Analysis Date2015-05-10 14:27:55
MD513ae229f9d176d2e243d0d306a881073
SHA1ce97346b996a6cb67ad02a82381c07db47fe2002

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: ead411693117dae8deb088f5bb4a85fa sha1: b8e6aeccd3d0c302590d34bca7cf66da33daca52 size: 72192
Section.rdata md5: e70f56667b8e99a1ec239fd12b1640b4 sha1: fba2ce613ec7c4a7ba1b9d0c03ad0c3ba3aa1a67 size: 7680
Section.data md5: 11ffdfc240c81dfe9d957f6bf1761f00 sha1: f0f691437eb067b4de686e8b7225b8e4127cb275 size: 512
Section.CRT md5: acdfc3df6b189cbcd09b1c888f95fe9a sha1: d3f914de25aed7a125b6c83ebe2a497878fc22d1 size: 512
Section.rsrc md5: ce05a0f9de14c961f10cf5a6dfa0c9a8 sha1: 2e98ecda8b48b2509c44efeebfb8433bbe753711 size: 174080
Timestamp2011-03-02 07:40:24
Pdb pathd:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
PEhash159719808922aa9c4ff149865c54884243fc7697
IMPhashdbb1eb5c3476069287a73206929932fd
AVAd-Awareno_virus
AVAlwil (avast)no_virus
AVArcabit (arcavir)no_virus
AVAuthentiumno_virus
AVAvira (antivir)BDS/Plugx.588917
AVBitDefenderno_virus
AVBullGuardno_virus
AVCA (E-Trust Ino)no_virus
AVCAT (quickheal)no_virus
AVClamAVno_virus
AVDr. Webno_virus
AVEmsisoftno_virus
AVEset (nod32)no_virus
AVFortinetno_virus
AVFrisk (f-prot)no_virus
AVF-Secureno_virus
AVGrisoft (avg)no_virus
AVIkarusno_virus
AVK7no_virus
AVKasperskyBackdoor.Win32.Zegost.dgwu
AVMalwareBytesno_virus
AVMcafeeno_virus
AVMicrosoft Security EssentialsBackdoor:Win32/Plugx.L
AVMicroWorld (escan)no_virus
AVPadvishno_virus
AVRisingno_virus
AVSophosno_virus
AVSymantecno_virus
AVTrend Microno_virus
AVTwisterno_virus
AVVirusBlokAda (vba32)no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Filemcs.exe
Creates FileMcAltLib.dll
Creates File__tmp_rar_sfx_access_check_72875
Creates Filemcs.cvt
Deletes File__tmp_rar_sfx_access_check_72875
Creates Processmcs
Creates Processmcs

Process
↳ mcs

Creates FileC:\Documents and Settings\All Users\DRM\mcsync\mcs.exe
Creates FileC:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\McSync\mcs\mcs000.log
Creates FileC:\Documents and Settings\All Users\DRM\mcsync\mcs.cvt
Creates FileC:\Documents and Settings\All Users\DRM\mcsync\McAltLib.dll
Creates Mutexmcs_CAD0E02E86CD4436B6318C111B9092AC
Creates MutexGlobal\kibln
Creates MutexGlobal\agagpebowztkv
Creates Servicemcsync - C:\Documents and Settings\All Users\DRM\mcsync\mcs.exe

Process
↳ mcs

Creates FileC:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\McSync\mcs\mcs000.log
Creates ProcessC:\WINDOWS\system32\svchost.exe
Creates Mutexmcs_CAD0E02E86CD4436B6318C111B9092AC

