!This program cannot be run in DOS mode.
`.rdata
@.data
bad cast
Failed to dump cache (the text returned follows):
Cache dumped successfully
%s.cachedump
successfully removed
Warning: cachedump did not complete in a timely manner - exiting
-c -n %s %s "%s\cachedump64.exe" -v
-c -n %s %s "%s\cachedump.exe" -v
%s\cachedump64.exe
%s\cachedump.exe
No text available for this message
ERROR %s: %d - %s
netmsg.dll
127.0.0.1
Source file already specified: did you mistakenly use -f *AND* -H?
Starting dump on %s
%d-%02d-%02d-%02d-%02d-%02d
Terminating thread %08x (lpszServer is NULL)
Error dumping server %s, see previous messages for details
>> A new worker thread has been created with the ID: %08x <<
Total successful: %d
Total failed: %d
Successful servers:
Failed servers:
-----Summary-----
Unexpected error reading from the file (error %d)
The line '%s' is not of the correct 'host:user:pwd' format, skipping this entry
The file %s was not found. Sorry, no potato.
Symantec detected locally
McAfee detected locally
cachedump64.exe
lsremora64.dll
servpw64.exe
pstgdump.exe
cachedump.exe
fgexec.exe
lsremora.dll
pwdump.exe
servpw.exe
--- Session ID: %s ---
.fgdump-log
.failed
ERROR: Could not get a session ID. This is very odd...I'd better quit.
ERROR: You cannot specify -c *and* -w, unless you use -t
Please specify the password to use:
ERROR: you must specify a filename to use!
ERROR: you must specify a server and username!
Unable to establish a writable connection to %s, cachedump will not be performed
Failed to install fgexec service on %s
WARNING: Unable to uninstall the fgexec service, you may have to do it by hand!
Failed to start fgexec service on %s, uninstalling
Successfully started fgexec service on %s
fgexec
Execution path of fgexec is %s
%s\%s -s -n %s
Unable to copy fgexec to target path!
WARNING: failed to stop fgexec service on %s! You may need to stop it and uninstall it by hand!!
Successfully stopped fgexec service on %s
Failed to dump cache
Failed to dump protected storage
Unable to start AV services (Symantec)
Unable to start AV services (McAfee)
Unable to start AV services (Sophos)
Unable to start AV services (Trend)
Unable to stop fgexec service
Protected storage dump failed - check error log
Cachedump failed - check error log
PWDump failed - check error log
Unable to start the fgexec service
Symantec is installed on this box, but not currently running. Leaving the service alone but proceeding with pwdump and cachedump
Symantec is running on this machine.
Symantec AV was running but could not be stopped
Symantec is running on this machine, shutting it down for a bit...
Symantec AV was in an unknown state
Symantec is installed on this box, but is in an unknown state. Aborting the pwdump.
Symantec is installed on this box, but is in an unknown state. Not attempting to stop it, but continuing.
McAfee is installed on this box, but not currently running. Leaving the service alone but proceeding with pwdump and cachedump
McAfee is running on this machine.
McAfee AV was running but could not be stopped
McAfee is running on this machine, shutting it down for a bit...
McAfee AV was in an unknown state
McAfee is installed on this box, but is in an unknown state. Aborting the pwdump.
McAfee is installed on this box, but is in an unknown state. Not attempting to stop it, but continuing.
Sophos is installed on this box, but not currently running. Leaving the service alone but proceeding with pwdump and cachedump
Sophos is running on this machine.
Sophos AV was running but could not be stopped
Sophos is running on this machine, shutting it down for a bit...
Sophos AV was in an unknown state
Sophos is installed on this box, but is in an unknown state. Aborting the pwdump.
Sophos is installed on this box, but is in an unknown state. Not attempting to stop it, but continuing.
Trend is installed on this box, but not currently running. Leaving the service alone.
Trend is running on this machine.
Trend AV was running but could not be stopped
Trend is running on this machine, shutting it down for a bit...
Trend AV was in an unknown state
Trend is installed on this box, but is in an unknown state. Aborting the pwdump.
Trend is installed on this box, but is in an unknown state. Not attempting to stop it, but continuing.
%s.pwdump
Error retrieving service information. Remote registry may not be running (for remote hosts), simple file sharing may be enabled, or the account may not have 'Log On as Batch Job' permission.
CRITICAL: Error retrieving service information. Remote registry may not be running (for remote hosts), simple file sharing may be enabled, or the account may not have 'Log On as Batch Job' permission. Skipping this host.
