Analysis Date: 2015-02-08 14:49:06
MD5: 940ab1768ab6d7c21467e169197559e6
SHA1: b3aec526092b4514d272a9ddb47e3f02b2d3f9ba

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: a8692f5ba740240ef0f9a827376f76f9 sha1: 41f3c4b70ff31dfc1b3352173567cb857c3f7cb3 size: 74752
Section .rdata md5: d4f36accffde0bf520f52486679ccf0d sha1: 891cbdf18a460a41df342f7f806a2dca0a68bea1 size: 7680
Section .data md5: b6c7edb5b7fec47a37a622cc5d71f3f4 sha1: 6e76e64e9fec63232a0ae118666c0588b4543be1 size: 512
Section .CRT md5: 439411041ee0b8261668525c5c132cd9 sha1: 817c1d9c0c3df118ce4391ba48b5f5285b01916c size: 512
Section .rsrc md5: e038efcb7bd8930787f4e321791d381f sha1: 3044ac80e5c2ec9d9c135eeabbf3c083a84963b4 size: 14336
Timestamp: 2012-06-09 13:19:49
Pdb path: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
PEhash: 2ce2bce7b59da3076f86182be32d7384aad1ac93
IMPhash: 3c98c11017e670673be70ad841ea9c37
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Generic.12613775
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.Generic.12613775
AV Authentium: W32/Trojan.KXVA-9207
AV Avira (antivir): BDS/Plugx.441061
AV BullGuard: Trojan.Generic.12613775
AV CA (E-Trust Ino): Win32/Tnega.XAYB!suspicious
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Generic.12613775
AV Eset (nod32): Win32/Kryptik.BYG
AV Fortinet: W32/Kryptik.BYG!tr
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): Crypt3.BVYN
AV Ikarus: Trojan.Win32.Crypt
AV K7: no_virus
AV Kaspersky: Backdoor.Win32.Zegost.demu
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic BackDoor!bbn
AV Microsoft Security Essentials: Backdoor:Win32/Plugx.gen!B
AV MicroWorld (escan): Trojan.Generic.12613775[ZP]
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan Horse
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:


Process
↳ C:\malware.exe

Creates File: WINMM.dll
Creates File: mscormmc.cfg
Creates File: DNSBench.EXE
Creates File: __tmp_rar_sfx_access_check_74218
Deletes File: __tmp_rar_sfx_access_check_74218
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\DNSBench.EXE

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\DNSBench.EXE

Creates File: C:\Documents and Settings\All Users\Juniper Networks\DNSBench.EXE
Creates File: C:\Documents and Settings\All Users\Juniper Networks\mscormmc.cfg
Creates File: C:\Documents and Settings\All Users\Juniper Networks\WINMM.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\mscormmc.cfg
Creates Mutex: Global\DelSelf(000004CC)
Creates Mutex: Global\DelSelf(000000F4)
Creates Service: dsNcService - C:\Documents and Settings\All Users\Juniper Networks\DNSBench.EXE

Process
↳ C:\Documents and Settings\All Users\Juniper Networks\DNSBench.EXE

Creates Process: C:\WINDOWS\system32\svchost.exe 201 0

Process
↳ C:\WINDOWS\system32\svchost.exe 201 0

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\CLASSES\FAST\CLSID ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\system32\msiexec.exe 209 1724
Creates Mutex: Global\DelSelf(000004CC)
Creates Mutex: Global\DelSelf(000003C0)
Creates Mutex: Global\DelSelf(00000328)
Creates Mutex: Global\DelSelf(000000F4)
Creates Mutex: Global\DelSelf(00000530)
Creates Mutex: Global\DelSelf(00000400)
Creates Mutex: Global\DelSelf(000004BC)
Creates Mutex: Global\DelSelf(00000224)
Creates Mutex: Global\DelSelf(00000268)
Creates Mutex: Global\DelSelf(000001EC)
Creates Mutex: Global\DelSelf(00000274)
Creates Mutex: Global\DelSelf(0000045C)
Creates Mutex: Global\DelSelf(000000E8)
Creates Mutex: Global\DelSelf(0000013C)
Creates Mutex: DBWinMutex
Creates Mutex: Global\DelSelf(000006BC)
Creates Mutex: Global\DelSelf(00000490)
Creates Mutex: Global\DelSelf(0000023C)
Creates Mutex: Global\DelSelf(000006E0)
Creates Mutex: Global\DelSelf(00000358)
Creates Mutex: Global\DelSelf(00000474)
Creates Mutex: Global\DelSelf(0000073C)
Winsock DNS: www.similar-name.com