Process
↳ C:\WINDOWS\system32\svchost.exe

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates Filepipe\winlogonrpc
Creates File\Device\Afd\AsyncConnectHlp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\All Users\DRM\mcsync\kzqucedolaoac
Creates ProcessC:\WINDOWS\System32\msiexec.exe
Creates MutexGlobal\eqldtqqeg
Creates MutexGlobal\irond
Creates MutexGlobal\yuldtjearipywjfpj
Creates MutexGlobal\akmptrlke
Creates MutexGlobal\qiluuxuyvilavolxn
Creates MutexGlobal\mxtia
Creates MutexGlobal\irothjoiquwia
Creates MutexGlobal\wemnhvtih
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexGlobal\altiyzvvqplqrsorj
Creates MutexGlobal\embahvmdzraqw
Creates MutexGlobal\mybxylfeypaxo
Creates MutexGlobal\ordefamblbyvoxdzw
Creates Mutexc:!documents and settings!administrator!cookies!
Creates MutexGlobal\sxzfpnxmf
Creates MutexGlobal\caldqcspsihpexqvk
Creates MutexGlobal\agagpebowztkv
Creates MutexMy_Name
Creates MutexGlobal\welxlcdyczgarwjiy
Creates MutexGlobal\mbdlmpnpzvyvxjgfu
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates MutexGlobal\undqqwznr
Creates MutexGlobal\ghtulfvfg
Creates MutexGlobal\kibln
Winsock DNS127.0.0.1

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\System32\svchost.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝
NULL
Creates FilePIPE\lsarpc
Creates FileC:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates FileC:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates FilePIPE\lsarpc

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\services.exe

Creates Filepipe\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
Creates FilePIPE\lsarpc

Process
↳ C:\WINDOWS\System32\msiexec.exe

Network Details:


