Analysis Date: 2014-10-12 01:28:11
MD5: 642b12cdda124e1f70b548d126600f98
SHA1: 12981f7ebf0cbbcd6d2498f1ddef11ab7b854658

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: a8692f5ba740240ef0f9a827376f76f9 sha1: 41f3c4b70ff31dfc1b3352173567cb857c3f7cb3 size: 74752
Section: .rdata md5: d4f36accffde0bf520f52486679ccf0d sha1: 891cbdf18a460a41df342f7f806a2dca0a68bea1 size: 7680
Section: .data md5: b6c7edb5b7fec47a37a622cc5d71f3f4 sha1: 6e76e64e9fec63232a0ae118666c0588b4543be1 size: 512
Section: .CRT md5: 439411041ee0b8261668525c5c132cd9 sha1: 817c1d9c0c3df118ce4391ba48b5f5285b01916c size: 512
Section: .rsrc md5: c85d91f71d186ae0f814bef3d123ca3c sha1: bc88c199ee5cc2658cbed909a4a19817514c6879 size: 12800
Timestamp: 2012-06-09 13:19:49
Pdb path: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
PEhash: bf9eb75592e94c63c87d5ad32c87321fd8cdc256
IMPhash: 3c98c11017e670673be70ad841ea9c37
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Generic.11329274
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): BDS/Plugx.A.227
AV BullGuard: Trojan.Generic.11329274
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Backdoor.Zegost.r5
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Generic.11329274
AV Eset (nod32): Win32/Korplug.CC
AV Fortinet: W32/Zegost.YVN!tr.bdr
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): Agent4.BVOS
AV Ikarus: Trojan.Agent4
AV K7: Trojan ( 0049ab1e1 )
AV Kaspersky: Backdoor.Win32.Zegost.yvn
AV MalwareBytes: Trojan.Agent.MC
AV Mcafee: RDN/Generic BackDoor!yo
AV Microsoft Security Essentials: Backdoor:Win32/Plugx.A
AV MicroWorld (escan): Trojan.Generic.11329274[ZP]
AV Norman: winpe/Troj_Generic.VJEEI:winpe/Troj_Generic.UEKDJ
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.ADH
AV Trend Micro: TROJ_SPNR.15FI14
AV VirusBlokAda (vba32): no_virus
AV Yara APT: no_virus
AV Zillya!: Backdoor.Gulpix.Win32.72

Runtime Details:

Process
↳ C:\malware.exe

Creates File: Mc.exe
Creates File: McUtil.dll
Creates File: __tmp_rar_sfx_access_check_73921
Creates File: McUtil.dll.url
Deletes File: __tmp_rar_sfx_access_check_73921
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\Mc.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\Mc.exe

Creates File: C:\Documents and Settings\All Users\WowSys\McUtil.dll.url
Creates File: C:\Documents and Settings\All Users\WowSys\McUtil.dll
Creates File: C:\Documents and Settings\All Users\WowSys\Mc.exe
Creates Mutex: Global\DelSelf(000006DC)
Creates Mutex: Global\DelSelf(00000544)
Creates Service: WowSys - C:\Documents and Settings\All Users\WowSys\Mc.exe

Process
↳ C:\Documents and Settings\All Users\WowSys\Mc.exe

Creates Process: C:\WINDOWS\system32\svchost.exe 201 0

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: WMIDataDevice

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe 201 0

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\CLASSES\FAST\CLSID ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: pipe\winlogonrpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\WINDOWS\system32\msiexec.exe 209 948
Creates Mutex: Global\DelSelf(0000074C)
Creates Mutex: Global\DelSelf(00000464)
Creates Mutex: Global\DelSelf(00000538)
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\DelSelf(00000224)
Creates Mutex: Global\DelSelf(00000268)
Creates Mutex: Global\DelSelf(0000014C)
Creates Mutex: Global\DelSelf(000001EC)
Creates Mutex: Global\DelSelf(00000544)
Creates Mutex: Global\DelSelf(00000408)
Creates Mutex: Global\DelSelf(000003DC)
Creates Mutex: Global\DelSelf(00000360)
Creates Mutex: Global\DelSelf(00000274)
Creates Mutex: Global\DelSelf(000003B4)
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: Global\DelSelf(000006DC)
Creates Mutex: DBWinMutex
Creates Mutex: Global\DelSelf(000004A8)
Creates Mutex: Global\DelSelf(0000023C)
Creates Mutex: Global\DelSelf(000004B8)
Creates Mutex: Global\DelSelf(00000330)
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\DelSelf(000004C4)
Creates Mutex: Global\DelSelf(00000100)
Winsock DNS: nss.e-mail-ru.org

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Creates File: PIPE\lsarpc

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\services.exe

Creates File: pipe\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
Creates File: PIPE\lsarpc

Process
↳ C:\WINDOWS\system32\msiexec.exe 209 948

Network Details:

DNS: nss.e-mail-ru.org
Type: A
198.200.50.162
HTTP POST: http://nss.e-mail-ru.org:443/29CE9C17/BD68ADC1/8E49BAA5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
HTTP POST: http://nss.e-mail-ru.org:443/A2DC2197/498BB61D/EC323B4C
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
HTTP POST: http://nss.e-mail-ru.org:443/02D7E271/5446E02C/FE64C4D5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53
Flows TCP: 192.168.1.1:1031 ➝ 198.200.50.162:443
Flows TCP: 192.168.1.1:1032 ➝ 198.200.50.162:443
Flows TCP: 192.168.1.1:1033 ➝ 198.200.50.162:443

Raw Pcap

Strings