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: WMIDataDevice

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\services.exe

Creates File: pipe\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
Creates File: PIPE\lsarpc

Process
↳ C:\WINDOWS\system32\msiexec.exe 209 1724

Network Details:

DNS: similar-name.com
Type: A
118.193.213.214
DNS: www.similar-name.com
Type: A
HTTP POST: http://www.similar-name.com/update?id=00310e78
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Flows UDP: 192.168.1.1:1031 ➝ 8.8.8.8:53
Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53
Flows UDP: 192.168.1.1:1031 ➝ 8.8.8.8:53
Flows TCP: 192.168.1.1:1032 ➝ 118.193.213.214:80
Flows TCP: 192.168.1.1:1033 ➝ 118.193.213.214:80
Flows UDP: 192.168.1.1:1034 ➝ 8.8.8.8:53

Raw Pcap
0x00000000 (00000)   1f97b124 fdae1e83 032ffdc1 56f67b96   ...$...../..V.{.
0x00000010 (00016)   defa2af2 75eda658                     ..*.u..X

0x00000000 (00000)   504f5354 202f7570 64617465 3f69643d   POST /update?id=
0x00000010 (00016)   30303331 30653738 20485454 502f312e   00310e78 HTTP/1.
0x00000020 (00032)   300d0a41 63636570 743a202a 2f2a0d0a   0..Accept: */*..
0x00000030 (00048)   4f6c6453 65727665 723a2030 0d0a4368   OldServer: 0..Ch
0x00000040 (00064)   65636b3a 20300d0a 506f7374 53697a65   eck: 0..PostSize
0x00000050 (00080)   3a203631 3435360d 0a506f73 74536572   : 61456..PostSer
0x00000060 (00096)   69616c3a 20310d0a 55736572 2d416765   ial: 1..User-Age
0x00000070 (00112)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000080 (00128)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000090 (00144)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x000000a0 (00160)   5420352e 313b202e 4e455420 434c5220   T 5.1; .NET CLR 
0x000000b0 (00176)   322e302e 35303732 373b2053 5631290d   2.0.50727; SV1).
0x000000c0 (00192)   0a486f73 743a2077 77772e73 696d696c   .Host: www.simil
0x000000d0 (00208)   61722d6e 616d652e 636f6d0d 0a436f6e   ar-name.com..Con
0x000000e0 (00224)   74656e74 2d4c656e 6774683a 20300d0a   tent-Length: 0..
0x000000f0 (00240)   50726167 6d613a20 6e6f2d63 61636865   Pragma: no-cache
0x00000100 (00256)   0d0a0d0a                              ....


