Analysis Date2014-11-19 22:02:40
MD5a799082815270fb8014dbbff75f50333
SHA13756f220bd5deecebef8fae9c719bbb381a08541

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 894f17ef0a4e766fe486a080522d2539 sha1: a5a5f63920f73ebabc66aae4b8f0ddca81d71ef1 size: 73216
Section.rdata md5: 76315cc3ce7c7f34b89c00e96fd3d919 sha1: 1afac004428678a6a4cd633958611c8d7ac590b0 size: 7680
Section.data md5: 6f9415022853d8e925bcb178dd62e322 sha1: 5e1e363d8ab4a38995c8ce4a2e2cfa4388b9bb79 size: 512
Section.CRT md5: d8690a66757c8eeab6988f4a858f4dcd sha1: 68d36d3a231c043e8da6819ccbb59260702101e4 size: 512
Section.rsrc md5: 2949e1284c3723af5de5cd5df098fdbb sha1: e1f845235587b66b5139047ac0693286d9b8dad1 size: 14336
Timestamp2012-02-17 14:55:21
Pdb pathd:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
PEhash90d7075fbcd517f739d725dbede06b7481d5c23a
IMPhash553ef6236c6cb4268814330cd1e93c7d
AV360 SafeTrojan.Generic.8796766
AVAd-AwareTrojan.Generic.8796766
AVAlwil (avast)no_virus
AVArcabit (arcavir)no_virus
AVAuthentiumW32/Trojan.HRVC-7328
AVAvira (antivir)TR/Dropper.Gen
AVBullGuardTrojan.Generic.8796766
AVCA (E-Trust Ino)no_virus
AVCAT (quickheal)no_virus
AVClamAVWin.Trojan.Agent-36611
AVDr. WebTrojan.Click2.9131
AVEmsisoftTrojan.Generic.8796766
AVEset (nod32)no_virus
AVFortinetno_virus
AVFrisk (f-prot)no_virus
AVF-SecureTrojan.Generic.8796766
AVGrisoft (avg)Clicker.AVOC
AVIkarusTrojan.Win32.Chifrax
AVK7Trojan ( 001d712b1 )
AVKasperskyTrojan.Win32.Generic:Trojan-Clicker.Win32.Agent.aaua
AVMalwareBytesno_virus
AVMcafeeno_virus
AVMicrosoft Security Essentialsno_virus
AVMicroWorld (escan)Trojan.Generic.8796766
AVRisingno_virus
AVSophosno_virus
AVSymantecTrojan.Gen
AVTrend Microno_virus
AVVirusBlokAda (vba32)TrojanPSW.Magania

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Fileweb7b.ini
Creates Filesvch0st.exe
Creates File$wdd.bat
Creates Filesc.vbs
Creates File$wdd.vbs
Creates File__tmp_rar_sfx_access_check_75734
Creates File2.mp3
Deletes File__tmp_rar_sfx_access_check_75734

Process
↳ C:\WINDOWS\system32\reg.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon ➝
c:\config\dr\svch0st.exe\\x00

Process
↳ c:\config\dr\svch0st.exe

RegistryHKEY_CURRENT_USER\RemoteAccess\Profile\06201023218\AutoConnect ➝
NULL
Creates FilePIPE\ROUTER
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates Filec:\config\dr\web7b.ini
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\Program Files\7b
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Starts ServiceRASMAN

Process
↳ Pid 816

Process
↳ Pid 864

Process
↳ C:\WINDOWS\System32\svchost.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝
NULL
Creates FilePIPE\wkssvc
Creates FileWANARP
Creates FilePIPE\lsarpc
Creates FileC:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates FileC:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates MutexGlobal\RAS_MO_01
Creates MutexRAS_MO_02

Process
↳ Pid 1124

Process
↳ Pid 1220

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1860

Process
↳ Pid 1196

Network Details:

DNSdnspod-free.mydnspod.net
Type: A
119.28.48.229
DNSdnspod-free.mydnspod.net
Type: A
119.28.48.228
DNSwww.web7b.cn
Type: A
DNSw.web7b.cn
Type: A
HTTP GEThttp://www.web7b.cn/banben.asp?banben=2.2.9.8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP POSThttp://www.web7b.cn/soft/login0.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP POSThttp://www.web7b.cn/soft/login0.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP192.168.1.1:1031 ➝ 119.28.48.229:80
Flows TCP192.168.1.1:1032 ➝ 119.28.48.229:80
Flows TCP192.168.1.1:1033 ➝ 119.28.48.229:80

Raw Pcap
0x00000000 (00000)   47455420 2f62616e 62656e2e 6173703f   GET /banben.asp?
0x00000010 (00016)   62616e62 656e3d32 2e322e39 2e382048   banben=2.2.9.8 H
0x00000020 (00032)   5454502f 312e310d 0a557365 722d4167   TTP/1.1..User-Ag
0x00000030 (00048)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000040 (00064)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000050 (00080)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x00000060 (00096)   4e542035 2e30290d 0a416363 6570743a   NT 5.0)..Accept:
0x00000070 (00112)   202a2f2a 0d0a486f 73743a20 7777772e    */*..Host: www.
0x00000080 (00128)   77656237 622e636e 0d0a4361 6368652d   web7b.cn..Cache-
0x00000090 (00144)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x000000a0 (00160)   650d0a0d 0a                           e....

0x00000000 (00000)   504f5354 202f736f 66742f6c 6f67696e   POST /soft/login
0x00000010 (00016)   302e6173 70204854 54502f31 2e310d0a   0.asp HTTP/1.1..
0x00000020 (00032)   41636365 70743a20 696d6167 652f6769   Accept: image/gi
0x00000030 (00048)   662c2069 6d616765 2f782d78 6269746d   f, image/x-xbitm
0x00000040 (00064)   61702c20 696d6167 652f6a70 65672c20   ap, image/jpeg, 
0x00000050 (00080)   696d6167 652f706a 7065672c 20617070   image/pjpeg, app
0x00000060 (00096)   6c696361 74696f6e 2f782d73 686f636b   lication/x-shock
0x00000070 (00112)   77617665 2d666c61 73682c20 6170706c   wave-flash, appl
0x00000080 (00128)   69636174 696f6e2f 766e642e 6d732d65   ication/vnd.ms-e
0x00000090 (00144)   7863656c 2c206170 706c6963 6174696f   xcel, applicatio
0x000000a0 (00160)   6e2f766e 642e6d73 2d706f77 6572706f   n/vnd.ms-powerpo
0x000000b0 (00176)   696e742c 20617070 6c696361 74696f6e   int, application
0x000000c0 (00192)   2f6d7377 6f72642c 202a2f2a 0d0a5265   /msword, */*..Re
0x000000d0 (00208)   66657265 723a2068 7474703a 2f2f7777   ferer: http://ww
0x000000e0 (00224)   772e7765 6237622e 636e2f73 6f66742f   w.web7b.cn/soft/
0x000000f0 (00240)   6c6f6769 6e302e61 73700d0a 41636365   login0.asp..Acce
0x00000100 (00256)   70742d4c 616e6775 6167653a 207a682d   pt-Language: zh-
0x00000110 (00272)   636e0d0a 436f6e74 656e742d 54797065   cn..Content-Type
0x00000120 (00288)   3a206170 706c6963 6174696f 6e2f782d   : application/x-
0x00000130 (00304)   7777772d 666f726d 2d75726c 656e636f   www-form-urlenco
0x00000140 (00320)   6465640d 0a436f6e 74656e74 2d4c656e   ded..Content-Len
0x00000150 (00336)   6774683a 2034320d 0a557365 722d4167   gth: 42..User-Ag
0x00000160 (00352)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000170 (00368)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000180 (00384)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x00000190 (00400)   4e542035 2e30290d 0a486f73 743a2077   NT 5.0)..Host: w
0x000001a0 (00416)   77772e77 65623762 2e636e0d 0a436163   ww.web7b.cn..Cac
0x000001b0 (00432)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000001c0 (00448)   61636865 0d0a0d0a 75736572 6e616d65   ache....username
0x000001d0 (00464)   3d353638 33303133 26706173 73776f72   =5683013&passwor
0x000001e0 (00480)   643d3563 32393066 66386566 35396166   d=5c290ff8ef59af
0x000001f0 (00496)   6139                                  a9