RemoteRegistry
Overriding target architecture - using 64-bit (-O was used)
Overriding target architecture - using 32-bit (-O was used)
Unable to determine OS version, see previous error for details
OS (%s): %s %s
(64-bit)
Skipping impersonation (no user provided)
Impersonation failed
Skipping: nothing to do
Skipping: nothing to do
INFO: skipping dump of protected storage secrets on %s because %s exists or I was told to skip LSA dumps
%s.lsadump
INFO: skipping cachedump on %s because %s exists or I was told to skip cache dumps
INFO: skipping pwdump on %s because %s exists or I was told to skip pwdumps
** Beginning dump on server %s **
** Beginning local dump **
vector<T> too long
list<T> too long
%s|%d|%d|%s
Error opening failed output log file %s, disabling further log writing. Error code returned was %d
--- Command line used: %s ---
--- fgdump session started on %d/%d/%d at %0.2d:%0.2d:%0.2d ---
Error opening output log file %s, disabling further log writing. Error code returned was %d
** As of version 1.4.0, you can run fgdump with no parameters to dump the local box (no impersonation or binding)
-O manually sets whether the target is a 32- or 64-bit OS. Note that this applies to all hosts specified.
-a will not attempt to detect or shut down antivirus, even if it is present
-o skips pwdump history dumps
-H reads host:username:password from a line-separated file (per-host credentials)
-f reads hosts from a line-separated file
-h is the name of the single host to perform the dumps against
-T runs fgdump with the specified number of parallel threads
-l logs all output to logfile
-k keeps the pwdump/cachedump going even if antivirus is in an unknown state
-v makes output more verbose. Use twice for greater effect
-r forgets about existing pwdump/cachedump files. The default behavior is to skip a host if these files already exist.
-s performs the protected storage dump
-w skips the password dump
-c skips the cache dump
-t will test for the presence of antivirus without actually running the password dumps
-? displays help (you're looking at it!)
where Username and Password have administrator credentials
%s [-?][-t][-c][-w][-s][-r][-v][-k][-o][-a][-O 32|64][-l logfile][-T threads] [{{-h Host | -f filename} -u Username -p Password | -H filename}]
fgdump
Usage:
The parameter to -O must be 32 or 64
The number of threads specified must be greater than or equal to 1
The path specified for the -H argument is greater than the maximum allowed.
The path specified for the -f argument is greater than the maximum allowed.
Ignoring unknown option '%c'
h:tf:H:u:p:l:T:O:cwrvskoa?
No parameters specified, doing a local dump. Specify -? if you are looking for help.
more information.
under certain conditions; see the COPYING and README files for
This is free software, and you are welcome to redistribute it
fgdump comes with ABSOLUTELY NO WARRANTY!
Copyright(C) 2008 fizzgig and foofus.net
Written to make j0m0kun's life just a bit easier
fgDump 2.1.0 - fizzgig and the mighty group at foofus.net
Network Associates McShield
mcshield
McAfeeFramework
McTaskManager
AlertManager
Unable to stop any McAfee services, see previous errors for details.
Stopped McAfee service "%s" successfully
Unable to start any McAfee services, see previous errors for details.