Strings
\_
.\
:\\
010A___
@
.
.
x
...
S
?*<>|"
%08x
(&A)
about:blank
A&nbsp;
ASKNEXTVOL
</b> 
 <b>
(&B)...
<br>
<br><br> <li>
b<style>body{font-family:"Arial,
%c:\
(&C)
ccpp
Crypt32.dll
 %d 
(&D)
Delete
(&E):
EDIT
-el -s2 "-d%s" "-p%s" "-sp%s"
.exe
";font-size:12;}</style><ul><li>
GETPASSWORD1
<head><meta http-equiv="content-type" content="text/html; charset=
hRichEdit20W
</html>
<html>
.inf
Install
jmsctls_progress32
kernel32
(&L)
</li>
</li><br><br>)<li>
</li><br><br>)<ul><li>
License
LICENSEDLG
LICENSEDLG	RENAMEDLG
</li></ul>
.lnk
*messages***
(&N)
Overwrite
</p>
Path
Presetup
ProgramFilesDir
(&R)
.rar
RarHtmlClassName
RarSFX
RENAMEDLG
REPLACEFILEDLG
riched20.dll
riched32.dll
r%.*s(%d)%s
rtmp%d
runas
 %s 
"%s"
SavePath
 %s CRC 
%s CRC 
%s.%d.tmp
SeRestorePrivilege
SeSecurityPrivilege
Setup
SetupCode
sfxcmd
sfxname
Shell.Explorer
Shortcut
Silent
Software\Microsoft\Windows\CurrentVersion
Software\WinRAR SFX
%s %s
%s%s%d
%s %s %s
STARTDLG
STATIC
</style>
<style>
<style>body{font-family:"Arial";font-size:12;}</style>
TempMode
Text
Title
__tmp_rar_sfx_access_check_%u
Update
utf-8"></head>
(&W)...
 Windows 
WinRAR 
winrarsfxmappingfile.tmp
(&Y)
 !"#$%&
?*<>|"
/?]	?|
{{{{{{{{{
@\&_/"
#{~|<(
+(`*$	
01f3|3
 (08@P`p
+0E\[%
\}0Md?
.0NWBV
.0n:?Z
/'[,\\0]^_\\\Q
_!1~.#
1%IB|:
1i'Y{xPJ
|#1MCUbRZ
} 1M,)d
{1P&@'
1r5O4rr
1T.A)p6$
1V""0b
1Wd )q
)1[wm1
1wWMR^L
2^4/#U{
2CcMhBC
'(*-2H|;
~2hm.L
2I	=@CjX#
@`2L71l~K
~2	nh|
2R%|ie
$3+3=~bq
33!D	3
3,45657879
(3`>a0(
3aLN}f
3aPfo#U*
3GQX_aU
3]k-zI-b
3L6]~\
3+N^+i
3?q<Z~
3>v#m_
:(,4;<=>;?@
4[ 2FS
44[P"4
46;9.&>
!#(4Ck}
}^``4Dc
4D$v:	
4i,%PNM)
4(-kCp@
4o[vO\f
4}T_C^
4tiJ*?
4t-r-y
4Y_cOW
4Y_cOW	
\=.5;.
"551E{
5E.bNpkW
-:&5fH
5H:2k$:
~<)5[$i
%5<?m7
5M=iw6
5([ned8k
5Nxt1v
5$vW2O9
5WD=P%W
$5"XBmn
5z8^,'a
68|)F6
6AaBF,#
6AiyyiYS
-'6a%Z^
%6BQ_7E
6D(z*xTzfhP
&6Eb0Jb
6[N1	^G{V
_6^oEqRm
6_$Oxv
6RX]@-n
,6|Sb8 %
7C57;!.c
7+C9j!
7<F#4O9<
7nA3*D
7Q<<BIl
7TDq-<
?'%7.z
}` 8	<
8888888888887
8888888888{x7
@ "8g&
.8L}sJ
)8oMW>
~'9"&'
!:9	@\
90a^D1
^9=0IB
9:#3?W
9Cu8,+
	^@.9iS
9jr3$B
~9NeS8
9NhMK2
9RxQ:d
9U.`U2
?9V^Zr
9ype%CY
;a+!=_
?(%A]{
<a0~]F
a0(Fh$|
a!34uh
'A,4;BC
A8anp 
A9QaO>
aaaaaaaaaaaaaaaaaaaaf~leQmux
a<BP2N7
acfQV9
:*%,ad
AdjustTokenPrivileges