0x00000000 (00000)   504f5354 202f736f 66742f6c 6f67696e   POST /soft/login
0x00000010 (00016)   302e6173 70204854 54502f31 2e310d0a   0.asp HTTP/1.1..
0x00000020 (00032)   41636365 70743a20 696d6167 652f6769   Accept: image/gi
0x00000030 (00048)   662c2069 6d616765 2f782d78 6269746d   f, image/x-xbitm
0x00000040 (00064)   61702c20 696d6167 652f6a70 65672c20   ap, image/jpeg, 
0x00000050 (00080)   696d6167 652f706a 7065672c 20617070   image/pjpeg, app
0x00000060 (00096)   6c696361 74696f6e 2f782d73 686f636b   lication/x-shock
0x00000070 (00112)   77617665 2d666c61 73682c20 6170706c   wave-flash, appl
0x00000080 (00128)   69636174 696f6e2f 766e642e 6d732d65   ication/vnd.ms-e
0x00000090 (00144)   7863656c 2c206170 706c6963 6174696f   xcel, applicatio
0x000000a0 (00160)   6e2f766e 642e6d73 2d706f77 6572706f   n/vnd.ms-powerpo
0x000000b0 (00176)   696e742c 20617070 6c696361 74696f6e   int, application
0x000000c0 (00192)   2f6d7377 6f72642c 202a2f2a 0d0a5265   /msword, */*..Re
0x000000d0 (00208)   66657265 723a2068 7474703a 2f2f7777   ferer: http://ww
0x000000e0 (00224)   772e7765 6237622e 636e2f73 6f66742f   w.web7b.cn/soft/
0x000000f0 (00240)   6c6f6769 6e302e61 73700d0a 41636365   login0.asp..Acce
0x00000100 (00256)   70742d4c 616e6775 6167653a 207a682d   pt-Language: zh-
0x00000110 (00272)   636e0d0a 436f6e74 656e742d 54797065   cn..Content-Type
0x00000120 (00288)   3a206170 706c6963 6174696f 6e2f782d   : application/x-
0x00000130 (00304)   7777772d 666f726d 2d75726c 656e636f   www-form-urlenco
0x00000140 (00320)   6465640d 0a436f6e 74656e74 2d4c656e   ded..Content-Len
0x00000150 (00336)   6774683a 2034320d 0a557365 722d4167   gth: 42..User-Ag
0x00000160 (00352)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000170 (00368)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000180 (00384)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x00000190 (00400)   4e542035 2e30290d 0a486f73 743a2077   NT 5.0)..Host: w
0x000001a0 (00416)   77772e77 65623762 2e636e0d 0a436163   ww.web7b.cn..Cac
0x000001b0 (00432)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000001c0 (00448)   61636865 0d0a0d0a 75736572 6e616d65   ache....username
0x000001d0 (00464)   3d353638 33303133 26706173 73776f72   =5683013&passwor
0x000001e0 (00480)   643d3563 32393066 66386566 35396166   d=5c290ff8ef59af
0x000001f0 (00496)   6139                                  a9