Started McAfee service "%s" successfully
NetUse
Unable to log on to host
\\%s\ipc$
Unable to unbind from IPC$ on %s (YOU MAY NEED TO DO THIS BY HAND!) Error %d
Failed to dump protected storage (the text returned follows):
Protected storage dumped successfully
%s.pstgdump
Successfully dumped
Warning: protected storage dump did not complete in a timely manner - exiting
-c -n %s %s "%s\pstgdump.exe" -q -u %s -p %s
Failed to dump passwords: %s
Passwords dumped successfully
Completed
Warning: pwdump did not complete in a timely manner - exiting
-o "%s\%s.pwdump" -u "%s" -p "%s" %s
-x -o "%s\%s.pwdump" -u "%s" -p "%s" %s
-n -o "%s\%s.pwdump" -u "%s" -p "%s" %s
-n -x -o "%s\%s.pwdump" -u "%s" -p "%s" %s
Skipping password histories for this server
Unknown
Professional
Server
ServerNT
Microsoft Windows %s %s %s (Build %s)
Microsoft Windows %s %s (Build %s)
RegQueryValueEx(CSDVersion)
CSDVersion
RegQueryValueEx(BuildNumber)
CurrentBuildNumber
RegQueryValueEx(CurrentVersion)
CurrentVersion
RegQueryValueEx(ProductType)
ProductType
RegOpenKey(Options)
SYSTEM\CurrentControlSet\Control\ProductOptions
RegOpenKey(Version)
SOFTWARE\Microsoft\Windows NT\CurrentVersion
WARNING: Could not determine target processor type - assuming 32-bit. If you have trouble, try overriding the target type for this host with -O (no PA value)
WARNING: Could not determine target processor type - assuming 32-bit. If you have trouble, try overriding the target type for this host with -O (zero-len PA value)
WARNING: Could not determine target processor type - assuming 32-bit. If you have trouble, try overriding the target type for this host with -O (invalid PA value)
PROCESSOR_ARCHITECTURE
SYSTEM\CurrentControlSet\Control\Session Manager\Environment
SOFTWARE\Wow6432Node
RegConnectRegistry
GetOSVersion
I noticed %s already exists, I will just use that file
Unable to lock resource, exiting
Unable to load resource from the executable
Unable to find resource %d in the executable
QueryServiceStatus
OpenSCManager
Could not connect to service manager: this may be a Win95, 98, SNAP or other non-NT-based system.
'%s' was already running on %s
OpenService
StartService
StopService
Successfully installed service '%s' on %s
CreateService
'%s' was already installed on %s, using that service
InstallService
Successfully uninstalled service '%s' on %s
DeleteService
UninstallService
Unable to create/open share finding mutex! Throwing an error now.
Global\FGDUMP_SHARE_MTX
Found share %S, whose physical path is %S
EnumerateShares returned an error of %ld
Error writing the test file to %s, skipping this share (error %d)
success
NETLOGON
SYSVOL
BindUploadShareToLocalDrive returned an error of %ld
Able to write to this directory, using location %s for cachedump
%s\test.fgdump
Sophos Message Router
Sophos AutoUpdate Service
Sophos Agent
SAVAdminService
Unable to stop any Sophos services, see previous errors for details.
Stopped Sophos service "%s" successfully
Unable to start any Sophos services, see previous errors for details.
Started Sophos service "%s" successfully
Symantec AntiVirus Client
navapsvc
Norton AntiVirus Auto-Protect Service
Symantec AntiVirus
Unable to stop any Symantec services, see previous errors for details. Stopping pwdump.
Stopped Symantec service "%s" successfully
Unable to start any Symantec services, see previous errors for details. Stopping pwdump.
Started Symantec service "%s" successfully
ofcservice
SpntSvc
EarthAgent
tmlisten
ntrtscan
Unable to stop any Trend services, see previous errors for details.
Stopped Trend service "%s" successfully
Unable to start any Trend services, see previous errors for details.
Started Trend service "%s" successfully
ios_base::eofbit set
ios_base::failbit set
ios_base::badbit set
invalid string position
string too long
bad allocation
Unknown exception
CorExitProcess
mscoree.dll
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
Microsoft Visual C++ Runtime Library
Program:
<program name unknown>
A buffer overrun has been detected which has corrupted the program's
internal state. The program cannot safely continue execution and must
now be terminated.
Buffer overrun detected!
A security error of unknown cause has been detected which has
corrupted the program's internal state. The program cannot safely
continue execution and must now be terminated.
Unknown security failure detected!
(null)
CONIN$
CONOUT$
runtime error
TLOSS error
SING error
DOMAIN error
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Runtime Error!