ADVAPI32.dll
aF(u}:D
a $} _>gW
^a`h>|F
(^A(hy
]aiiaV
A I+x6
AjH#;o
akT	y5
A?l+vqlP
-AMyc4
AoeeY5
  </application>
  <application>
AQUaiquuqk
</asmv3:application>
<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
  </asmv3:windowsSettings>
  <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
</assembly>
<assemblyIdentity
    <assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
A;S\w(I
 !a+[?u
AUVyZy
_avjx=
Av<y_P
A=W\]Mf
/ax`!?|
a]X)Wn
b1m%&F
`B6=@8
B%?7Jl}Q
bad allocation
)(bb%;
B:EbM|
be^v@u+
(B`F_^
@b	gck(W
<B@II;
,<[BJ4
B}l~py
BLR[fp2
b^]$]m
BMM?6d
b.*Mn|
Bm$nE6
B~PcFk
B)>PKX
bPqIu)  
'B,P~u
BT}sj]
 bzD52W
CajI1R5
C]cl#%
_Cc>ZrMU
ceQ&^	gdk
CharToOemA
CharToOemBuffA
CharToOemBuffW
CharUpperA
CharUpperW
%ChQ}5<
chReu 
ci %\2
!C)	Iy
%C@l-lfr
c|lN4{
CloseHandle
CLSIDFromString
CMT	AP
-cnNS]
cO*8z@
CoCreateInstance
COMCTL32.dll
COMDLG32.dll
CommDlgExtendedError
CompareStringA
CompareStringW
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
CopyRect
Cp1PTw
CreateCompatibleBitmap
CreateCompatibleDC
CreateDirectoryA
CreateDirectoryW
CreateFileA
CreateFileMappingW
CreateFileW
CreateStreamOnHGlobal
CreateWindowExW
C%Rj{"'
@CR)uTf
CryptProtectMemory
CryptProtectMemory failed
CryptUnprotectMemory
CryptUnprotectMemory failed
CxK?^	
)cxM$F*v
/cZ$tI
 D[+,|
D 1;89
D!3s:G
''''''''''''''''''DaJKHPam
@.data
dAyA%,C
dB	#F/,.
$`DcS"A'
~d,Cz|
ddddddd
dddddddd
DefWindowProcW
DeleteDC
DeleteFileA
DeleteFileW
DeleteObject
</dependency>
<dependency>
  </dependentAssembly>
  <dependentAssembly>
<description>WinRAR SFX module</description>
DestroyIcon
DestroyWindow
DialogBoxParamW
dinBg{
DispatchMessageW
dIW@4S
dmGXz=
DNSBench.EXE
DosDateTimeToFileTime
    <dpiAware>true</dpiAware>
Dp~!Qec(
d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
DQ0|zZ"Ux 
d(s&c_
{dSMUP7
dxL<wh
;E]	/"
e0~v8O
e1kW@x
E}4AX hlO
e+|8`(
%e!c{;>
Eeq]A(
eGbkRw
(E$?GF>
EH37+W
`E;|]Hc
EiJ1C"
e]@KEJ
! ekHo
eL&&v~
[E(m7J
EnableWindow
EndDialog
EnN^*Gk
)eNovU
(>?_eQ
}E*s/6h~
e_}U:+
eWMKT_k
ExitProcess
ex_m`z
ExpandEnvironmentStringsW
?>E\zJp
F _^[]
F|-27B
?F-&2x
>F5Q}kn
f8G+*S
f9=ZIB
f$9Z!wX
fbc:N:
Fblr&=
F-cl(iWh
f@EJv@$T
FFF))EE	FFFF))))))
fFFVV?
fH>"^Bl
Fhpo*Kl
fiENG7VP2I
