65 4b 65 79 57 00 00 8a 42 52 |gCreateKeyW...BR|
00001bc0 65 67 45 6e 75 6d 4b 65 79 45 78 57 00 00 46 a3 |egEnumKeyExW..F.|
00001bd0 52 65 67 51 75 65 72 79 56 61 6c 75 65 45 78 41 |RegQueryValueExA|
00001be0 00 00 48 94 52 65 67 51 75 65 72 79 56 61 6c 75 |..H.RegQueryValu|
00001bf0 65 45 78 57 00 00 03 bc 52 65 67 43 72 65 61 74 |eExW....RegCreat|
00001c00 65 4b 65 79 45 78 41 00 00 72 f0 52 65 67 52 65 |eKeyExA..r.RegRe|
00001c10 70 6c 61 63 65 4b 65 79 41 00 00 18 4d 52 65 67 |placeKeyA...MReg|
00001c20 4f 70 65 6e 4b 65 79 45 78 57 00 00 79 04 52 65 |OpenKeyExW..y.Re|
00001c30 67 4f 70 65 6e 4b 65 79 45 78 41 00 00 27 79 52 |gOpenKeyExA..'yR|
00001c40 65 67 51 75 65 72 79 49 6e 66 6f 4b 65 79 41 00 |egQueryInfoKeyA.|
00001c50 00 d3 12 52 65 67 51 75 65 72 79 56 61 6c 75 65 |...RegQueryValue|
00001c60 57 00 00 0b af 52 65 67 46 6c 75 73 68 4b 65 79 |W....RegFlushKey|
00001c70 00 00 65 0a 52 65 67 51 75 65 72 79 49 6e 66 6f |..e.RegQueryInfo|
00001c80 4b 65 79 57 00 00 59 e8 52 65 67 44 65 6c 65 74 |KeyW..Y.RegDelet|
00001c90 65 4b 65 79 57 00 00 84 ae 52 65 67 45 6e 75 6d |eKeyW....RegEnum|
00001ca0 4b 65 79 45 78 41 00 00 61 64 76 61 70 69 33 32 |KeyExA..advapi32|
00001cb0 2e 64 6c 6c 00 00 db 1e 49 6d 61 67 65 4c 69 73 |.dll....ImageLis|
00001cc0 74 5f 47 65 74 49 6d 61 67 65 49 6e 66 6f 00 00 |t_GetImageInfo..|
00001cd0 e3 45 49 6d 61 67 65 4c 69 73 74 5f 44 72 61 77 |.EImageList_Draw|
00001ce0 00 00 c3 a8 49 6d 61 67 65 4c 69 73 74 5f 45 6e |....ImageList_En|
00001cf0 64 44 72 61 67 00 00 0d 1f 49 6d 61 67 65 4c 69 |dDrag....ImageLi|
00001d00 73 74 5f 44 65 73 74 72 6f 79 00 00 8c 64 49 6d |st_Destroy...dIm|
00001d10 61 67 65 4c 69 73 74 5f 43 72 65 61 74 65 00 00 |ageList_Create..|
00001d20 3c 57 49 6d 61 67 65 4c 69 73 74 5f 4c 6f 61 64 |<WImageList_Load|
00001d30 49 6d 61 67 65 57 00 00 b8 34 49 6d 61 67 65 4c |ImageW...4ImageL|
00001d40 69 73 74 5f 44 72 61 67 53 68 6f 77 4e 6f 6c 6f |ist_DragShowNolo|
00001d50 63 6b 00 00 b3 44 49 6d 61 67 65 4c 69 73 74 5f |ck...DImageList_|
00001d60 44 72 61 67 4d 6f 76 65 00 00 f8 10 49 6d 61 67 |DragMove....Imag|
00001d70 65 4c 69 73 74 5f 41 64 64 49 63 6f 6e 00 00 df |eList_AddIcon...|
00001d80 bf 49 6d 61 67 65 4c 69 73 74 5f 43 6f 70 79 00 |.ImageList_Copy.|
00001d90 00 5b 35 49 6d 61 67 65 4c 69 73 74 5f 47 65 74 |.[5ImageList_Get|