Program:
Paraguay
Uruguay
Ecuador
Argentina
Colombia
Venezuela
Dominican Republic
South Africa
Panama
Luxembourg
Costa Rica
Switzerland
Guatemala
Canada
Spanish - Modern Sort
Australia
English
Austria
German
Belgium
Mexico
Spanish
Basque
Sweden
Swedish
Iceland
Icelandic
France
French
Finland
Finnish
Spanish - Traditional Sort
united-states
united-kingdom
trinidad & tobago
south-korea
south-africa
south korea
south africa
slovak
puerto-rico
pr-china
pr china
new-zealand
hong-kong
holland
great britain
england
britain
america
swedish-finland
spanish-venezuela
spanish-uruguay
spanish-puerto rico
spanish-peru
spanish-paraguay
spanish-panama
spanish-nicaragua
spanish-modern
spanish-mexican
spanish-honduras
spanish-guatemala
spanish-el salvador
spanish-ecuador
spanish-dominican republic
spanish-costa rica
spanish-colombia
spanish-chile
spanish-bolivia
spanish-argentina
portuguese-brazilian
norwegian-nynorsk
norwegian-bokmal
norwegian
italian-swiss
irish-english
german-swiss
german-luxembourg
german-lichtenstein
german-austrian
french-swiss
french-luxembourg
french-canadian
french-belgian
english-usa
english-us
english-uk
english-trinidad y tobago
english-south africa
english-nz
english-jamaica
english-ire
english-caribbean
english-can
english-belize
english-aus
english-american
dutch-belgian
chinese-traditional
chinese-singapore
chinese-simplified
chinese-hongkong
chinese
canadian
belgian
australian
american-english
american english
american
Norwegian-Nynorsk
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
c:\source\fgdump\Release\fgdump.pdb
NetApiBufferFree
NetShareEnum
NETAPI32.dll
WNetAddConnection2A
WNetCancelConnection2A
MPR.dll
WaitForSingleObject
FreeLibrary
FormatMessageA
LoadLibraryExA
InitializeCriticalSection
DeleteCriticalSection
SetEvent
ResetEvent
LeaveCriticalSection
WaitForMultipleObjects
EnterCriticalSection
GetSystemTime
GetCurrentThreadId
CreateThread
CreateEventA
GetLastError
GetTempPathA
CopyFileA
DeleteFileA
InterlockedIncrement
GetCommandLineA
GetLocalTime
CloseHandle
CreateProcessA
ReadFile
DuplicateHandle
GetCurrentProcess
CreatePipe
GetStdHandle
GetCurrentDirectoryA
FreeResource
SizeofResource
LockResource
LoadResource
FindResourceA
CreateMutexA
KERNEL32.dll
wsprintfA
USER32.dll
RegCloseKey
RegQueryValueExA
RegOpenKeyA
RegConnectRegistryA
QueryServiceStatus
CloseServiceHandle
OpenServiceA
OpenSCManagerA
StartServiceA
ControlService
CreateServiceA
DeleteService
ADVAPI32.dll
StringFromGUID2
CoCreateGuid
ole32.dll
HeapFree
RtlUnwind
RaiseException
ExitProcess
GetProcAddress
GetModuleHandleA
TerminateProcess
HeapAlloc
WriteConsoleA
ReadConsoleInputA
SetConsoleMode
GetConsoleMode
MultiByteToWideChar
WideCharToMultiByte
GetVersionExA
LCMapStringA
LCMapStringW
GetCPInfo
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
IsBadWritePtr
SetUnhandledExceptionFilter
WriteFile
FlushFileBuffers
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetModuleFileNameA
SetFilePointer
CreateFileA
VirtualProtect
GetSystemInfo
VirtualQuery
SetHandleCount
GetFileType
GetStartupInfoA
HeapSize
GetACP
GetOEMCP
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetLocaleInfoA
GetStringTypeA
GetStringTypeW
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
IsValidCodePage
IsBadReadPtr
IsBadCodePtr
SetStdHandle
LoadLibraryA
InterlockedExchange
GetLocaleInfoW
SetEndOfFile
.?AVexception@@
.?AVbad_cast@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVfacet@locale@std@@
.?AV_Locimp@locale@std@@
.?AV?$_Iosb@H@std@@
.?AVios_base@std@@
.?AVruntime_error@std@@
.?AVfailure@ios_base@std@@
.?AVout_of_range@std@@
Copyright (c) 1992-2001 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.
.?AVbad_alloc@std@@
.?AVtype_info@@
!This program cannot be run in DOS mode.
`.rdata
@.data
kPOP3 Password2
POP3 Server
POP3 User Name
HTTPMail Password2
Hotmail
HTTPMail User Name
Unable to enumerate Outlook Express accounts: could not open HKCU\%s
Software\Microsoft\Internet Account Manager\Accounts
%s|%s|%s|%s
Identity
IdentitiesPass
Username
Identities
Unknown
89c39569
AutoComplete Passwords
IE Auto Complete Fields
https:/
http:/
:String
StringIndex
e161255a
MSN Explorer Signup
b9819c52
ERROR DECRYPTING
IE Password-Protected Site
ftp://
DPAPI:
5e7e8100
Outlook Express Account
Deleted Outlook Express Account
220d5cc1
Unable to read protected storage item %S (error code %X)
Unable to enumerate protected storage items for GUID %S (error code %X)
Unable to enumerate protected storage subtypes for GUID %S (error code %X)
Unable to enumerate protected storage types (error code %X)
Unable to create protected storage instance (error code %X)
Unable to obtain handle to PStoreCreateInstance in pstorec.dll
PStoreCreateInstance
pstorec.dll
more information.
under certain conditions; see the COPYING and README files for
This is free software, and you are welcome to redistribute it
pstgdump comes with ABSOLUTELY NO WARRANTY!
