Analysis Date: 2015-04-30 04:30:13
MD5: 01b16dff4a49a1f368c547e3a7bed9ce
SHA1: 1e03bf5075553c4b1c43836a71f839c52ec7568d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: a8692f5ba740240ef0f9a827376f76f9 sha1: 41f3c4b70ff31dfc1b3352173567cb857c3f7cb3 size: 74752
Section: .rdata md5: d4f36accffde0bf520f52486679ccf0d sha1: 891cbdf18a460a41df342f7f806a2dca0a68bea1 size: 7680
Section: .data md5: b6c7edb5b7fec47a37a622cc5d71f3f4 sha1: 6e76e64e9fec63232a0ae118666c0588b4543be1 size: 512
Section: .CRT md5: 439411041ee0b8261668525c5c132cd9 sha1: 817c1d9c0c3df118ce4391ba48b5f5285b01916c size: 512
Section: .rsrc md5: 38e3446eab35f1f55c604f6ff94f0d26 sha1: 748fc69b0b7d27cf2d4120fc8d13174196260c24 size: 17920
Timestamp: 2012-06-09 13:19:49
Pdb path: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
PEhash: cb385bf8318649ee79bbf62407cdac7940bcf68d
IMPhash: 3c98c11017e670673be70ad841ea9c37
AV Ad-Aware: Trojan.Generic.KDV.848382
AV Alwil (avast): Malware-gen:PlugX-D [Trj]:VBS:Malware-gen
AV Arcabit (arcavir): Trojan.Generic.KDV.848382
AV Authentium: W32/Trojan.JCOO-2025
AV Avira (antivir): BDS/Plugx.A.89
AV BitDefender: Trojan.Generic.KDV.848382
AV BullGuard: Trojan.Generic.KDV.848382
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Click2.48826
AV Emsisoft: Trojan.Generic.KDV.848382
AV Eset (nod32): Win32/Korplug.AF
AV Fortinet: W32/Korplug.AF!tr
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: Win32.Malware
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: Backdoor.Win32.Gulpix.ae:Backdoor.Win32.Gulpix.a
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic BackDoor!bc3
AV Microsoft Security Essentials: Backdoor:Win32/Plugx.A
AV MicroWorld (escan): Trojan.Generic.KDV.848382[ZP]
AV Padvish: Trojan.Win32.Plugx.b
AV Rising: Trojan.Win32.Malware.bms
AV Sophos: no_virus
AV Symantec: Backdoor.Korplug
AV Trend Micro: TROJ_PLUGX.BE
AV Twister: Backdoor.FD820158A1F33AA0
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: Nv.exe
Creates File: NvSmartMax.dll
Creates File: __tmp_rar_sfx_access_check_73171
Creates File: NvSmartMax.dll.url
Deletes File: __tmp_rar_sfx_access_check_73171
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\Nv.exe

Process
↳ C:\Program Files\Common Files\Nv.exe

Creates Process: C:\WINDOWS\system32\svchost.exe 201 0

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\Nv.exe

Registry: HKEY_LOCAL_MACHINE\Software\CLASSES\FAST\CLSID ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\Program Files\Common Files\NvSmartMax.dll.url
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\Common Files\Nv.exe
Creates File: C:\Program Files\Common Files\NvSmartMax.dll
Deletes File: C:\malware.exe
Creates Mutex: DoInstPrepare
Creates Mutex: DBWinMutex

Process
↳ C:\Program Files\Common Files\Nv.exe

Creates Service: SxS - C:\Program Files\Common Files\Nv.exe 200 0

Process
↳ C:\WINDOWS\system32\svchost.exe 201 0

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\system32\msiexec.exe 209 1708
Creates Mutex: DBWinMutex
Winsock DNS: shuimengluosuo.freetcp.com

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice
Creates File: PIPE\lsarpc

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\services.exe

Creates File: pipe\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
Creates File: PIPE\lsarpc

Process
↳ C:\WINDOWS\system32\msiexec.exe 209 1708

Network Details:

DNS: shuimengluosuo.freetcp.com
Type: A
87.98.185.133
DNS: shuimengluosuo.freetcp.com
Type: A
87.98.185.133
HTTP POST: http://shuimengluosuo.freetcp.com:5566/update?id=002d6a30
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
HTTP POST: http://shuimengluosuo.freetcp.com:5566/update?id=002d6a30
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53
Flows TCP: 192.168.1.1:1032 ➝ 87.98.185.133:5566
Flows TCP: 192.168.1.1:1033 ➝ 87.98.185.133:5566
Flows TCP: 192.168.1.1:1034 ➝ 87.98.185.133:5566
Flows UDP: 192.168.1.1:1035 ➝ 87.98.185.133:5566
Flows TCP: 192.168.1.1:1036 ➝ 87.98.185.133:5566
Flows TCP: 192.168.1.1:1037 ➝ 87.98.185.133:5566
Flows UDP: 192.168.1.1:1038 ➝ 87.98.185.133:5566

Raw Pcap

Strings