00001da0 49 63 6f 6e 53 69 7a 65 00 00 e1 d6 49 6d 61 67 |IconSize....Imag|
00001db0 65 4c 69 73 74 5f 4c 6f 61 64 49 6d 61 67 65 41 |eList_LoadImageA|
00001dc0 00 00 98 89 49 6d 61 67 65 4c 69 73 74 5f 4c 6f |....ImageList_Lo|
00001dd0 61 64 49 6d 61 67 65 00 00 64 4d 49 6d 61 67 65 |adImage..dMImage|
00001de0 4c 69 73 74 5f 47 65 74 44 72 61 67 49 6d 61 67 |List_GetDragImag|
00001df0 65 00 00 91 89 49 6e 69 74 43 6f 6d 6d 6f 6e 43 |e....InitCommonC|
00001e00 6f 6e 74 72 6f 6c 73 00 00 bc 36 49 6d 61 67 65 |ontrols...6Image|
00001e10 4c 69 73 74 5f 52 65 70 6c 61 63 65 00 00 98 95 |List_Replace....|
00001e20 49 6d 61 67 65 4c 69 73 74 5f 4d 65 72 67 65 00 |ImageList_Merge.|
00001e30 00 63 6f 6d 63 74 6c 33 32 2e 64 6c 6c 00 00 c5 |.comctl32.dll...|
00001e40 0a 52 65 67 47 65 74 4b 65 79 53 65 63 75 72 69 |.RegGetKeySecuri|
00001e50 74 79 00 00 29 ec 52 65 67 4f 70 65 6e 4b 65 79 |ty..).RegOpenKey|
00001e60 45 78 41 00 00 00 5e 52 65 67 52 65 70 6c 61 63 |ExA...^RegReplac|
00001e70 65 4b 65 79 41 00 00 17 78 52 65 67 4f 70 65 6e |eKeyA...xRegOpen|
00001e80 4b 65 79 41 00 00 d8 f3 52 65 67 45 6e 75 6d 56 |KeyA....RegEnumV|
00001e90 61 6c 75 65 57 00 00 4c 65 52 65 67 51 75 65 72 |alueW..LeRegQuer|
00001ea0 79 49 6e 66 6f 4b 65 79 57 00 00 1e c6 52 65 67 |yInfoKeyW....Reg|
00001eb0 51 75 65 72 79 56 61 6c 75 65 45 78 41 00 00 bc |QueryValueExA...|
00001ec0 e3 52 65 67 46 6c 75 73 68 4b 65 79 00 00 12 e7 |.RegFlushKey....|
00001ed0 52 65 67 45 6e 75 6d 4b 65 79 57 00 00 20 f3 52 |RegEnumKeyW.. .R|
00001ee0 65 67 44 65 6c 65 74 65 4b 65 79 57 00 00 9a 63 |egDeleteKeyW...c|
00001ef0 52 65 67 44 65 6c 65 74 65 4b 65 79 41 00 00 80 |RegDeleteKeyA...|
00001f00 53 52 65 67 43 72 65 61 74 65 4b 65 79 45 78 57 |SRegCreateKeyExW|
00001f10 00 00 79 91 52 65 67 51 75 65 72 79 56 61 6c 75 |..y.RegQueryValu|
00001f20 65 45 78 57 00 00 c2 15 52 65 67 45 6e 75 6d 4b |eExW....RegEnumK|
00001f30 65 79 45 78 57 00 00 9f 11 52 65 67 51 75 65 72 |eyExW....RegQuer|
00001f40 79 56 61 6c 75 65 57 00 00 b7 94 52 65 67 51 75 |yValueW....RegQu|
00001f50 65 72 79 56 61 6c 75 65 41 00 00 e7 50 52 65 67 |eryValueA...PReg|
00001f60 45 6e 75 6d 56 61 6c 75 65 41 00 00 63 2a 52 65 |EnumValueA..c*Re|
00001f70 67 45 6e 75 6d 4b 65 79 45 78 41 00 00 e4 09 52 |gEnumKeyExA....R|
00001f80 65 67 44 65 6c 65 74 65 56 61 6c 75 65 41 00 00 |egDeleteValueA..|