Copyright (C) 2006 fizzgig and foofus.net
*** THIS IS A BETA VERSION, YOU HAVE BEEN WARNED ***
pstgdump 0.1.0-BETA2 - fizzgig and the mighty group at foofus.net
-p password to use in conjunction with -u
-u username to impersonate (if not provided, the currently logged in user is used)
-q supresses the program information - useful when running as a batch job or saving to a file
-h displays this usage information
ptsgdump [-h][-q][-u Username][-p Password]
Usage:
Successfully dumped protected storage
Failed to dump all protected storage items - see previous messages for details
Failed to impersonate user (ImpersonateLoggedOnUser failed): error %d
Failed to impersonate user (LogonUser failed): error %d
Attempting to impersonate user '%s'
You must specify a password when you specify a user to impersonate. Exiting.
Ignoring unknown option '%c'
u:p:hq
CorExitProcess
mscoree.dll
(null)
Microsoft Visual C++ Runtime Library
Program:
<program name unknown>
A buffer overrun has been detected which has corrupted the program's
internal state. The program cannot safely continue execution and must
now be terminated.
Buffer overrun detected!
A security error of unknown cause has been detected which has
corrupted the program's internal state. The program cannot safely
continue execution and must now be terminated.
Unknown security failure detected!
runtime error
TLOSS error
SING error
DOMAIN error
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Runtime Error!
Program:
GAIsProcessorFeaturePresent
KERNEL32
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
1#QNAN
1#SNAN
c:\Source\fgdump\pstgdump\Release\pstgdump.pdb
CryptUnprotectData
CRYPT32.dll
lstrcpyA
GetProcAddress
LoadLibraryA
CloseHandle
GetLastError
KERNEL32.dll
IsCharAlphaNumericA
wsprintfA
USER32.dll
RegCloseKey
RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RevertToSelf
ImpersonateLoggedOnUser
LogonUserA
ADVAPI32.dll
LocalFree
HeapFree
HeapReAlloc
HeapAlloc
ExitProcess
RtlUnwind
GetModuleHandleA
TerminateProcess
GetCurrentProcess
GetCommandLineA
GetVersionExA
RaiseException
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
IsBadWritePtr
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
GetModuleFileNameA
GetACP
GetOEMCP
GetCPInfo
WriteFile
GetStdHandle
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoA
SetUnhandledExceptionFilter
InterlockedExchange
VirtualQuery
SetFilePointer
IsBadReadPtr
IsBadCodePtr
HeapSize
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW
FlushFileBuffers
SetStdHandle
GetLocaleInfoA
VirtualProtect
GetSystemInfo
OLEAUT32.dll
.?AV_com_error@@
.?AVtype_info@@
!This program cannot be run in DOS mode.
`.rdata
@.data
Exec failed, GetLastError returned %d
fgexec
fgexec CallNamedPipe failed with error %d (pipe name %s)
%s||%s
Run as a client, causing command to be executed on target.
The FULL PATH (including extension) must be passed for the command.
fgexec -c [-n pipename] target command [arguments]
-n is an optional pipename (needed if running multiple client instances)
Run as a service (use this on the target machine)
fgexec -s [-n pipename]
Usage:
fizzgig and the mighty foofus.net team
fgexec Remote Process Execution Tool v2.1.0
\\%s\pipe\%s
fgexecpipe
WARNING: Pipe name is greater than MAX_PATH characters, name may be truncated
Ignoring unknown option '%c'
bad allocation
Unknown exception
(null)
Microsoft Visual C++ Runtime Library
Program:
<program name unknown>
A buffer overrun has been detected which has corrupted the program's
internal state. The program cannot safely continue execution and must
now be terminated.
Buffer overrun detected!
A security error of unknown cause has been detected which has
corrupted the program's internal state. The program cannot safely
continue execution and must now be terminated.
Unknown security failure detected!
CorExitProcess
mscoree.dll
runtime error
TLOSS error
SING error
DOMAIN error
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Runtime Error!