Strings
\_
.\
:\\
...
010A___
.
.
x
S..
%08x
333f3
(&A)
about:blank
ASKNEXTVOL
</b> 
 <b>
(&B)...
<br>
<br><br> <li>
b<style>body{font-family:"Arial,
%c:\
(&C)
 %d 
(&D)
Delete
(&E):
EDIT
-el -s2 "-d%s" "-p%s" "-sp%s"
.exe
f3fff
";font-size:12;}</style><ul><li>
GETPASSWORD1
<head><meta http-equiv="content-type" content="text/html; charset=
hRichEdit20W
</html>
<html>
.inf
Install
jmsctls_progress32
kernel32
(&L)
</li>
</li><br><br>)<li>
</li><br><br>)<ul><li>
License
LICENSEDLG
LICENSEDLG	RENAMEDLG
</li></ul>
.lnk
*messages***
(&N)
@&nbsp;
Overwrite
</p>
Path
Presetup
ProgramFilesDir
(&R)
.rar
RarHtmlClassName
RarSFX
RENAMEDLG
REPLACEFILEDLG
riched20.dll
riched32.dll
r%.*s(%d)%s
rtmp%d
runas
 %s 
"%s"
SavePath
 %s CRC 
%s CRC 
%s.%d.tmp
SeRestorePrivilege
SeSecurityPrivilege
Setup
SetupCode
sfxcmd
sfxname
Shell.Explorer
Shortcut
Silent
Software\Microsoft\Windows\CurrentVersion
Software\WinRAR SFX
%s %s
%s%s%d
%s %s %s
STARTDLG
STATIC
</style>
<style>
<style>body{font-family:"Arial";font-size:12;}</style>
TempMode
Text
Title
__tmp_rar_sfx_access_check_%u
Update
utf-8"></head>
(&W)...
 Windows 
WinRAR 
winrarsfxmappingfile.tmp
(&Y)
=*!;'/
 &]`@$
-;<~-\
-&!'*,
?_\@-}
?*<>|"
"""""/
=&0}\`
*0,?\:
02Cz$i
]032=i	
{03w#_
04:2#o
 0:52:21.43
@05ani
05U)du
]0$67QuD[v
 (08@P`p
?0A+cr0
0b"tfE
0C3Nd 
0cgePx
0(CRZp
0D3N;q
0#j8xu
0k5V%C
%0(l+=
'0LK+O
0l/pY ~NY
0Ma?q<
0N=A	9w
0NtL,C_
0O,f(/c
0o&"g~`!9
=0Onz[
0~}P4<
0pz)?u"
]0_RnHZ_
?}0t{]
0t~vn+
0tV>s6
=//0+w
\}]\+1
1$`0W`
11,h`;
)/11-Q
11|R_q"
12:29p
1}2i>,
13~A=n
158Uoi
1a"U0~
1!BiT&
1B*n,U
1b;Vx}.
1<bWhK
&$1(-By
,1<Cfz
1chz|Q
-_1da9M
1dI7]_
1E%)RR
1FN{lh
1g5Equ
1g,cs>#I
1G:FkC\
-`1H]^
1h22FC
,(%1HLE
1<H;yQ
1I1[6q
?+1ixU1
1jr	U8
1!\[lJ
1Ly?N$
1^MFsQ
|.1_&]n
1n3j1"
 1O"fd?
&1oX '
1P{Kv7
1<~)pWqo7
1P,y#@
'1QE5%|
1{Sffl
1vALfz
1w'cG|
1#-,wz
1/y9{].
2_(!(: 
{|20.t
.21St7
2=3~.B0_
24X,;k
25hI^a
2%6mVS
26&=TQ
[/2[9~
2.'AI(
2B3:W8
2_>B:9
2\BCo-
2;B^Ly
2:DbWc
2	Dx(r3
2G[21x
2~$HNa
2IOC|>
:2KE).w
2Ko0LY
^2KVD8
2M8}^z
2%"Pbm
2pErP]
\?2Q[>a
2^QFk"Nv?
2[.~Qy5
]"2SCV9Y
2TH--:
(2:	u	
|#>2v|@
2VzIS?
2_(W'f>06
2Z9L40Zk)
3^\<!$
3%27pG
33!D	3
351B<m
3*,_6(
37.uUn
3-9NK<
3"aBga
3avM8abT
3b$#xbV
!3d8t&
3eB&Bl
:3'EuQ}
?3`FaO
	&_3fB~
3fgbFGNn
{3@{g>
3gy5\*o
3HIB#/
(3%i&m1
3Jb4o+Ud
3;k!8>
+3&NIy<
~3N}xRq
#3p"|h
[3PxIp
3ri]+?:
+3r\k<
?]3TIS!
<3\u1WV
)3v8Ei
3%vc'J
3wVVq??
_3x:9N
$.3xI'
3X=Yi)
\3]YS'
~3yW1I
!40q9x
43js9^
44G3Ae@[0
45v-I{?mi
46*!kx
46w.yTc
47M:O1kb
48il1,
}*?4'A
4BYG9O4
4;C?2>
4cL9D6
|4<$cu
4C"u|a
4dK}F 
,4FJ(7
4GPX5mi
4I%z ;s
:4jA[!F
(&4Kc9oP
&4$^m5
4M*K6_
4Nn-|`Go
4`N-OR
4ptzW@\Y
_4PZD.-
)4QAGF
~4/<.ql
4R,hLXg
4R<_jc
4Rvg_+"X
-4s/Da(G
4	TYzPghg
?/4uvVmY(S
4v+L*-F
4~<Vug
_4v y@
4xhcI}
}4&Y7w
4ycC\^
4Y_cOW
4Y_cOW	
4yoB9H
5_,019
5"0<Z(Q
=$53kE
"55syb,
57GB[P
5[9k|9
5b)^{w
 |5d=~
5dt!ey
/5/%FG>E
5#@GwG
^5h7C[7
5HF?_U
)5%~I0
5k@|;^
*~,{5K
5k^J0atp9
5l&3#o
@5} ,-n15$
5o9j,<
5o	JC}
5!o+Zo
5/Q	N2)
{5Rich
+.5S8[
|5t MT
5Uop6t
5.wSF]OXy
5]y8}'i%X
5Y@#i3
62Q0QX
$63C['
6''4G%C7
64h!,n
65GqF`
6	5hCz
^&67z5
6| 8`|
68]-e;
68W]o1V
=?%)6A
6"=ag`
6bF_>v/
6bqay0
*@6(cd
;(=6dev
6:dFLT>
6eV#,f
6/}F4b
6g}	jw
6^Hko]jn
6iM<H[
6[;.Ix
6j}$ak7
6M#;f=
6`oX\}
@6$^:{q
6QGn,F
*.6Quy1
$6sdAxX
`6tI8}
6wJ2n6A
6wMF\>
6-/x{kD
6Y3ow&
?6yI#G
6yL(9K
>71&HzY
`?75&@
768Y`6
7a-g_~]
~7b#-8
7=_BS(
7@+Fl}2U
|7?fq>
!7G="K
7h$%e@
7i|Wf l
7l849`
7lk qs
7(MnEgu
7NEL>Q|
7^N"vc6y
7ogR14
7rqD2c
(7rtkx
7s/'rr
7u6C6o
7,v|6Uo
}7WTT]E
7@~xQc
-7y3/S
83wFz[&F]M
`8>4b$
	84STLh1
8'5dz3
{87'kh
?	8[|8u1
8b,,7 L\
8],B^G#}7
8bQbUy
8BV_NF
8C<"T:\
8.?Eo	
8f&{^]
8	~gfs
!8?Go`
(8]H,C_
8iAj!y
8jMa|	
8J'R^k
!8!]`KJ
8L;%Mx
,8(oB6j
';!8Oj
8=PMvG
8q{6Ju
8qNOHj
8 R,~iW
)+('8S
8Sf/{y
_8sMpS
8-|Ti_
8u Jf:B%
8%y}dM
91Y'|B
92EgPHJTy
96tDc<r
:9:7ty
"|98jr
|98pn 
[9a]%4^
- [9Aq
9aUJ2D
9/?a;xL[u
^9= +B
(/.>9B>2
9\Cm0{"
9cMmRyuI
9DHw6L
>9d'v~T
9eIk.,
(9}&flz
9gWV!>&