00001f90 62 8e 52 65 67 4c 6f 61 64 4b 65 79 57 00 00 87 |b.RegLoadKeyW...|
00001fa0 48 52 65 67 44 65 6c 65 74 65 56 61 6c 75 65 57 |HRegDeleteValueW|
00001fb0 00 00 c1 c1 52 65 67 43 72 65 61 74 65 4b 65 79 |....RegCreateKey|
00001fc0 57 00 00 61 64 76 61 70 69 33 32 2e 64 6c 6c 00 |W..advapi32.dll.|
00001fd0 00 c4 44 49 6d 61 67 65 4c 69 73 74 5f 52 65 61 |..DImageList_Rea|
00001fe0 64 00 00 b2 91 49 6d 61 67 65 4c 69 73 74 5f 44 |d....ImageList_D|
00001ff0 72 61 77 00 00 8a 23 49 6d 61 67 65 4c 69 73 74 |raw...#ImageList|
00002000 5f 4c 6f 61 64 49 6d 61 67 65 41 00 00 cb 5d 49 |_LoadImageA...]I|
00002010 6d 61 67 65 4c 69 73 74 5f 43 6f 70 79 00 00 99 |mageList_Copy...|
00002020 dd 49 6e 69 74 43 6f 6d 6d 6f 6e 43 6f 6e 74 72 |.InitCommonContr|
00002030 6f 6c 73 00 00 dd bf 49 6d 61 67 65 4c 69 73 74 |ols....ImageList|
00002040 5f 47 65 74 49 6d 61 67 65 43 6f 75 6e 74 00 00 |_GetImageCount..|
00002050 29 42 49 6d 61 67 65 4c 69 73 74 5f 47 65 74 49 |)BImageList_GetI|
00002060 6d 61 67 65 52 65 63 74 00 00 8d 42 49 6d 61 67 |mageRect...BImag|
00002070 65 4c 69 73 74 5f 47 65 74 49 6d 61 67 65 49 6e |eList_GetImageIn|
00002080 66 6f 00 00 5a d7 49 6d 61 67 65 4c 69 73 74 5f |fo..Z.ImageList_|
00002090 44 72 61 67 45 6e 74 65 72 00 00 26 51 49 6d 61 |DragEnter..&QIma|
000020a0 67 65 4c 69 73 74 5f 52 65 70 6c 61 63 65 00 00 |geList_Replace..|
000020b0 e1 4c 49 6d 61 67 65 4c 69 73 74 5f 42 65 67 69 |.LImageList_Begi|
000020c0 6e 44 72 61 67 00 00 63 46 49 6d 61 67 65 4c 69 |nDrag..cFImageLi|
000020d0 73 74 5f 44 72 61 77 45 78 00 00 76 dd 49 6d 61 |st_DrawEx..v.Ima|
000020e0 67 65 4c 69 73 74 5f 44 72 61 67 53 68 6f 77 4e |geList_DragShowN|
000020f0 6f 6c 6f 63 6b 00 00 27 c9 49 6d 61 67 65 4c 69 |olock..'.ImageLi|
00002100 73 74 5f 4c 6f 61 64 49 6d 61 67 65 57 00 00 eb |st_LoadImageW...|
00002110 69 49 6d 61 67 65 4c 69 73 74 5f 4d 65 72 67 65 |iImageList_Merge|
00002120 00 00 5c cd 49 6d 61 67 65 4c 69 73 74 5f 44 65 |..\.ImageList_De|
00002130 73 74 72 6f 79 00 00 f1 dc 49 6d 61 67 65 4c 69 |stroy....ImageLi|
00002140 73 74 5f 45 6e 64 44 72 61 67 00 00 63 64 49 6d |st_EndDrag..cdIm|
00002150 61 67 65 4c 69 73 74 5f 47 65 74 49 63 6f 6e 53 |ageList_GetIconS|
00002160 69 7a 65 00 00 fc 90 49 6d 61 67 65 4c 69 73 74 |ize....ImageList|
00002170 5f 44 72 61 77 49 6e 64 69 72 65 63 74 00 00 ec |_DrawIndirect...|
