| Field | Value |
|---|---|
| Analysis Date | 2015-07-25 08:29:40 |
| MD5 | e79b68771df524bb55148d2daec83fe1 |
| SHA1 | f51235b97dac1a7202c2ef2944d181d26e88af0e |
Static Details:
| Field | Value |
|---|---|
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
| Section | CODE md5: 146a85996ec983140cace6b8e1c5e83f sha1: 1ce44091521a5e990427fa229336bf1560d7981c size: 19192 |
| Section | .data md5: 61e2864b5f89ec0f6c294c5c6717326e sha1: c8d7c088c06a61b01ebfe1551e24a2789c7b3516 size: 170384 |
| Section | .rsrc md5: 616d25b4d6b22b2bccf1a51a19bc7f51 sha1: 9e2842c7b606270acb13dddc699d4eff4e9bc5c2 size: 1952 |
| Section | .idata2 md5: de557d7c4177caf67c6461f82c4d050e sha1: acf7bf1a05bfeac8df16cde96282494c90192735 size: 2048 |
| Timestamp | 2010-07-14 22:03:32 |
| Version | LegalCopyright: (C) Microsoft Corporation. All rights reserved.; InternalName: SPUNINST.EXE; FileVersion: 6.3.0004.1 built by: dnsrv; CompanyName: Microsoft Corporation; ProductName: Microsoft(R) Windows(R) Operating System; ProductVersion: 6.3.0004.1; FileDescription: Windows Service Pack Uninstall; OriginalFilename: SPUNINST.EXE |
| Packer | Microsoft Visual C++ v6.0 |
| PEhash | 4ff5f505dd36d1486dc7d482d5bde2e3ae1fcf5b |
| IMPhash | c509dbcf0dade053e5588087a4d64742 |
| AV engine | Detection |
|---|---|
| Rising | Backdoor.Win32.GenFxj.c |
| Mcafee | BackDoor-CEP.gen.cn |
| Avira (antivir) | TR/PSW.Bjlog.lfzb |
| Twister | Trojan.0620A8F6C2540BE5 |
| Ad-Aware | Backdoor.Generic.413692 |
| Alwil (avast) | Zegost-D [Drp]:Zegost-E [Drp] |
| Eset (nod32) | Win32/Redosdru.GL |
| Grisoft (avg) | Dropper.Generic2.ABMZ |
| Symantec | Trojan Horse |
| Fortinet | W32/Bjlog.LBY!tr.pws |
| BitDefender | Backdoor.Generic.413692 |
| K7 | Password-Stealer ( 001947491 ) |
| Microsoft Security Essentials | TrojanDropper:Win32/Zegost.B |
| MicroWorld (escan) | Backdoor.Generic.413692 |
| MalwareBytes | Backdoor.Zegost |
| Authentium | W32/Zegost.C.gen!Eldorado |
| Frisk (f-prot) | W32/Zegost.C.gen!Eldorado |
| Ikarus | Trojan-PWS.Win32.Bjlog |
| Emsisoft | Backdoor.Generic.413692 |
| Zillya! | no_virus |
| Kaspersky | Trojan-PSW.Win32.Bjlog.dtwr |
| Trend Micro | TROJ_BJ.7C63AE6E |
| CAT (quickheal) | TrojanDropper.Zegost.C5 |
| VirusBlokAda (vba32) | TrojanPSW.Bjlog |
| Padvish | no_virus |
| BullGuard | Backdoor.Generic.413692 |
| Arcabit (arcavir) | Backdoor.Generic.413692 |
| ClamAV | Trojan.Spy-76825 |
| Dr. Web | BackDoor.Zegost.48 |
| F-Secure | Backdoor:W32/Bjlog.D |
| CA (E-Trust Ino) | Win32/Zegost.CJ |
Runtime Details:
Process
↳ C:\malware.exe
| Action | Detail |
|---|---|
| Creates File | c:\ejcujjlmpt |
| Creates Process | C:\malware.exe a -sc:\malware.exe |
Process
↳ C:\malware.exe a -sc:\malware.exe
| Action | Detail |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\sOFtwaRe\xdcdxkfeo\seRVicemAIN ➝ NPGetResourceParent\\x00 |
| Registry | HKEY_LOCAL_MACHINE\sOFtwaRe\xdcdxkfeou\DependOnService ➝ NULL |
| Creates File | c:\Documents and Settings\Administrator\Local Settings\temp\gcjiveigvx.dat |
| Creates File | C:\WINDOWS\system32\f5859b27.rdb |
| Creates File | xdcdxkfeo |
| Deletes File | c:\malware.exe |
| Deletes File | xdcdxkfeo |
| Starts Service | HidServ |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 808
Process
↳ Pid 856
Process
↳ C:\WINDOWS\System32\svchost.exe
| Action | Detail |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Comhidserv70\Description ➝ Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.\\x00 |
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL |
| Creates File | PhysicalDrive0 |
| Creates File | bgmdioxcrr |
| Creates File | C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
| Deletes File | bgmdioxcrr |
| Deletes File | c:\ejcujjlmpt |
| Creates Mutex | Global\b405763378_8086j |
| Creates Mutex | eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18 |
Process
↳ Pid 1212
Process
↳ C:\WINDOWS\system32\spoolsv.exe
| Action | Detail |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Process
↳ Pid 1860
Process
↳ Pid 1168
Network Details:
Raw Pcap
0x00000000 (00000) 63623173 744a02 cb1stJ.
Strings