9hr-oY
9h$_S]
\@9ht')
"9I`Qf0
9iX:PQ
	(9JgG
@9@!)K
9(K6`G
)9kKVd
?9^m8j
9n{=-.
>9N5ul
<]+9nD
9n(GT3m
9o>jrs
9pb9pQ
9TJhD^
!	9zb`
*A2`3(
%A2XVD
A3dcDa
A,3W)CF
A4Kfq;
A4?zM}/
:	\%a5\5
a>{.5J
^a}aiIZF
aA&}lJ#
AanJ}0
}{*Aao
aA vWY
AB i?a
\a,.bx#
Acs"^8
^aD'%;]	
AD"2^J
ada:K+
AdjustTokenPrivileges
a%@dRK
ADVAPI32.dll
 |a(E'7
?-'A(F.
a"F+]A
aG8YtS
A\G<kcK
ag@[veO
$['ah$
%AhbQM
AH/DP5
A-HdtC
ah[]l{t
Ah>Z%T
(aJ>i{
A-jvW$"
@A~k~	
AL7eye
aL;\nU
Am,2-xT
am56@ki
>amXnpw
+ao>#@
aOHk5-
Ap?Abd
  </application>
  <application>
Approximate round trip times in milli-seconds:
a>q?mcP)
'A}R?E[2
a!re}c
a*~RSE:"
-|A[rZNT
*As4=8
aSC![i
a-]S'j
</asmv3:application>
<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
  </asmv3:windowsSettings>
  <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
</assembly>
<assemblyIdentity
    <assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
asylsc[~
aTC#Jz
A/tdGF
?^ATJVr
{;At t:n
aUD54	
AuFTaP
aUL)`/
a+uxb~
Av2CxX
_	Ave:
AVy&3[%
(AWXG".<
=A##X  
A~XDS}
;]aXtVo
aylgFht
AZZJmr
='!b|=
B'@0|j
B22#:/
B[2E#f
b!`2MoM
#> b@<3
B3qLs;
b!4j)[R
.`B77-5S
 b8m,dn
#[>b9jg
bad allocation
bA.::I!f
?bA(\tmDQ
$bAwgh
B:,a	Z
@bB(1A
\BBiI1
BB)stQ
+Bc*2&
BCB)lT
_Bc:q~H
b$cZ|i@
Bdg7<'
-BD/JPj
bE<d|_
Beta8`
bEWY?)
B<e =x
BFc0Q]
+BFfaOB
@b	gck(W
bgDcJg
b-<GS(BKe
BH~1$)
BHmNSn
BH?P<$
]bhq<H
-Bh"w6
B?i{0\
Bi3>}:a
bIb^jPK~
<B@II;
{biP:L
Bi>%rF
B%IVJ{
bJrsn(
Bk?8IY
b>k(I&
Bktl^@
BLLHsl
?blruf
^b#mN/
_B[^N;1
BN a<W
.bo~dS
bOHtteAK
;B)Ow-
`\Bp?_
~?-BqN
BrqFau
bs{bZK
<bSFL="
Bsj!IT FTX
B}T6WO
bT(gJjw
}BTVe>
:bV0lMS!
<B	vtv
B.wJ:m
<b'WLz
bWxIuv
Bw=y@V
=B-X	'
(Bx7a8
bXA fv
bXbEo=
|BYfS?
BY:;^r
"B$Zb\\u
;);{!c
C:^@[<
>c-0E?
/+(c0,f/
c1gsN+
c!3d-S
<-C%3+Eh
C4.eh]P9
'|?c5;
C;%;!?" 51
%#c.<7
C7O/sG
=C7Pz@q
$%c8%fs
C~9=gCM
$?.c{a
cAjvcm
C&AN'W
cBbKou
_Cc#cT
cD4hXt*fQ
C(_>:dSr
ceQ&^	gdk
\}C	f"]
;CfDkU
CFsN1F
<#.CGz
CharToOemA
CharToOemBuffA
CharToOemBuffW
CharUpperA
CharUpperW
ChWKW	
\c*i-x
cjDPA@u
c!?/jy]
Cl48hG
CloseHandle
=c lqL
CLSIDFromString
ClTI]6E
C$LZ*t
:C&M0=k
 cm!jY
CN#t;H
CoCreateInstance
COMCTL32.dll
COMDLG32.dll
CommDlgExtendedError
CompareStringA
CompareStringW
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
CopyRect
cOr/~M
Cp#68Z'
C	Pbak
C;pF:rm
&C%PFZ
C! :pSL
c[Q:CDv
|$?;[cR
CreateCompatibleBitmap
CreateCompatibleDC
CreateDirectoryA
CreateDirectoryW
CreateFileA
CreateFileMappingW
CreateFileW
CreateStreamOnHGlobal
CreateWindowExW
crS`c`
%c?S1,
^-csdH
]cTL/C
?Cuf/{
;cuzb,
{cV@_C
c}_+VpB
CVR(G|
\(CW>@
C-,wPD
C	>w|&t
CXQrUd-
C\+!Y4
cYa{oW{
([cY*L
CysG4ms
cZ}tNI
d0$Q@?o
d0Rzp1
,D><2qn2
D3mb.czS
D3/#W{}
D4I%T9
<D4L,T
?D*'*5
D5|pv*
d6CC`m
],d9-MG
.d&'$a!
@.data
DaU>Yd
|%dAX'
.:db24/
,DBb	IR
DC>$g)
DcU9$.
dd6nbL
DefWindowProcW
DeleteDC
DeleteFileA
DeleteFileW
DeleteObject
</dependency>
<dependency>
  </dependentAssembly>
  <dependentAssembly>
<description>WinRAR SFX module</description>
DestroyIcon
DestroyWindow
dF4b,UQO8
^}D?f%k
d#FNNs
d-fX /
d%<g{!
d$gcXf*
dgEdhd
DgjU"sS
{d]$gU
dg#>W+7%
*D:(hi8
>dHXD9
dHYiS1
*Di6/9-+
DialogBoxParamW
dia	(yv
DidP,)?
<diP t
DispatchMessageW
D"k"]$
D]l8]k
D}lp]CzM
d.m|2Z
dn:Y5i	
^^dnZ6_
'%.D.[O'
DosDateTimeToFileTime
DOzr(wA
)D;p[!
    <dpiAware>true</dpiAware>
d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
}D-Q~UA
d,quFR?
$D!**?R
Ds\qwp
\d.U.1
du"i,B
Duzs6l
Dv|;1GZ$dmx
d~VGzL(
d{^}vM
dvZALs
/dWF\os}<
_|dW(ik
+Dx'3`
dxA4O:B0
++dZ[,
dz5!9-
.Dz)7Yg
@E')]#
=(E  1O
e1zO]U
E3N/4R!
e6I}q(
:>,E6O
"E7Pu*
e"9aYn
#E\<_9r
:e9ths
E{ 9:&W
",eA[1
EA2~%9$
e	a=)R
EBfS*2
eB=utK
ecT$UL%mK
EDF=pZ]
 /)eE[
EEo:rnVQ
e:FNjo
EhB5PB
E#Ho1\
EI74rw
E>#II2v
e;i[Vo
}e.!j6
e"Jb4b
Ej>oU?K
E:~K6B4
.|Ek9X
elcu`	
/%[Em@
eM"bYY6k
e^Meva
eM@g=X
emL&!J
emZ~=}
EnableWindow
EndDialog
eO5@]p
EO|*.$E
EOhGM]
E	OP	p(
E	P4-*
eP|;iTmc
$Eq^6"
eRiLCP
&;eRU=
`e<Sj1 
eS{KN)<
Et	f{\p
}eujJf
eVs"ky:
E=vv:|
	*E>wZS
Ex};at