00002180 5b 49 6d 61 67 65 4c 69 73 74 5f 43 72 65 61 74 |[ImageList_Creat|
00002190 65 00 00 63 6f 6d 63 74 6c 33 32 2e 64 6c 6c 00 |e..comctl32.dll.|
000021a0 00 bf 91 49 6d 61 67 65 4c 69 73 74 5f 41 64 64 |...ImageList_Add|
000021b0 4d 61 73 6b 65 64 00 00 0b 4b 49 6d 61 67 65 4c |Masked...KImageL|
000021c0 69 73 74 5f 44 72 61 67 4d 6f 76 65 00 00 3c b9 |ist_DragMove..<.|
000021d0 49 6d 61 67 65 4c 69 73 74 5f 44 72 61 67 53 68 |ImageList_DragSh|
000021e0 6f 77 4e 6f 6c 6f 63 6b 00 00 d8 6c 49 6d 61 67 |owNolock...lImag|
000021f0 65 4c 69 73 74 5f 44 65 73 74 72 6f 79 00 00 5e |eList_Destroy..^|
00002200 64 49 6d 61 67 65 4c 69 73 74 5f 44 72 61 67 4c |dImageList_DragL|
00002210 65 61 76 65 00 00 0e 55 49 6d 61 67 65 4c 69 73 |eave...UImageLis|
00002220 74 5f 41 64 64 49 63 6f 6e 00 00 89 dd 49 6d 61 |t_AddIcon....Ima|
00002230 67 65 4c 69 73 74 5f 43 6f 70 79 00 00 5c 76 49 |geList_Copy..\vI|
00002240 6d 61 67 65 4c 69 73 74 5f 43 72 65 61 74 65 00 |mageList_Create.|
00002250 00 b8 33 49 6d 61 67 65 4c 69 73 74 5f 47 65 74 |..3ImageList_Get|
00002260 44 72 61 67 49 6d 61 67 65 00 00 64 6b 49 6d 61 |DragImage..dkIma|
00002270 67 65 4c 69 73 74 5f 44 72 61 77 49 6e 64 69 72 |geList_DrawIndir|
00002280 65 63 74 00 00 ef 12 49 6d 61 67 65 4c 69 73 74 |ect....ImageList|
00002290 5f 44 72 61 77 00 00 9f 4a 49 6d 61 67 65 4c 69 |_Draw...JImageLi|
000022a0 73 74 5f 4d 65 72 67 65 00 00 37 e7 49 6d 61 67 |st_Merge..7.Imag|
000022b0 65 4c 69 73 74 5f 52 65 61 64 00 00 9b d2 49 6d |eList_Read....Im|
000022c0 61 67 65 4c 69 73 74 5f 47 65 74 49 63 6f 6e 53 |ageList_GetIconS|
000022d0 69 7a 65 00 00 61 2d 49 6d 61 67 65 4c 69 73 74 |ize..a-ImageList|
000022e0 5f 4c 6f 61 64 49 6d 61 67 65 57 00 00 59 3f 49 |_LoadImageW..Y?I|
000022f0 6d 61 67 65 4c 69 73 74 5f 52 65 70 6c 61 63 65 |mageList_Replace|
00002300 00 00 2a e5 49 6d 61 67 65 4c 69 73 74 5f 4c 6f |..*.ImageList_Lo|
00002310 61 64 49 6d 61 67 65 00 00 a4 ea 49 6d 61 67 65 |adImage....Image|
00002320 4c 69 73 74 5f 44 72 61 77 45 78 00 00 b9 ae 49 |List_DrawEx....I|
00002330 6d 61 67 65 4c 69 73 74 5f 47 65 74 49 6d 61 67 |mageList_GetImag|
00002340 65 43 6f 75 6e 74 00 00 c3 c8 49 6e 69 74 43 6f |eCount....InitCo|
00002350 6d 6d 6f 6e 43 6f 6e 74 72 6f 6c 73 00 00 59 c9 |mmonControls..Y.|
00002360 49 6d 61 67 65 4c 69 73 74 5f 42 65 67 69 6e 44 |ImageList_BeginD|
