Analysis Date: 2015-04-02 18:29:48
MD5: 31d0e421894004393c48de1769744687
SHA1: 4f0eb746d81a616fb9bdff058997ef47a4209a76

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: a8692f5ba740240ef0f9a827376f76f9 sha1: 41f3c4b70ff31dfc1b3352173567cb857c3f7cb3 size: 74752
Section: .rdata md5: d4f36accffde0bf520f52486679ccf0d sha1: 891cbdf18a460a41df342f7f806a2dca0a68bea1 size: 7680
Section: .data md5: b6c7edb5b7fec47a37a622cc5d71f3f4 sha1: 6e76e64e9fec63232a0ae118666c0588b4543be1 size: 512
Section: .CRT md5: 439411041ee0b8261668525c5c132cd9 sha1: 817c1d9c0c3df118ce4391ba48b5f5285b01916c size: 512
Section: .rsrc md5: 1985e53126d0ad6f4d4b10eecc715c77 sha1: 189d5acfe8681cd52a40a363513c1c304db7d26b size: 23552
Timestamp: 2012-06-09 13:19:49
Pdb path: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
PEhash: aff829790819949374434f522309fa64209a2e3e
IMPhash: 3c98c11017e670673be70ad841ea9c37
AV 360 Safe: no_virus
AV Ad-Aware: Error Scanning File
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Symmi.50061
AV Authentium: W32/Trojan.VSQD-1927
AV Avira (antivir): BDS/Plugx.266990
AV BullGuard: Gen:Variant.Symmi.50061
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Symmi.50061
AV Eset (nod32): Win32/Korplug.CF
AV Fortinet: W32/FakeAV.CX
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): Generic11_c.CDQL
AV Ikarus: Trojan.SuspectCRC:Backdoor.Win32.Gulpix
AV K7: Riskware ( 0040eff71 )
AV Kaspersky 2015: Trojan.Win32.Generic:Backdoor.Win32.Gulpix.yk
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: Backdoor:Win32/Plugx
AV MicroWorld (escan): Gen:Variant.Symmi.50061[ZP]
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: mcs.exe
Creates File: __tmp_rar_sfx_access_check_96296
Creates File: mcutil.dllsys
Creates File: mcutil.dll
Deletes File: __tmp_rar_sfx_access_check_96296
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\mcs.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\mcs.exe

Creates File: C:\Documents and Settings\All Users\DRM\IcdSysSvc\mcutil.dllsys
Creates File: C:\Documents and Settings\All Users\DRM\IcdSysSvc\mcutil.dll
Creates File: C:\Documents and Settings\All Users\DRM\IcdSysSvc\mcs.exe
Creates Mutex: Global\aemsasmpe
Creates Mutex: Global\irtewkkpi
Creates Service: Image capturing device. - C:\Documents and Settings\All Users\DRM\IcdSysSvc\mcs.exe

Process
↳ C:\Documents and Settings\All Users\DRM\IcdSysSvc\mcs.exe

Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Process

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: pipe\winlogonrpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\All Users\DRM\IcdSysSvc\nprqyjadoqkp
Creates Process: C:\WINDOWS\System32\msiexec.exe
Creates Mutex: Global\uecpg
Creates Mutex: Global\ommdvtuqnjwvdfajh
Creates Mutex: Global\aemsasmpe
Creates Mutex: Global\mxufovgpujrelcqpp
Creates Mutex: Global\ssmuagced
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\qdskyukco
Creates Mutex: Global\mschu
Creates Mutex: Global\kcczs
Creates Mutex: Global\mwlcxdaufjyvznwql
Creates Mutex: Global\aabhnqurdbfoh
Creates Mutex: Global\ylkhkxsuxcpzk
Creates Mutex: Global\khuzkeoaogodbtwzx
Creates Mutex: Global\qzijz
Creates Mutex: Global\irtewkkpi
Creates Mutex: Global\stuxkwabijxwwaxrh
Creates Mutex: sdfsdf3w
Creates Mutex: Global\wubqw
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: Global\uimnyxkbx
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\mwmjwuuwpuvcczsph
Creates Mutex: Global\aelgflwcvvytstumy
Creates Mutex: Global\egbhmpyceumde
Winsock DNS: hpservice.homepc.it
Winsock DNS: facebook.controlliamo.com

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 0

Process
↳ C:\WINDOWS\System32\msiexec.exe

Network Details:

DNS: hpservice.homepc.it
Type: A
8.8.8.8
DNS: hpservice.homepc.it
Type: A
8.8.8.8
DNS: hpservice.homepc.it
Type: A
8.8.8.8
DNS: facebook.controlliamo.com
Type: A
HTTP POST: http://hpservice.homepc.it:443/ECD1DDF3DB23B04B4BE5C5ED
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Flows UDP: 192.168.1.1:1031 ➝ 8.8.8.8:53
Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53
Flows UDP: 192.168.1.1:1032 ➝ 8.8.8.8:53
Flows UDP: 192.168.1.1:1033 ➝ 8.8.8.8:53
Flows UDP: 192.168.1.1:1034 ➝ 8.8.8.8:53
Flows TCP: 192.168.1.1:1035 ➝ 8.8.8.8:443
Flows TCP: 192.168.1.1:1036 ➝ 8.8.8.8:443
Flows UDP: 192.168.1.1:1037 ➝ 8.8.8.8:53
Flows UDP: 192.168.1.1:1038 ➝ 8.8.8.8:443

Raw Pcap

Strings