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FindResourceW
FindWindowExW
FlushFileBuffers
F%o;_/YU
^F%&q^
/F	QC}
FreeLibrary
FSF)YK
@{ft{9
<F"t	@f9
Ft$-&k
FVFjN?
Fvrm|7%
FwHHmC
?FX7eC<
	)F!YUA
g33WwQ
g)(*4|
`G_4OM
g>4X"!*
&G8dw.VSNw
Gb7A!s'
GDd4 J{
GDI32.dll
gd^VQ)
gDz>UfzdJ
G@Ei\r
GetClassNameW
GetClientRect
GetCommandLineW
GetCPInfo
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetDateFormatW
GetDeviceCaps
GetDlgItem
GetDlgItemTextW
GetExitCodeProcess
GetFileAttributesA
GetFileAttributesW
GetFileType
GetFullPathNameA
GetFullPathNameW
GetLastError
GetLocaleInfoW
GetMessageW
GetModuleFileNameW
GetModuleHandleW
GetNumberFormatW
GetObjectW
GetOpenFileNameW
GetParent
GetProcAddress
GetProcessHeap
GetSaveFileNameW
GetStdHandle
GetSysColor
GetSystemMetrics
GetSystemTime
GetTempPathW
GetTickCount
GetTimeFormatW
GetVersionExW
GetWindow
GetWindowLongW
GetWindowRect
GetWindowTextW
GEv_	r\
gEzttOJ
Gj4|;T"z
"(GLOa
GlobalAlloc
gN:HH1h
@&&gQ8
g~TX 7
GU3Q/7
gWm(VBK
gwS3	3
gwS37%w`	
gZ}<Nd
H*3&<!P|
H4e_a(\7Z
hA,6aR9
!#Hb;Z(
]Hb`Zd
HeapAlloc
HeapFree
HeapReAlloc
\Hel8um
?HhD+"
HJK5!@
hk]E<(0	
h$&{Lk
HtCHt<Ht5H
HtEHt7
HtFHt8Ht*Ht
HtoHt>
HtOHt^HtBHu#
H-T&Y(
Huov:J6_
H_Vn[S
H^wT*<[
],	hyhU6
HY`~i3
 "=I-`
@//!I(.
I4VEts
iaM@u0m
I bZ7u
*ID\lh
I:^fb+
IJKL=MNOPQ
!iL:'8	
InitCommonControlsEx
{I]	`O
io<)Iz
I"Q&=~
IsDBCSLeadByte
IsWindow
IsWindowVisible
i%;vjq
IWj\_f9>u?f9~
IyQj	P
IzE~i~
i\Z&v#P
{J2Gm#
j2}-ws
|J#*6?
`_J69!:
j6_DALQ6
J6:-qnV"
,.J770
J92M"w
&JDy: .
*?JF=r 
#jG-*x
#ji(X~
JJJJJJJJJJJJJJJJJJJaieQRamu
/(J;	|L?8
_j,o3m
=j>R-K<
j~ruJi
j;sg~.
j Y+L$
-JZ|Fy`	3
Jz|G*B
({`&k%
K7_ML#
K&%$9#
kC&NGv
k==ds1't5ba#5U
k'!E2'
KERNEL32.dll
"]Kf C
/,	k~g
\K` g/cr
Kij8zj
*=KKFY
kkkkkkkkkkkjhjjjo
[kpc$,$
kp~Hg^Rj
k,T7`2
K?!%_^Vc
KW3MLQ" 
kX/mJ*
.ky,!}[
<l$2PQ
L2"r7a
L\52i+
L%5wS`
      language="*"/>
L*bAE?~
lbr|/q
LD*s!F
L;+e).v`p
lG.fm@
"LhrJZQ
)$l $m
l'~M7nI
l#@nZL5/<
LoadBitmapW
LoadCursorW
LoadIconW
LoadLibraryW
LoadStringW
?$LOc	
LocalFileTimeToFileTime
LookupPrivilegeValueW
L R }R+
l,@TIO
&L)TpI
}L%%Ud\I
%.LW8q
l(YAW_
lzFWo)
l|zk/Uh
lZT{L``y
!/M.:`
m0fG`h*
.M5/il>
MapViewOfFile
MapWindowPoints
maR^1_
meltu/
MessageBoxW
*messages***
.MF3aUw
mh62rk
?M;^hk
m^#|i3
m	)ip]
mJ2-bR>
m,&k*Hu
MkIj{W