00002370 72 61 67 00 00 da 2f 49 6d 61 67 65 4c 69 73 74 |rag.../ImageList|
00002380 5f 52 65 6d 6f 76 65 00 00 63 6f 6d 63 74 6c 33 |_Remove..comctl3|
00002390 32 2e 64 6c 6c 00 00 f8 fb 49 6d 61 67 65 4c 69 |2.dll....ImageLi|
000023a0 73 74 5f 44 65 73 74 72 6f 79 00 00 c1 73 49 6d |st_Destroy...sIm|
000023b0 61 67 65 4c 69 73 74 5f 44 72 61 77 00 00 e5 f7 |ageList_Draw....|
000023c0 49 6d 61 67 65 4c 69 73 74 5f 4c 6f 61 64 49 6d |ImageList_LoadIm|
000023d0 61 67 65 41 00 00 51 89 49 6d 61 67 65 4c 69 73 |ageA..Q.ImageLis|
000023e0 74 5f 44 72 61 67 45 6e 74 65 72 00 00 b8 14 49 |t_DragEnter....I|
000023f0 6d 61 67 65 4c 69 73 74 5f 41 64 64 4d 61 73 6b |mageList_AddMask|
00002400 65 64 00 00 4c 6b 49 6d 61 67 65 4c 69 73 74 5f |ed..LkImageList_|
00002410 44 72 61 67 4c 65 61 76 65 00 00 64 e8 49 6d 61 |DragLeave..d.Ima|
00002420 67 65 4c 69 73 74 5f 47 65 74 49 6d 61 67 65 52 |geList_GetImageR|
00002430 65 63 74 00 00 66 30 49 6d 61 67 65 4c 69 73 74 |ect..f0ImageList|
00002440 5f 4c 6f 61 64 49 6d 61 67 65 00 00 ee 48 49 6d |_LoadImage...HIm|
00002450 61 67 65 4c 69 73 74 5f 44 72 61 67 53 68 6f 77 |ageList_DragShow|
00002460 4e 6f 6c 6f 63 6b 00 00 23 f5 49 6d 61 67 65 4c |Nolock..#.ImageL|
00002470 69 73 74 5f 52 65 70 6c 61 63 65 00 00 3b 45 49 |ist_Replace..;EI|
00002480 6d 61 67 65 4c 69 73 74 5f 44 72 61 67 4d 6f 76 |mageList_DragMov|
00002490 65 00 00 84 bd 49 6d 61 67 65 4c 69 73 74 5f 44 |e....ImageList_D|
000024a0 72 61 77 49 6e 64 69 72 65 63 74 00 00 e7 a8 49 |rawIndirect....I|
000024b0 6d 61 67 65 4c 69 73 74 5f 42 65 67 69 6e 44 72 |mageList_BeginDr|
000024c0 61 67 00 00 b3 91 49 6d 61 67 65 4c 69 73 74 5f |ag....ImageList_|
000024d0 52 65 6d 6f 76 65 00 00 3b 3b 49 6d 61 67 65 4c |Remove..;;ImageL|
000024e0 69 73 74 5f 4d 65 72 67 65 00 00 35 26 49 6d 61 |ist_Merge..5&Ima|
000024f0 67 65 4c 69 73 74 5f 52 65 61 64 00 00 83 2b 49 |geList_Read...+I|
00002500 6d 61 67 65 4c 69 73 74 5f 52 65 70 6c 61 63 65 |mageList_Replace|
00002510 49 63 6f 6e 00 00 45 ab 49 6d 61 67 65 4c 69 73 |Icon..E.ImageLis|
00002520 74 5f 47 65 74 49 6d 61 67 65 43 6f 75 6e 74 00 |t_GetImageCount.|
00002530 00 63 6f 6d 63 74 6c 33 32 2e 64 6c 6c 00 00 7f |.comctl32.dll...|
00002540 95 43 72 65 61 74 65 53 6f 6c 69 64 42 72 75 73 |.CreateSolidBrus|
00002550 68 00 00 6a b8 47 65 74 43 75 72 72 65 6e 74 50 |h..j.GetCurrentP|
