Analysis Date | 2015-07-24 05:56:51 |
---|---|
MD5 | e60d277a7e7eb551d254eb2f715b2c36 |
SHA1 | f4e20c8366dc2a1251365511db1f6796c6110345 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | CODE md5: 146a85996ec983140cace6b8e1c5e83f sha1: 1ce44091521a5e990427fa229336bf1560d7981c size: 19192 | |
Section | .data md5: 61e2864b5f89ec0f6c294c5c6717326e sha1: c8d7c088c06a61b01ebfe1551e24a2789c7b3516 size: 170384 | |
Section | .rsrc md5: 616d25b4d6b22b2bccf1a51a19bc7f51 sha1: 9e2842c7b606270acb13dddc699d4eff4e9bc5c2 size: 1952 | |
Section | .idata2 md5: de557d7c4177caf67c6461f82c4d050e sha1: acf7bf1a05bfeac8df16cde96282494c90192735 size: 2048 | |
Timestamp | 2010-07-14 22:03:32 | |
Version | LegalCopyright: (C) Microsoft Corporation. All rights reserved. InternalName: SPUNINST.EXE FileVersion: 6.3.0004.1 built by: dnsrv CompanyName: Microsoft Corporation ProductName: Microsoft(R) Windows(R) Operating System ProductVersion: 6.3.0004.1 FileDescription: Windows Service Pack Uninstall OriginalFilename: SPUNINST.EXE | |
Packer | Microsoft Visual C++ v6.0 | |
PEhash | a8ec5e4b89a39f53a29705d2a472f883fb5008c6 | |
IMPhash | c509dbcf0dade053e5588087a4d64742 | |
AV | Rising | Backdoor.Win32.GenFxj.c |
AV | CA (E-Trust Ino) | Win32/Zegost.CJ |
AV | F-Secure | Backdoor:W32/Bjlog.D |
AV | Dr. Web | BackDoor.Zegost.48 |
AV | ClamAV | Trojan.Spy-76825 |
AV | Arcabit (arcavir) | Backdoor.Generic.413692 |
AV | BullGuard | Backdoor.Generic.413692 |
AV | Padvish | no_virus |
AV | VirusBlokAda (vba32) | TrojanPSW.Bjlog |
AV | CAT (quickheal) | TrojanDropper.Zegost.C5 |
AV | Trend Micro | TROJ_BJ.7C63AE6E |
AV | Kaspersky | Trojan-PSW.Win32.Bjlog.dtwr |
AV | Zillya! | no_virus |
AV | Emsisoft | Backdoor.Generic.413692 |
AV | Ikarus | Trojan-PWS.Win32.Bjlog |
AV | Frisk (f-prot) | W32/Zegost.C.gen!Eldorado |
AV | Authentium | W32/Zegost.C.gen!Eldorado |
AV | MalwareBytes | Backdoor.Zegost |
AV | MicroWorld (escan) | Backdoor.Generic.413692 |
AV | Microsoft Security Essentials | TrojanDropper:Win32/Zegost.B |
AV | K7 | Password-Stealer ( 001947491 ) |
AV | BitDefender | Backdoor.Generic.413692 |
AV | Fortinet | W32/Bjlog.LBY!tr.pws |
AV | Symantec | Trojan Horse |
AV | Grisoft (avg) | Dropper.Generic2.ABMZ |
AV | Eset (nod32) | Win32/Redosdru.GL |
AV | Alwil (avast) | Zegost-D [Drp]:Zegost-E [Drp] |
AV | Ad-Aware | Backdoor.Generic.413692 |
AV | Twister | Trojan.0620A8F6C2540BE5 |
AV | Avira (antivir) | TR/PSW.Bjlog.lfzb |
AV | Mcafee | BackDoor-CEP.gen.cn |
Runtime Details:
Process
↳ C:\malware.exe
Creates File | c:\edmcfsvqit |
---|---|
Creates Process | C:\malware.exe a -sc:\malware.exe |
Process
↳ C:\malware.exe a -sc:\malware.exe
Registry | HKEY_LOCAL_MACHINE\sOFtwaRe\pogccldtws\DependOnService ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\sOFtwaRe\pogccldtw\seRVicemAIN ➝ NPGetResourceParent\\x00 |
Creates File | pogccldtw |
Creates File | c:\Documents and Settings\Administrator\Local Settings\temp\pkjcpcbheg.dat |
Creates File | C:\WINDOWS\system32\f5859b27.rdb |
Deletes File | pogccldtw |
Deletes File | c:\malware.exe |
Starts Service | HidServ |
Process
↳ C:\WINDOWS\system32\svchost.exe
Creates File | PIPE\lsarpc |
---|---|
Creates File | \Device\Afd\Endpoint |
Process
↳ Pid 800
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL |
---|---|
Creates File | PhysicalDrive0 |
Creates File | kkdvomlefx |
Creates File | C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
Deletes File | kkdvomlefx |
Deletes File | c:\edmcfsvqit |
Creates Mutex | Global\b405763378_8086j |
Creates Mutex | eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18 |
Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Process
↳ Pid 1868
Process
↳ Pid 1132
Network Details:
Raw Pcap
0x00000000 (00000) 63623173 744302 cb1stC.
Strings