mmrrrrs
)|M[N5
Mna`o=/
MoveFileExW
MoveFileW
!M$Pur#9
]M\\q;
	(MRg#
 m-RPU
mscormmc.cfg
mTxK.lP
m!u*^5
MultiByteToWideChar
;my,e1pp\
N4Y_cOW
      name="Microsoft.Windows.Common-Controls"
  name="WinRAR SFX"
NdfM_f
N!$ebxC
nHQ0^pg
<|Nk~~
n~|MHz-
NMz8|O
n".n.@
$"}nN*
NNu$j	
NQTVY[
nR,if7
/N~.}SR
*NW[&{
nW<zI]
n[{x[B
|nY`{Et
\nYH<#
]o1hw-
O~2_x,
O{4nP^
o,6~AO
O,6b 8|7
O6lV7N
O9JBgr^b
oaMa%]Q
o}bIyP$
"oBO<U
OB(Su cfS
OcBS5-B
%O"cj{i
OemToCharA
OemToCharBuffA
[<}Oey
`O/f&Tnx
@OH+}}
Oj*gTXB
o?l.*%
ole32.dll
OLEAUT32.dll
OleInitialize
OleUninitialize
o-l#W4b8
OpenFileMappingW
OpenProcessToken
O"Q?1)
?\Oqaq
OtI_;#
ozWJ+9S
p:	1?O"b
P2{mTs
P7BZ[<
P9]pu;
P9]pu+
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGRar!
/Pah1+3
P}/AS!
PA<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
(pbaei}r
>pb<dC
PClI?@
PeekMessageW
penc-N
pFi/P]
pGAUBS
Pi6tx.
p#nd&_
PostMessageW
	\ p	Qy,*\
      processorArchitecture="*"
  processorArchitecture="*"
pU5=1!M
      publicKeyToken="6595b64144ccf1df"
P|U%j}%
]pvfZb)+x
PWhtFA
^#PY20
p<Yp{Vh
Q4SQ_m4
Q^5PH8
!	QAiU
	 QB^8
_Q(bvoj
qCzGvw>
QD9] t
qe: $i
qh*F-i
q#IUm$
q"L`3kN
qMArhb
qNFF=_
Q*np{${w
q&p00P
/qQC93
]_QQsJ
QQSVWh
QskaOJ
qUfRniLk
<Q!UyGZkZ
qW%Y$m
'Q+X0c6
QXK[qy
!/=	r-0?
r 1p=?.
R1>P=$6
@R20,`
}r}2/o\NEu
(r7|Ni
r8z+>Y
r9(+n0X
__rar_
Rc?YnS
`.rdata
Rdi#N7
Rdo=J\0
ReadFile
RegCloseKey
RegCreateKeyExW
RegisterClassExW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
ReleaseDC
      <requestedExecutionLevel level="asInvoker"            
    </requestedPrivileges>
    <requestedPrivileges>
rGe@_U
<R<g=t1*
RId|B6J
rK7(f6[L
~rkhrli
r,*M.&
r N<GF\
>~;rO?{
~rptKG
r*Pur-	
RQU @Z
RQ`-zz
RR+-~FO~
rrrrrmm
rrrrrr
rrrrrrr
rrrrrrrr
rrrrrrrrrrrrrppps
@.rsrc
RSTU0VWXYZH
rt}L,"
r$U'cW
RuJVNN
R[wNYO
Ry|Zj@
RZcg+W
-s20Z:
S>*8iF
%.*s(%d)%s
  </security>
  <security>
SelectObject
SendDlgItemMessageW
SendMessageW
SetCurrentDirectoryW
SetDlgItemTextW
SetDllDirectoryW
SetEndOfFile
SetEnvironmentVariableW
SetFileAttributesA
SetFileAttributesW
SetFilePointer
SetFileSecurityA
SetFileSecurityW
SetFileTime
SetFocus
SetForegroundWindow
SetLastError
SetWindowLongW
SetWindowPos
SetWindowTextW
sgzNR?
SHAutoComplete
SHBrowseForFolderW
SHChangeNotify
SHELL32.dll