00002560 6f 73 69 74 69 6f 6e 45 78 00 00 ac c6 53 65 74 |ositionEx....Set|
00002570 54 65 78 74 43 6f 6c 6f 72 00 00 68 00 42 69 74 |TextColor..h.Bit|
00002580 42 6c 74 00 00 86 81 43 61 6e 63 65 6c 44 43 00 |Blt....CancelDC.|
00002590 00 0d 5f 41 64 64 46 6f 6e 74 52 65 73 6f 75 72 |.._AddFontResour|
000025a0 63 65 57 00 00 1b f6 44 65 6c 65 74 65 44 43 00 |ceW....DeleteDC.|
000025b0 00 9e 35 47 65 74 42 72 75 73 68 4f 72 67 45 78 |..5GetBrushOrgEx|
000025c0 00 00 8f 17 44 65 6c 65 74 65 4f 62 6a 65 63 74 |....DeleteObject|
000025d0 00 00 c5 bb 41 62 6f 72 74 50 61 74 68 00 00 4e |....AbortPath..N|
000025e0 6c 47 65 74 43 6c 69 70 42 6f 78 00 00 4b 3a 43 |lGetClipBox..K:C|
000025f0 6c 6f 73 65 46 69 67 75 72 65 00 00 32 03 41 64 |loseFigure..2.Ad|
00002600 64 46 6f 6e 74 52 65 73 6f 75 72 63 65 54 72 61 |dFontResourceTra|
00002610 63 6b 69 6e 67 00 00 0a e2 45 78 63 6c 75 64 65 |cking....Exclude|
00002620 43 6c 69 70 52 65 63 74 00 00 c1 e9 41 64 64 46 |ClipRect....AddF|
00002630 6f 6e 74 52 65 73 6f 75 72 63 65 45 78 41 00 00 |ontResourceExA..|
00002640 67 64 69 33 32 2e 64 6c 6c 00 00 00 00 00 00 00 |gdi32.dll.......|
00002650 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[....]
0000a610 0c 0f 0c 00 07 00 0c 07 0f ae 1e 1e 1e 0f 1b a0 |................|
0000a620 ae 0f 00 0c 00 0c 00 0c 0f ae 1e 0f 1e 0f 1b a0 |................|
0000a630 ae 0f 0c 0f 0c 00 0f 00 07 ae 1e 0f 1e 0f 1b a0 |................|
0000a640 ae 0c 00 0f 00 0c 0f 0c 00 ae 0f 0f 1e 0f 1b a0 |................|
0000a650 ae 00 0c 00 0c 00 0c 00 0c ae 1e 1e 1e 0f 1b a0 |................|
0000a660 ae 0f 0f 0f 0f 0f 0f 0f 0f ae 0f 0f 11 11 a0 a0 |................|
0000a670 ae ae ae ae ae ae ae ae ae ae 0f 0f 11 0f a0 00 |................|
0000a680 00 00 00 19 0f 0f 0f 0f 0f 0f 0f 0f 11 a0 00 00 |................|
0000a690 00 00 00 19 19 19 19 19 19 19 19 19 11 00 00 00 |................|
0000a6a0 e0 00 00 00 e0 00 00 00 e0 00 00 00 e0 00 00 00 |................|
0000a6b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
0000a6d0 00 00 00 00 00 01 00 00 e0 03 00 00 e0 07 00 00 |................|
0000a6e0 00 00 01 00 02 00 30 30 00 00 01 00 08 00 a8 0e |......00........|
0000a6f0 00 00 01 00 10 10 00 00 01 00 08 00 68 05 00 00 |............h...|
0000a700 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0000a710 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
0000a800