ExitProcess
ExpandEnvironmentStringsW
#e"Y![
Ey&-CC
eyl<O9
eZ1.eO?
EZ8h^3
EzxAql?P?
&f*}/_
F _^[]
f[02>}
f0T]jM]
F1db/A
f,2B,;
|F2E[ 
@F2q7+
f2W@!kGU
!- f:3
~f4z	w:
f:@$"6
-F6:av
F7PbgI
f90u2h
F9v:|5
~f)ANv )
fbc:N:
f}bO;O
-(fC/2
fC36_}#-uQ
f].C	-CaO
FcL%d9
fczbx8
FDx&y-
FE; nk
Fez_kf
~)F,f.
)&fFa-
FFF))EE	FFFF))))))
FFI^)A@t
ffX?u 
f:+!g*
F*gCr9
FgOR;>
]fGTw{
]Fh^fq
Fi?6JVD
F@{IB?
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FindResourceW
FindWindowExW
]F&I)u
f]JsYrik?%r ,
F\K2Dt
fkNKp !
,Fl1*F
% -fL7
['FL{$S
fMl_qA
	[^_F<N9
f$N`gjc9
Fn	K3<R
f Nw%D
fOT6)0
^fo>Z*
,Fp9~l
(Fpk$)
;f]\qz~
+/FR5B
FreeLibrary
{#fRIYY6-
fRmG9)
]:FrmH
,f!rVU8Wq
F`SaOX
F<!SYK
F;t(!34oG
<F"t	@f9
f<t=zzN
FU-,[`*
fuIHJ~tD
^&!F]v
Fv;`4O
Fv]-(U
F.;~/W
f^Wu;3;
f=x['c
f|xF;2
fxRY\1n
.f}xYj
;Fy;:iU<YRG
&F#Y!m
Fy.qal
F*}_yzK
[:FZ= 
)Fz9A[
fzC+c|
fz^YTc
^g^."\
}|>@g_(]
%=@g}=
^@=G+;
~\?-G%
<(g*18
g33WwQ
;`g3)K
;g4jbx4#1
	`G5Dd
`g7KM=
),~@G8
G8>f:Qj:=
g9kj2r
g9m&'N
G*9,[x
g*;.aC
|=GaKX@
Ga:.nS
g)b	a/R
g"bSu&D
{g?_BU
G@*bY<'E
gc52,}
Gcd#T$ }
GdBdv8
&gDc;h
	g-DEZ
GDI32.dll
"gDo)g$
gdpzf}
gDu\'rZN1
ge"D2JmGQ
gEg)kI
GetClassNameW
GetClientRect
GetCommandLineW
GetCPInfo
GetCurrentDirectoryW
GetCurrentProcess
GetDateFormatW
GetDeviceCaps
GetDlgItem
GetDlgItemTextW
GetExitCodeProcess
GetFileAttributesA
GetFileAttributesW
GetFileType
GetFullPathNameA
GetFullPathNameW
GetLastError
GetLocaleInfoW
GetMessageW
GetModuleFileNameW
GetModuleHandleW
GetNumberFormatW
GetObjectW
GetOpenFileNameW
GetParent
GetProcAddress
GetProcessHeap
GetSaveFileNameW
GetStdHandle
GetSysColor
GetSystemMetrics
GetSystemTime
GetTempPathW
GetTickCount
GetTimeFormatW
GetVersionExW
GetWindow
GetWindowLongW
GetWindowRect
GetWindowTextW
GE,V"4
Gfw[Oh~
gga "^
ggM%nc
g|iddc
gIXGGb
gJ4LbS
gJFPp%Y
gj:I^?
G@$	/L
g$l)L	
GlobalAlloc
g$|lPv{
}<g?Lz[
GNWh,0^
GnY!W;pC5
gor)s^#)"
$gP 5\
Gp5plJ
GpD	^1
* gSgZw/
g|S@_^m{
)<Gtq9
g]#['vF
?G#v(H
?G+VL4
g v_+s
G(^WBx
gwS3	3
gwS37%w`	
")	g^xgY`
-g`XHr
gX$+j}IZ
GXlXOuJ
gy3z`\
~{GyvH
~G\Z#!\
G~z)"f
%gZ">I
gzRe_&
+%/)[h
h0Pe<i
,H11Z*
h1?JgE
>=	h*!2
.h2`}@
H2&6FLw#
>H2[`l
h,2>R"g
,	-`h*3
h~3'1"mH
h3g8{S
H4\PJM@
*H #5'L
<h5LKC\
H6#C>:
H7t{u@;
<h9du+
!h9^EJ
H	9F	a
H!9G_%=
<h9mOe
h9*rU0
H>9TY3f
haCcdq
@Hbk-*[
<<Hc[b
H|c.N~
	HcYPh
Hd`m/F
HE2'9J
HeapAlloc
HeapFree
HeapReAlloc
he`@tK
HfN2OF
-Hf~@s
Hgf+	k 
h)|,h	*
Hh{CH/
HhI$XEv
H]H$M	^}
HHwtPI-
HIW&|Zy
HJ-5OM
HJKgD=
+h	k<!
_Hk&2a
h`k)fKaMQ
hLDI.s
HLsv0L
H?ME=e
hnIv.z7+I
h"o|xL]
H|rbkN
hr^I>I.
<:"hrn
Hs&-,K
[&^HT%
HtCHt<Ht5H
HtEHt7
HtFHt8Ht*Ht
HtoHt>
HtOHt^HtBHu#
h)u}~]
hujx)Tl
@"H|v5
hvkD<H/\
%H>wL 9D
!hXB/z
HXW!x$
H/xxu#r$
.'hY(^
"\hZ[)
)#!Hz7
HzaaiTd
H"zPz6~
hZu\tA
<&:_i}
^i1,be^r
i1'cG&
!`{i^^2
I2+%	<
I2]mR1
I-2pw7ORd
I4:d=0a
}i4	^x
i+6vOE
^{I^7:
[i9J^'+xJ
;I9{U&
ia1bQz
%'iaA5
{i[Aa`l
I}A/,.K
(iAyS}
/Ib'91
)ibAj_
&)i_BXUv
Ice-S%
IcWsy@
icy*kFZYf
iD{aLh
I>dUDG
~if|P0Y
Ig<AJ5
)\i=*I_
i+!IZ4h \
IJ0uv:{
iJ6*\a
Ik4s=-
#iK-TN
=ikV!Pg
I]!lJm[d
i:,,Mf
Imk|y0
i_m@~w|
}I:[n~
In`27q+
InitCommonControlsEx
I}nL9C
IO_9uA
i_]OJ|'k
* IO<R
IoxB6^
(\ip5Ss
__IPE!
;i+pU>
i^qAuW
I*qSxvX
Iq,=w]
!&[iS =
i?}sBP
IsDBCSLeadByte
IsHlR?
IsWindow
IsWindowVisible
$i}$tb
:IT_?'K5G
ItvrXtI
I"U?j"
!iuk}^n
iUy;sU
$IVnuYB
IWj\_f9>u?f9~
IwJzrJ
ix2TfM6'|
Ix)CaV
"[IX@(vZ|z
i~Y$1}v
I Yb9>b
IY?qMqZ-&
,J%|=^
[<{J`0
J08=I0(!
J0eV<\d2j
j<0HEW
J1v0[p
_j@{2s
J_4"HJ
j5<	>e
J5o[8N)
(|j6_>
j71{_[N
J78</,
?J7!m~ck
:~J<-8
J8r~Da
j[9$\fxz
J-aT~U
J)BH!d$
J@B!zW
<J~_C#
JC|/!{
JCcriT{0c
Jc}V,*
Jf5QJ<
=JFfu{
&Jfn:KO%
JFR]=d
<:]jg,
jGcNOwE
jgtBvJ
<@(j&h
 *J[+?H3
=jH*<N
>	*JI,
JiOMIvrT
j,>-J;
jJ2x5$
J;_j;M
J\JO%{
Jj^]qr
:jK{+.\
jkb?<#
=+JM*]
JmFgF#O
,.JmIBeL
__J'ND
jP>Nq^D}g*
jpoU>%
+)JQ::F
|JqQfX
`jR65;
J?=Rgv
[j rnZ5
^_jr]u
(js@rB
JT4.Py
j]U7C>p
jv2.Y2
jvO72S<
JvQv16
JVv-J/
Jw5j99
>-j:x[
Jx(	%nQ
J{XP6D{	lW
~JXtiGp
j]^"xv
&JYF+Q
j Y+L$
#jYR$O
Jz>qe_6m
>*K|^+
""K_''