ShellExecuteExW
SHFileOperationW
SHGetFileInfoW
SHGetMalloc
SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHLWAPI.dll
ShowWindow
_S{H^x
s" hz>
[sjiC(
SjN'B4
skl-:7
SL'q5_p
SMOFD-i
so%Tg_
"S~Q%.
SSh|EA
S#"^sq%
StretchBlt
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
(SVWj 
`SVWjh
sX"!;8
Sx@,slk
=s_Xu5
Sxw?VII=
=(@SXz
SystemTimeToFileTime
	}\>t*
t0VSSj
T35* o
t.+4d,
@t6I{C
t6R*G<
tBC[\O
T<cT|'
td/p40+U
t{'Dv5
t	FAA;t$
Tg,=F5
    <!--The ID below indicates application support for Windows 7 -->
    <!--The ID below indicates application support for Windows Vista -->
!This program cannot be run in DOS mode.
t!hxCA
&:tkTE!
=tL?_.a
t*!'LJ
&t/l<n=
t@$PHC
tPh,HA
tq!Am{G
tqmxzz
TranslateMessage
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
 tSj X
TsKN\[
t<SSSS
<*t*<?t
tV#rOH
T{W9ud
}TXu,j:
      type="win32"
  type="win32"/>
@\)@[U
>u0&b)
u/?%-.2
(<\u$8F
u\9]pt
@uAj'Y
*U Bk?
Uc@F^]z
U$c=\s
uF^ORE
	uGJO*J
u|h(EA
u hlCA
u!hlFA
      uiAccess="false"/>
`)UimqiU(83
+ulaT{
ulx)q@
UnmapViewOfFile
%[Uo6;
UO[CM3
U):o/k
UpdateWindow
USER32.dll
U**	~U
$U&W0C^Q
U$Zvvof
{v1aKq
.v%~	2
V4*`!w
%\v@5Y
V7O>O<
V 8'h[
v/\+$;8t
_v92)l
V@@AAf
V'C#f6
v/!cQo
VdTwpr?|
\\`Ve}b
vE\g h
  version="1.0.0.0"
      version="6.0.0.0"
V"f3U?
v=.iXr
	vJnpc
_V*jPF
?vk;G6
VlICZ,o
vm0qgO@H
vN/30i
v	N+D$
VRNLLC
~vrrrrr
~vrrrrs
&*v,Sz
?vVj@_+
 w$~.[
#W)<;0
w5WWWW
!W7S7*
WaitForInputIdle
WaitForSingleObject
_	wC@>b
W:.?Cd%(
Wcvl+L
WD es~L
We\)Pg
<:W"+g]
w$+G?Mm
-W`>i}
WideCharToMultiByte
wihed ~
WINMM.dll
WINRAR.SFX
Wj<_WS
.wK49`
W"?L2Te,
WLBVZM
+[woDA
)wO,j9A
?Wpp_).
&%-Wq;
WriteFile
Wr`Lpx$
wvsprintfA
wvsprintfW
 W!/vu>	 
Wwgu"'P
WwR"'P
WwS7'u
wwwwwwww
#wy^lJ4
_X0Rn?
x0uqu<Ri
X|3>_s
&x+5MaH
/x,5sQ
X8Hm%3I
+x9K?'
)X$bp,XS
Xd)WXe
x:	e>3	
xE8/Z 
x?E:l~QA
X\~J@%
X $jVF'
Xj$%y;
(_xL>T
}x, M8
_XMY$I9
+X n,H
^XnQH:
[X)o7!
%xOia{
x]ou/x
X"``OV
x%p:}#
~XS0aM"K
XT`/F7M
_xTO:S
x)]y}y]4
XZc}hcbo
;^ "y5
yaVQ"r
y$a&wK
*#%Ybe
Y:(,%E
#Yf)_@
y.>g+A
.*YkL\j
@y|~n?
YNANRC
YO;Q#M
$YO)T'
yQGrbj
yrrrpps
yrrrps
~yr^X3
|>yUT1
y#V([!
YVXc~c
;yYAV?
yz=q0N<R"
z0iwP7(
Z2fQ`^-A
{(Z45G
&]Z4/H[
z^5bH6
Z7#~S9}
zA%I==zp
zcNk(;
zda,u}
zfaHf$
z_fj>{P
*!Z{H[
Z;h+s9)
Z/(o_J:z
Z`R+:t"?g9
{{<zVu*
{\zYCY
ZYv a[]:
'Z]YXqs