Program:
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
c:\Source\fgdump\fgexec\Release\fgexec.pdb
WaitForSingleObject
CreateFileA
SetEvent
CloseHandle
DisconnectNamedPipe
FlushFileBuffers
WriteFile
ReadFile
GetLastError
ConnectNamedPipe
CreateNamedPipeA
CreateEventA
CallNamedPipeA
CreateProcessA
DuplicateHandle
GetCurrentProcess
CreatePipe
GetStdHandle
KERNEL32.dll
SetServiceStatus
RegisterServiceCtrlHandlerA
StartServiceCtrlDispatcherA
ADVAPI32.dll
RtlUnwind
ExitProcess
GetModuleHandleA
GetCommandLineA
GetVersionExA
HeapAlloc
RaiseException
HeapFree
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
GetModuleFileNameA
GetACP
GetOEMCP
GetCPInfo
GetProcAddress
TerminateProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
IsBadWritePtr
HeapSize
SetUnhandledExceptionFilter
IsBadReadPtr
IsBadCodePtr
SetFilePointer
LoadLibraryA
InterlockedExchange
VirtualQuery
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW
SetStdHandle
GetLocaleInfoA
VirtualProtect
GetSystemInfo
.?AVexception@@
.?AVbad_alloc@std@@
.?AVtype_info@@
!This program cannot be run in DOS mode.
`.rdata
@.data
.pdata
ERROR %s (code %d)
Invalid Cache entries number. Shouldn't happen.
Failed to alloc a Heap.
Invalid LSA key...
HeapCreate
Kill CacheDump service (shouldn't be used)
cacheDump [-v | -vv | -K]
Verbose
Very verbose
CacheDump 1.4 - Dump Cache Entries
OpenSCManager function failed
DeleteService failed. Sure service running ?
Service successfully removed.
Can't stop the service. Try to remove it.
Retry in 2 sec
ControlService failed to STOP the service.
Service currently active. Stopping service...
QueryServiceStatus fails!
OpenService function failed
LSA Key:
NL$%d(%d):
Pipe connected.
ConnectNamedPipe function failed.
Service started.
StartService function failed
Are you Administrator ? Is cacheDump executed from a local drive ? Service still runnning ?
Service already running. Shouldn't happen. try -K flag.
Pipe %s created.
CreateNamedPipe function failed. Dumping cache do not seems too work.
\\.\pipe\%ls
CacheDump service successfully installed.
CreateService function failed
Service not found. Installing CacheDump Service (%s)
Try to kill CacheDump service.
No CacheDump service found !
RtlCompareUnicodeString
NtQuerySystemInformation
Failed to read LSASS memory.
Unable to open LSASS.EXE process
Unable to find LSASS pid.
Unable to GetModuleInformation
Unable to LoadLibrary lsasrv.dll
lsasrv.dll
CacheDump
Can't compute LSA Cipher Key SystemFunction005
Failed to send LSA Cipher Key WriteFile
Failed to retrieve LSA Cipher Key value RegQueryValue
Failed to retrieve LSA Cipher Key by RegOpenKeyEx
SECURITY\Policy\Secrets\NL$KM\CurrVal
Failed to retrieved LSA Cipher key
Failed to GetProcAddress SystemFunction005
SystemFunction005
Failed to load LoadLibrary advapi32.dll
advapi32.dll
Incorrect MSV Version (only v1.4 supported)
NL$Control
Failed to open key SECURITY\Cache in RegOpenKeyEx. Is service running as SYSTEM ? Do you ever log on domain ?