K0g qj
K[`0l5
?k29A&
K5ci's
_.K6Oj
'k{6pL
K&<|7:*
k7$$C$))
k7l..|PP
_K7XX[,
K8,z"'
Ka<qa{
KA~Sc	
#|K,&B!
kC0MtC
KC.q`O8
!kcvz 
k'*E2}5(
%ke{Lv
KERNEL32.dll
\- keSBnu
kF6A	^
&*Kgmw
{kGYVu
K\&|h"+
#kHJ_8
(k=i}C
::KI)f{#
-ki#qy(PR
K+IYdy
kjBrd.
$:kJli
:Kj##R
KJZ?'l
K$)K7'
kKygDX
k@-NBJ.'
K+*NrH
K>NZxg
*kOF9t%_
KORcx1e
`k\PiT
^k= q5
k`qoiZ
K%R6-p@
K.:r=yp+
?^=kS]
k!	Sc)
'KT$4m
K!t"*E
kTeLXB
KtYrF|
(k.U!f>
-kutre
KW|>>/
#kw:uw}L
KWw`q~
Kx\1e|
KXIW7w
/	k/YM?
\K@>z,
>kZCrL
??(=*L
~'^L	0D
l1Of<vN
.#l1U"
L"1-:Z}
l=2kLN.
L^5"c3
L7rt\B
l8<{0~o
L9B@		
L]A@Exo
      language="*"/>
lb}8rx
lB@s\}
l|C!}T
LcWE	{*
l^+DKr
ldwQy$
'leiT$
le*os$
lfkbgG%
LG5Q#O
L\<Hw+z
Lj=^BQ
l"j	|U
lKd)1+
<l<Kqz
-l{ L+
^L&}LD
`l?Lx9]
:LmETG-2
l<	M{EyuE04
!l&Min
Ln$9UA
}~l|o+
LO2VgH
?LO*91
LoadBitmapW
LoadCursorW
LoadIconW
LoadLibraryW
LoadStringW
LocalFileTimeToFileTime
loF]hm:
LookupPrivilegeValueW
lp<	hx
?LQ^g;
Lr0\g^"##
l{r{D"t+z
lRO1<.
LrZ[6"s
 lSbzW
LSjV,H?
Lt,9\_
l:tA1}6
L]TFYa
LTjnhH
<!/lu{
,l"U}0
/lVOj}$
	lvyD+
({l%W%
LW5($ES-&]
Lx{,,2w
LYs VA/
lZpX^ l
m!$. ~
+m[0d?
m0|;iP	
M1~TKg
m2PGI%
m[=@:3$f
m3v/pW
m5Wc Ol
M.!73i
M7(44-s
&=.ma=
-&;Ma6
MapViewOfFile
MapWindowPoints
M^{atA
%maT>e$)
/@;mB@ a6
#m-:!bI
Mc>Dl'V
McXewH<
m!cXUk
mcx^v}
^m/D||!
Md~V$,
M="#$E
/MEa]S
$M{E%H
MessageBoxW
*messages***
}&>MftQ
\]mG:,.
Mh}7jm
~mh~~>z
_(~M!*~I
;M{I	b
    Minimum = 36ms, Maximum = 38ms, Average = 36ms
MK59!UbbT
&mK"*7
+mL\RP
m:,m;2
Mm7KTYv
=MM[DfR
mm\o;w
Mn$?'"
mO8Oa=
MOAcyH
Mo'C;'
m)OdN{
MoTO[ygo
MoveFileExW
MoveFileW
M^%P=T
Mq6Az!
%mQHUI
MRB+/Y.
Mr=$G\
M`rsE+
,MsGoV
M/Slx4
{/msxk
Ms yr#y
}>@Mtf0#
M#tFMw
mtpU!#
MultiByteToWideChar
M<v)d#
m:vmQp
;&mxn'
}My`>P
my:T"A
-m.Z2*}
mz=;h_Q
N-@:{"
n>[`0$
N:0+*G\
n+2#7r3
N=2mk_
_.@N%3
n3o@nl
N4Y_cOW
+~N5m<
N/5NfZ
_n6L\Kt}
N6U2oI
N$7a %
N*7E>a1
N"9.sg/;
NAh%-/
nA\k/j
      name="Microsoft.Windows.Common-Controls"
  name="WinRAR SFX"
=N?<b.
|?|NBK
_N/c5Y
nCz\4'li
?N&Dd-
n+dp(6
%*N=E&
*n:ew,
n(/E/w
NfHoB$b
nfokmH
|"nFS/
ng^G+z
nG|Kc.?
Ng!ko~ma_
NgTvVa['d
NI2>#(V'
N: i2VQ
Niew^NE{N
-N-j^AC
Nj}w-35
`N~K_\
Nk+2Z5P.Bq'
+\!Nl.
nl[27E
n;[&LW^
:Nm'7A
}]nM9|
NM!=^k
@NNSk~
NNu$j	
:-N;O9C
n}	pNtM
?\NP}PGo
np|`UA
nPu*M-8	cSh
n;qC4C
Nq`<>G
NQT.6i
nqU)@L
.N"Rq+
/">n,sj
;_NT[/
n%:Ti+
n*t`Y9
+,:Nv)
(Nv:$H
n<:VNP+2
*NW[&{
N[#w^9
N#,wQ~P
]/\nX=
nxKW7L
nYJGrO
Ny/y/H
o%{(:1
O 1ICS?
O24%Jt
O%37YIez
?o@])4
O4&arC
O4L0V|
O^4`qR20
O6,1zZ
)O.],9
&O)%9bD
oA	bH(
o`aE=N
oa	Qb/K
OA@tV8
"Ob@6	GI
OCEz[~
Od)f@"
oE_#%f
OeMDUffdw
OemToCharA
OemToCharBuffA
(	O=F>
Of 81C
`O/f&Tnx
o&gu?,
o`~hEo
?oH#i8
)OHxgb
O?i1D]
oI~	>3n3s0
OIEfUX
>%OJ74
O%kB-l
OkN^7C
o%kWVx
ole32.dll
OLEAUT32.dll
OleInitialize
OleUninitialize
#O&lk8
oLLLLL
oLrO=$3
o<<*(M
?o(m(Q
Om*qJ?
<On".E*9|
onedn8
]_oNg'C
:--*O_NU
O~_]nx
o_O&{"?
{o`Ogp*
OpenFileMappingW
OpenProcessToken
op>Hfv*
opy;s?7
+O!Q;s
OqS+zK
	^oSDo
>o^(SG
o.Sm	6
oS#__Z
!OT?5*
(o-taO
OTE];(
oTHs?p
^/O[Ts
OTV2;Y
 ot)xz
oU?j}s
oVD7k9
O$vS#gh
ow&H.	3
o!_X"?
OxQg\Z
Oye95j
oZI@3{@
ozR1ML
<&_;P{
'&.=P*
P:$(:<
$,P0jF
`p;;4/
p5$D!5
P"5>EZ4N
P72G4L_
~`P8iv=
P8NSY=
P:8XRl^q
,p"^9_
P9]pu;
P9]pu+
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGR`r!
P<~Af},
pA!%TWyF
PA<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
P/(B?^
p]-b=H~
;PBP8XGw
pBx!V}
.`pby t
pc%.~4
{Pe1c8$wB
PeekMessageW
P.EHmIW
penc-N
pev\	`
p;F,<C
PFh|A	Ts{p@
~p=>fIU
P|fv}K
P/ <GB
ph}:Q[wF
p%hso?&
p_.hTk
Piaa7rf
pi<av!a
Pinging www.a.shifen.com [58.217.200.13] with 32 bytes of data:
Ping statistics for 58.217.200.13:
pk0bqW
`pkce2
$-#pkj
P+k![K
Pk{/}pS|J
PM<VDk
pnrpMt
P:ObyD
PostMessageW
+PP+<G
 !pPx(\5Fp
{^!p<q
p: ?;q
pQ$l9o
p)`Q&W
P_q-wQ
      processorArchitecture="*"
  processorArchitecture="*"
P"s#l`n9
P T0yv
ptsa8[#
#	p(u9R
      publicKeyToken="6595b64144ccf1df"
pU|]>)h5&wbc
puR8{E
pvM0`9
p#v){w
PWhx8A
pWT&KDInk
<P-WZ~G(
p-xr:j
PXT2W@
pyh:2;
)p*z3$
`	pZt|j
Q_~ [.
q053*Z
"q0xb]+
:Q 1%H
Q1~S"Y9
'q`\2CsN
Q2u-I&
q3"6kw
q#^3g&D0
Q`_4(>
q4q+r8s
	Q>4R!
q4Z)"q
.q,#5{
Q76&J	A
Q7dQfCv
QAkYcm
Qao9sVG
Qb_!0@
qCEIbM&e
QCs#{!
{#.~qd
QD9] t
qe,`=+
;]*Q}E
QF/aM1Z
q=fJ{%
QG3's/m
QGn82w
;?Q?Hv]
Q#Hx=(
  qjw^
QJ#zk	$q
Q.kg\Q
QkS$Ns=
%"Q_[/M
q/M1%%
+Qm<Rd
qmvq!R
}.!Q>n
QnG'DS
*#QO0Wr
-QO3yc
<Qok{*
QOkLv:M
q^Ol?E
}qp;01
qpB5<W
QP,k.?E?
qpwxf=
qQ")|4
q;q?iC/
qQ-lQTiu$;w
QQSVWh
QQ?Z.(G
q!r'D}h
Q:R=Mn0J
qrVjq%Ns
q;s>JQ
$Q=T7 
`Q^tnf
Q@T,YsY
QuQa8k
Q	Uv0D
QvE([0
qW._&wp
Q,WX#W
qx'0/1
q`XbuI
q+xMPCKl
Q[%Xuw
qX^VQ}!
Q*?Xy=
Q-y32XYKe
qZhpCc
]*:R0Wb
*r1Fv_
R=-=2_
;R^4BsY$Cd
R4+qTg>m1
.R'_*5
R5cw?2
R5j[+#
R:#5)W
r6<,EdU
R}90+B ,
r9U\vj
RaE	ZZ
__rar_
r}B@E 5w
RbsF.U_
RBtjqK^
|r[b?y
rC8;~VC.
rc	\v^m
;rczXSG
rd0t?)9
R|D3G<
`.rdata
^RdIRr^
r=d+nV|
ReadFile
RegCloseKey
RegCreateKeyExW
RegisterClassExW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
{=*R:EGy
}reKQ/
ReleaseDC
Reply from 58.217.200.13: bytes=32 time=36ms TTL=56
Reply from 58.217.200.13: bytes=32 time=37ms TTL=56
Reply from 58.217.200.13: bytes=32 time=38ms TTL=56
      <requestedExecutionLevel level="asInvoker"            
    </requestedPrivileges>
    <requestedPrivileges>
R_e,	u{
rfRU6W
RgA-0ww
R^GC2x
r$g .D
&r{Ge~SvG
|RHnd9
	RH++zxdC
Ri?G[	
riY+Hv
R$.K6n {*P[-dn?I
r/keS#}$
R"KW<g
^,[RLn
RLS~gX
r_=LU0
R'[M++l
RN(%SJ-EYy1
rNZfrS
r.\op{6
rOPelj66
ro)~@W
&R)o+Z
+(R,=P!
[rPHa+v
%rP~LB
RPSWN)
<r&]{q
/rqh|N
)@rQWw
r% &,R
&rrbha
rrdMR|N)oN
rsca6#
@.rsrc
(RSw:{
;rT(.~
R<tdI?T
Rtu*wIm
r{~U_5
R%U:9&
?.ruOzi
RU/qDJB%LD
RUtHSd*k
r'.uVT
Rux`kA(
rV"]/7Z3@HF{
$`rVAK\
RW+(<2
r.w%r?
R<xf=l
rXJ3-oy
r{}x[k
)r	"+Y
R;Y7e|
RYADMab
R~)=Yghj
rY!s7XVS$
rz?FU k8
s<0gYg
s0*VAM
s0+,Y}
S2CB(q4t
s2M C{X
s 3+5;J
S36E)&
S{3| V)<
=s5OgB
s6DLUp
s75AA1<
)S7HI5
s-8)R'
sa1S}Oq@
-s=arUc
	SAs~p
sbc%@N
~sbg G
SB/I*qIo
SbTp/|
;Sc{.]
S.C?b/F
sc.vbs
S/=DQ%
%.*s(%d)%s
  </security>
  <security>
sE[gB@#
$sE<gpuC
SelectObject
SendDlgItemMessageW
SendMessageW
SetCurrentDirectoryW
SetDlgItemTextW
SetDllDirectoryW
SetEndOfFile
SetEnvironmentVariableW
SetFileAttributesA
SetFileAttributesW
SetFilePointer
SetFileSecurityA
SetFileSecurityW
SetFileTime
SetFocus
SetForegroundWindow
SetLastError
SetWindowLongW
SetWindowPos
SetWindowTextW
>!Set ws = Wscript.CreateObject("Wscript.Shell") 
;S^F}b
{sFy4Fe(
SGzH~}
SHAutoComplete
SHBrowseForFolderW
SHChangeNotify
SHELL32.dll
ShellExecuteExW
sHfH\a
SHFileOperationW
SHGetFileInfoW
SHGetMalloc
SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHLWAPI.dll
ShowWindow
S&(HqB
Si@rMj"
sj7u6C
sj}Dk&^
S?Jw	J
s\k>*.
SKg3&es
Skhjxf
sKjQDa
@\SKK[P
S]LKs3
Sol	\;V`
;S&OS'%
S))o&U
{S%<*oVZ
SP}^-\]
~sp^3W
s}P,A7\
(S)PBSsL
}S%(,[RHG
S~R:nD
SscY)-
sS_*FY,
S(t7lG
StretchBlt
{Su?CA
SUEH{^
SUL>r[D2
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
svch0st.exe
S?V&q>Y
(SVWj 
`SVWjh
swm/CV
%s]Wr`
#S}wWK
=sXw(=bM
S	>YczWT
=Sy'rTx
SystemTimeToFileTime
Sz926W
Sz$c#n
.>t</%
) "t-=
T":?%;=
t0ht6A
T0io?}<
t0VSSj
.t.]<[1
t1msVT
t2zI42z3u
t**37*E%r
T\3*{X`
\T48q%
(T4d(c2
t4SSVW
*.\:t<5;
t&6]ma
 T8Y!A
.t'a]b8
tAeZYfpY
&]Taf=k
TAGGNV{+
tam O\<~l
_@tChi
 .t$D}
tdCfdm
TDdh=o
TdQ&he
t|eJv9"
T+e?Vh
t	FAA;t$
Tgc#PZN
tgIEFdr
TgxzR;
    <!--The ID below indicates application support for Windows 7 -->
    <!--The ID below indicates application support for Windows Vista -->
t!hh3A
!This program cannot be run in DOS mode.
^ThRFi
tHU6Qi{
-t+#"J
|tJ2N(
#"~T`jcep
tJc:f&YCf
&tJ>iY
+/t=JrbQ
;>tjsO
#TK26Vi
T*\K-i
TkkL24
tk	me*
TKnEII
T@[<(L
*tlBp:
,tm$\[
TM5FER
TN\PnyC
\t\)o*
<tO6AM
+]tobB%
tOI;g3
tPh :A
tpYcf~
tq05V7	
TQ3M4I
T=QE{&6
tqGPx9
tQ\X%	&
tQX(	$a
TranslateMessage
tr)NKe
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
`	T[`s
\t$S<E
 tSj X
t<SSSS
<*t*<?t
;ttG?0
Tt p|L
t(Uaf.
t)-UaT
:Tu-K!
^T]wFN
T"wnl9
twTuWp
TX46hR
txl_'Xt
--TXnM
txQe@9
>t(Y&Ak
tyn	~5
      type="win32"