SECURITY\CACHE
(null)
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
.mixcrt
EncodePointer
KERNEL32.DLL
DecodePointer
CorExitProcess
mscoree.dll
runtime error
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
united-states
united-kingdom
trinidad & tobago
south-korea
south-africa
south korea
south africa
slovak
puerto-rico
pr-china
pr china
new-zealand
hong-kong
holland
great britain
england
britain
america
swedish-finland
spanish-venezuela
spanish-uruguay
spanish-puerto rico
spanish-peru
spanish-paraguay
spanish-panama
spanish-nicaragua
spanish-modern
spanish-mexican
spanish-honduras
spanish-guatemala
spanish-el salvador
spanish-ecuador
spanish-dominican republic
spanish-costa rica
spanish-colombia
spanish-chile
spanish-bolivia
spanish-argentina
portuguese-brazilian
norwegian-nynorsk
norwegian-bokmal
norwegian
italian-swiss
irish-english
german-swiss
german-luxembourg
german-lichtenstein
german-austrian
french-swiss
french-luxembourg
french-canadian
french-belgian
english-usa
english-us
english-uk
english-trinidad y tobago
english-south africa
english-nz
english-jamaica
english-ire
english-caribbean
english-can
english-belize
english-aus
english-american
dutch-belgian
chinese-traditional
chinese-singapore
chinese-simplified
chinese-hongkong
chinese
canadian
belgian
australian
american-english
american english
american
Norwegian-Nynorsk
SystemFunction036
ADVAPI32.DLL
InitializeCriticalSectionAndSpinCount
kernel32.dll
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONIN$
CONOUT$
c:\source\fgdump\cachedump\x64\Release x64\cachedump64.pdb
FormatMessageA
GetLastError
ExitProcess
HeapAlloc
GetProcessHeap
HeapCreate
DisconnectNamedPipe
ReadFile
ConnectNamedPipe
CloseHandle
CreateNamedPipeA
GetModuleFileNameA
FreeLibrary
GetProcAddress
LoadLibraryA
__C_specific_handler
ReadProcessMemory
OpenProcess
GetCurrentProcess
ExitThread
FlushFileBuffers
WriteFile
CreateFileA
WaitNamedPipeA
CreateThread
KERNEL32.dll
wsprintfA
USER32.dll
StartServiceCtrlDispatcherA
OpenSCManagerA
CloseServiceHandle
DeleteService
ControlService
QueryServiceStatus
StartServiceA
CreateServiceA
OpenServiceA
SetServiceStatus
RegQueryValueExA
RegOpenKeyExA
RegisterServiceCtrlHandlerA
ADVAPI32.dll
StringFromGUID2
CoCreateGuid
ole32.dll
GetModuleInformation
PSAPI.DLL
HeapFree
GetCommandLineA
GetVersionExA
EnterCriticalSection
LeaveCriticalSection
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlCaptureContext
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
GetModuleHandleA
FlsGetValue
TlsAlloc
FlsSetValue
TlsFree
FlsFree
SetLastError
GetCurrentThreadId
TlsSetValue
GetCurrentThread
FlsAlloc
LCMapStringA
WideCharToMultiByte
MultiByteToWideChar
LCMapStringW
RtlVirtualUnwind
RtlLookupFunctionEntry
GetStdHandle
HeapSetInformation
HeapDestroy
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoA
DeleteCriticalSection
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
FatalAppExitA
GetStringTypeA
GetStringTypeW
GetDateFormatA
GetTimeFormatA
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
SetConsoleCtrlHandler
InitializeCriticalSection
SetFilePointer
GetConsoleCP
GetConsoleMode
HeapReAlloc
GetTimeZoneInformation
HeapSize
GetLocaleInfoW
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
CompareStringA
CompareStringW
SetEnvironmentVariableA
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
!This program cannot be run in DOS mode.
`.rdata
@.data
ERROR %s (code %d)
Invalid Cache entries number. Shouldn't happen.
Failed to alloc a Heap.
Invalid LSA key...
HeapCreate
Kill CacheDump service (shouldn't be used)
cacheDump [-v | -vv | -K]
Verbose
Very verbose
CacheDump 1.4 - Dump Cache Entries
OpenSCManager function failed
DeleteService failed. Is the service running?
Service successfully removed.
Can't stop the service. Try to remove it.
Retry in 2 sec
ControlService failed to STOP the service.
Service currently active. Stopping service...
QueryServiceStatus failed
OpenService function failed
LSA Key:
NL$%d(%d):
Pipe connected.
ConnectNamedPipe function failed.
Service started.
StartService function failed
Are you Administrator? Is cacheDump executed from a local drive? Service still runnning?
Service already running. Shouldn't happen. try -K flag.
Pipe %s created.
CreateNamedPipe function failed. Dumping cache do not seems to work.
\\.\pipe\%ls
CacheDump service successfully installed.
Try to kill CacheDump service.
No CacheDump service found !
CreateService function failed
Service not found. Installing CacheDump Service (%s)
RtlCompareUnicodeString
NtQuerySystemInformation
Failed to read LSASS memory.
Unable to open LSASS.EXE process
Unable to find LSASS pid.
Unable to GetModuleInformation
Unable to LoadLibrary lsasrv.dll
lsasrv.dll
CacheDump
Can't compute LSA Cipher Key SystemFunction005
Failed to send LSA Cipher Key WriteFile
Failed to retrieve LSA Cipher Key value RegQueryValue
Failed to retrieve LSA Cipher Key by RegOpenKeyEx
SECURITY\Policy\Secrets\NL$KM\CurrVal
Failed to retrieved LSA Cipher key
Failed to GetProcAddress SystemFunction005
SystemFunction005
Failed to load LoadLibrary advapi32.dll
advapi32.dll
Incorrect MSV Version (only v1.4 supported)
NL$Control
Failed to open key SECURITY\Cache in RegOpenKeyEx. Is service running as SYSTEM ? Do you ever log on domain ?
SECURITY\CACHE
(null)
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
.mixcrt
EncodePointer
KERNEL32.DLL
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
CorExitProcess
mscoree.dll
runtime error
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
united-states
united-kingdom
trinidad & tobago
south-korea
south-africa
south korea
south africa
slovak
puerto-rico
pr-china
pr china
new-zealand
hong-kong
holland
great britain
england
britain
america
swedish-finland
spanish-venezuela
spanish-uruguay
spanish-puerto rico
spanish-peru
spanish-paraguay
spanish-panama
spanish-nicaragua
spanish-modern
spanish-mexican
spanish-honduras
spanish-guatemala
spanish-el salvador
spanish-ecuador
spanish-dominican republic
spanish-costa rica
spanish-colombia
spanish-chile
spanish-bolivia
spanish-argentina
portuguese-brazilian
norwegian-nynorsk
norwegian-bokmal
norwegian
italian-swiss
irish-english
german-swiss
german-luxembourg
german-lichtenstein
german-austrian
french-swiss
french-luxembourg
french-canadian
french-belgian
english-usa
english-us
english-uk
english-trinidad y tobago
english-south africa
english-nz
english-jamaica
english-ire
english-caribbean
english-can
english-belize
english-aus
english-american
dutch-belgian
chinese-traditional
chinese-singapore
chinese-simplified
chinese-hongkong
chinese
canadian
belgian
australian
american-english
american english
american
Norwegian-Nynorsk
InitializeCriticalSectionAndSpinCount
kernel32.dll
SystemFunction036
ADVAPI32.DLL
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONIN$
CONOUT$
c:\source\fgdump\cachedump\Release\cachedump.pdb
FormatMessageA
GetLastError
ExitProcess
HeapAlloc
GetProcessHeap
HeapCreate
DisconnectNamedPipe
ReadFile
ConnectNamedPipe
CloseHandle
CreateNamedPipeA
GetModuleFileNameA
FreeLibrary
GetProcAddress
LoadLibraryA
ReadProcessMemory
OpenProcess
GetCurrentProcess
ExitThread
FlushFileBuffers
WriteFile
CreateFileA
WaitNamedPipeA
CreateThread
KERNEL32.dll
wsprintfA
USER32.dll
StartServiceCtrlDispatcherA
OpenSCManagerA
CloseServiceHandle
DeleteService
ControlService
QueryServiceStatus
StartServiceA
CreateServiceA
OpenServiceA
SetServiceStatus
RegQueryValueExA
RegOpenKeyExA
RegisterServiceCtrlHandlerA
ADVAPI32.dll
StringFromGUID2
CoCreateGuid
ole32.dll
GetModuleInformation
PSAPI.DLL
HeapFree
GetCommandLineA
GetVersionExA
EnterCriticalSection
LeaveCriticalSection
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
GetModuleHandleA
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
GetCurrentThreadId
GetCurrentThread
LCMapStringA
WideCharToMultiByte
MultiByteToWideChar
LCMapStringW
DeleteCriticalSection
FatalAppExitA
VirtualFree
VirtualAlloc
HeapReAlloc
HeapDestroy
GetStdHandle
RtlUnwind
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoA
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetStringTypeA
GetStringTypeW
GetTimeFormatA
GetDateFormatA
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
InitializeCriticalSection
SetConsoleCtrlHandler
InterlockedExchange
SetFilePointer
GetConsoleCP
GetConsoleMode
GetTimeZoneInformation
HeapSize
GetLocaleInfoW
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
CompareStringA
CompareStringW
SetEnvironmentVariableA
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
</assembly>
!This program cannot be run in DOS mode.
`.rdata
@.data
.pdata
@.reloc