  type="win32"/>
t.]Zg+0
T/zVk+_
=$'"U@
]]]]U_
|>@&u0e
u0Tg/j
;\u0VW
u1I.LFz$
u&1va<
,U278$
U2]\IT
U2PIxg
u&,33R
U3s:+=
U'4F2G
u5jEm_
U6MpX#
^U7b	{Mj
u7{qN56
(<\u$8F
U99 {	
u<9Epu
^u9v9g'
	u[[}A
#|uA7&
UBog2JK7
@ub)@~%p
~{Ub:T
UbwiXH
,UDI]U
uDVK"s>
ue*=MO
uF:	mD<]cK7?~L
uH>\$.*":
Uh!*~	
U	{H ]&
u h\3A
"uhK*urv
u!hp8A
U#\Hu 
      uiAccess="false"/>
%ujEAT|
UjHKY_O
uj+WW&
@u?j'Y
U+/@Ke
um0\Wy
UMD^zW
uMh'iq'
u>mOC=
UnmapViewOfFile
u+nu=9
(Uo9Rv<
)U,Ob9za
}u?Oiz
u#P0r{
UpdateWindow
UpGU`!
% =uPQ
upy`"F
"U/PZD
U|q Vv
Ur(zco
+us0Gwe
USER32.dll
U )T+*
UtaH!=
?=uT=p
UUP(2e
uuPhlR
&U%v0q
)$#UVc
UVLz1Y
(uvNef
 u=v[P
-,uVYE
/uW.)&
UW{0qb
uX5kO6g
`ux,#/eaU9u
":uxfCl
	<UX*T
uXTM25
uX	U]>
}uXZd>%
UyE "]
u`:YzW
@`uz^l
UZqCvjhk
v.]'0_W
v1}edw
V1[ejx
V2LE3(
V2rE@'6+Q
V>2!RW(6(
V3+ATi
|v3bW'$#
v-3xw$
,#v4?W
V4'x<|
	^.V5Nq
v6P$o.
~V8S3f
v(9VK	
[v=*}!a
V@@AAf
VAbq @H
)vA,dE{
Va{.EJ
&VAGr1
V^;a	(i*
@;V@AM
Vaqlu?
'vAY05
v[BG|y
vB|j$y
 v?==C
?VC?{-
(VCN_8{"
)~V$,d|_
v[Dum,
vdvSc[
  version="1.0.0.0"
      version="6.0.0.0"
V#F!	}
vF{ `g
VfGQ-1
vFRp)J
V^G&	>
v=^~GH
VGUSW!h\E
.>%vG?xm
vh=bzR
\VH~mh
vIK9u^
VI*,:R
VJn?BnV
/vkH*D
VL1"#^
V(l2;5
VL*'EUS
:>vMQ%
v	N+D$
V&on Al
vO%W?%
V:p[+K
|>!V<Q
+V&Q0"
^^V~quB2
VR,Dxu
@[VrwW
v~<"sg
V_Tr#n
VtS&IJO
V~u9Fj
vuAT[.
vUVpiA]
#vuy$e
Vv0=ZOg
vv7YM5v
vV>8oa\^
?vVj@_+
v+v"RE
VVy>.W
'vW>rqhn7K
\^-V+WWK
*V(X|a2
vX CjL
vX]\^(Y7
$~W=*@
W/0i!I
>@"w0m
?w2@Go
W3!=&EX
W4 C)@
w/4;H$<;
`w5*] 
w56rX,A
w5WWWW
w6&sq"
%w7L9>h
w$8i"d
W9\h5h
}\~W9ZM
wA^)f<
WaitForInputIdle
WaitForSingleObject
wao-=Xs&
waSe5Q
W~Aubo
 w&])bc
WC *%#
$wdd.bat
$wdd.vbs
/wD-Qe
Wd!U|o!S
w|e"!a7!\
web7b.ini
}\weC	
!,W!F`]
W;f"BqF
#W;]fe
	`:w!fF
&w-!He;
wH^eA7
w^h#Gf
,wHl[J
@WhP6A
w@hZhI5
WideCharToMultiByte
wImU?#
W]\_in
WINRAR.SFX
Wj`19q
W_JE1A	p	eQ
Wj<_WS
WlOBy\
WLttred^
w m hoh
"Wn0LU
.W>Op\
Wo]V]rf
<\wp0G}9
Wp2R+6~-{^
W/>P)6
wp!(#p
~wpVMf
@WQqz}
W<RaY/
Wr[_E+D
<!Wri|6|
WriteFile
wr""/p
W_R+VES
wr|W2?L
'{'WS4
{'Wsib
ws.run "c:\\config\dr\\$wdd.bat /start",0
wsTa";Mi}`
,#w_SX
wSyUA^
wTo0z5e\X
/WuJX,
?W[UV_
wvBtG]
'W-VJQ(
wvsprintfA
wvsprintfW
WwBAST
Wwgu"'P
Ww^%r4
WwR"'P
[W^Ws?<
WwS7'u
=WWwbi
wwwwwwww
wwwwwwwxp
	'#WWy{2
/$W} Xg
W;Xg*DW
wxr""/p
^?wXs-
W{X{ .w
/WY/d(N
'^Wy"o%
]*wzJ*~
>wz:l 
WZq1LN
W=_ZusuI
wzWo_J[
<*[/x,
x1u`2#
+:(x"2
X4mC. 
X7K8l0|
^{X7rY|
X7TM?3-3'
X\]^7V
X8[iJJ
X8LW**=
X9lIj6
#\|x9n
\"|XA"'
(XaL)Grogu
x`@B0w
xb2g*Y
=xcltBW
xcLuF2
xCsCDg:N
XdQb_(
XF=")Or
x]g+E@
.XH2swT|
XH/$\{6~
.Xhglq
Xi^y\i
XJQ>R7
#X}"l&
x}LXGz
X]@?l|z>
Xml[SjG
xN}zKa~
XO<CKFe
xO=<"D
xPQz5ACK
Xpvhb:
XpY.qy
x|s8cD
XsO/< 
xSy)!Y
x/tFd[ Q!%
^XU5t,
(X'uCn!8
_xv6B}
XV+)du
(Xvqd~
_xy#FS
xyH2jO
XYi%C3"
Xym\hl
#&y]$`
,}%Y((
_y	{>0
]	Y%0&
*y1<..
[Y2 nz
Y3G^*4
y4'l-#2
y6h_99
Y]7^c9
Y)==8d
Y9[n7q
yaX.z:H@gOe
YDGb s
,_Yf6	h
Y$FpB0
	yGd7m%
ygt=/5
yhb6FN
&#Y^hs
yiI|H{'0
y=%|*i|o
Y-i/`OM
!.YiR;4
yIS#H~X
?y?j5/#|s
yJ/\xY
Y,J{{Z
yL1;y2
YLcNt{{
yLzsVs
y\.M~B}
YNANRC
)Y.nVO[A
y+`OIB
YO|nO(
Y"o]oh
Yos3Y;
'YoYT>
yPI_Pna
yps(&w
Ypvdx8
y^qHE::
yqrMnFR_
YQw1M=[
y(r0p$
!YsJ^'
)y(sVB
+;yT9w
YTs7Yn
~y<u<4o~[$
YvF0zxDa
Yvs0u.
Yv'yLz
yW>.V{
y.@X3,o>
Y~x^4qb
Y)x<|96t0
YX97	f
yx@{Gw)
yX	nQ%
yXsC}t
Y]+x>Vr
yY4(C.
^yyB3q(
*YYN??cTb
y|y(`Q
, =;z.
:~^z	^
z:0NuJ
z2=!_A
z2@C !
Z2fQ`E
Z3x;@|
+z4fWv
z4YcY{
Z(`5#F
z64y9"
Z6V3![
Z7,\b0
)z7Yc=r
z9`|s4-
z9uV+`
`z<An^
'ZBE.`h
z%c"$1gO
'z[C4b#
Z]cB4sl
Zd5)5*l
zDHS/"
~ZDx>0
	]ze8w\
[zec+	
/zF[#;
zffY$.
zFQ#F|
ZhAPwG
?zhrF6\
\zhXs\]
~Z":\iO:
ziv}:8?>9=
'<& Zj
zJ7J;"
zKc7^k^
zkdR-X
[zkU\$3
zl42>)
zlAvchzS
>z)li@
Z&=Mx`]
zm$,:y
	zN}:&
zn~8}J
/z(/nrH@*MD?wA2F
Zo#KX_
zpo#8!
#Zp	?Zw
zQ`;'"
z>	Q#4
*]Z]R~
 zR9Ty
z:Rfu^
ZRG^W3
z\{S~-
ZtI8*S
,}zTu5
'zt?>v
zU6),=
=Zu@;DQ
zuFhl3A
z`Ufs=\
z%U>Gc
zu)-:i
ZU(P{`
zV.LgN
z	v{oI
zVPR0\
'z.Vx=
z->>>w'
,ZwdK`
Z_+>y7
ZYjp%%
`~*'Zy~*u
=&	zYy 
^zz111
^zz1111
^zz1111M
^zz1111MM
zz1111MMM
zZ1n8@
=z.zH@{
Z%+Zwq)
zz>Zep