Raw Pcap

Strings
\_
.\
:\\
...
010A___
.
.
x
S
.
.LQ:S

%08x
about:blank
Accept
ASKNEXTVOL
<br>
&Browse...
Bro&wse...
bytes
%c:\
Cancel
&Cancel
Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password.
Cannot create %s
Cannot open %s
Close
Confirm file replace
CRC failed in %s
Decline
Delete
&Destination folder
EDIT
-el -s2 "-d%s" "-p%s" "-sp%s"
Enter password
&Enter password for the encrypted file:
ErroraErrors encountered while performing the operation
E<ul><li>Press <b>Install</b> button to start extraction.</li><br><br>E<ul><li>Press <b>Extract</b> button to start extraction.</li><br><br>6<li>Use <b>Browse</b> button to select the destination4folder from the folders tree. It can be also entered
.exe
Extract
Extracting files to %s folder$Extracting files to temporary folder
Extracting from %s
Extracting %s
Extraction progress
File close error
folder is not accessiblelSome files could not be created.
GETPASSWORD1
<head><meta http-equiv="content-type" content="text/html; charset=
hRichEdit20W
</html>
<html>
.inf
Insert a disk with this volume and press "OK" to try again or press "Cancel" to break extraction
Install
Installation progress
jmsctls_progress32
kernel32
License
LICENSEDLG
LICENSEDLG	RENAMEDLG
.lnk
Look at the information window for more details
manually.</li><br><br>8<li>If the destination folder does not exist, it will be2created automatically before extraction.</li></ul>
*messages***
modified on
MS Shell Dlg 2
@&nbsp;
Next volume
Next volume is required
Not enough memory
No to A&ll
Overwrite
</p>
Packed data CRC failed in %s
Path
Please close all applications, reboot Windows and restart this installation\Some installation files are corrupt.
Please download a fresh copy and retry the installation	All files
Presetup
ProgramFilesDir
.rar
RarHtmlClassName
RarSFX
Read error in the file %s
Rename
&Rename
RENAMEDLG
Rename file
REPLACEFILEDLG
riched20.dll
riched32.dll
r%.*s(%d)%s
rtmp%d
runas
"%s"
SavePath
%s.%d.tmp
Select destination folder
SeRestorePrivilege
SeSecurityPrivilege
Setup
sfxcmd
sfxname
Shell.Explorer
Shortcut
Silent
Skipping %s
Software\Microsoft\Windows\CurrentVersion
Software\WinRAR SFX
%s %s
%s%s%d
%s %s %s
STARTDLG
STATIC
</style>
<style>
<style>body{font-family:"Arial";font-size:12;}</style>
TempMode
Text
The archive comment is corrupt
The archive header is corrupt
The archive is corrupt
The file "%s" header is corrupt%The archive comment header is corrupt
The following file already exists
The required volume is absent2The archive is either in unknown format or damaged
Title
__tmp_rar_sfx_access_check_%u
=Total path and file name length must not exceed %d characters
Unexpected end of archive
Unknown method in %s
Update
utf-8"></head>
WinRAR self-extracting archive
winrarsfxmappingfile.tmp
with this one?
Would you like to replace the existing file
Wrong password for %s5Write error in the file %s. Probably the disk is full
&Yes
Yes to &All
You need to have the following volume to continue extraction:
=]./{?
?*<>|"
01K 2,
 (08@P`p
09PXTz
0<lk|y
0pS<s@
0V$3JZ
0	^xEs
#1#9]U
1Ft<l^C
=1^%G0
1l[GW2
!|,1+m
1.MxKyj;
1Q$QRIk
1QRx<C0k
:1uA}?
!1VgfiwOF
2%{%}1
2AOVM)
2b:cf@h
2D\\]-
2glMF}/
2\MDZgn
2py}![
2Q70K_UR
2Q*xe!8
2+RW^n
2	Vl6`S
2$Yuwy>
31M=Yj
33!D	3
;3<%C4
%3e;h"
3^m`(37v
3$q[9(
3|rO)r
<3\u1WV
]~3WK3
%40@4N+
_)4,G|0~S3
4M"Xczk [.
4[o3w<
?4Od3rm
])4$	S#
544$ddc{ddd
5*$CG)
5=f6A~
5g*QqA
5>j}(n
5QvA4o
`-%| 6
}$_62;a_
6f!kOf
6g8g{0
6jL{&q
+6oT@d
6O;^_X
6.Qo":X
6SWal_
+/6uw;o
$7Ix*x
7K.~)#$
7](]Mf
7>Ns~s
7R|eAG
>,7~RvL
7`Vs_vcuk
7W]QTXQ4
#7Zd~M
8?8"g|
8gXK=CC
8	<lbD
8'''U2
8weU6je
9@#2(,
_-/:9221
97Ep;|7
#=9Bs!
9FApoC
]+9Gogb;
9IUp"Y
9]k&8t
9n9~qa
#9?;	r
.9s|1M
~9T	@}
9#+WGt6
/9Y-T^c8
9Yuvo/
a\4D6:
/A> 4-Q
[a6lRx
a]9,`e
a_bS4e
AdjustTokenPrivileges
ADVAPI32.dll
	AENAB
Aeo[Yf
AGmj'v
<a=/m 
AO =Fs
a`ovi}
  </application>
  <application>
</asmv3:application>
<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
  </asmv3:windowsSettings>
  <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
</assembly>
<assemblyIdentity
    <assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AT&CqV]*
A?<|Uu
/ave1\a2oS
.<Ax#M
ay2VSgfa
A	!Z5G|
B16rAc{X
?B217'
b$&25.g
B6-3ht
bad allocation
bBCv<o
$BcSP_
++^BdG
b%ee*&e
Be{!k9
BfBWaf
<B@II;
bjaPD,
B=_Jhl
b <jif
b?L1HSF
b%pALV
BRRBRRBRRBRRBRRBRRBRRBRRBRQ
BRRBRRBRRBRRBRRBRS
()/b]S
Bu	I13
}bu@*kTz
BV3qN`
BxXmR1b
bzjbVS
c%0?#x
	(C+2m
^C55S+ 
C6'R42
[cC3(tA
C(fH'w
c_g5<8
CharToOemA
CharToOemBuffA
CharToOemBuffW
CharUpperA
CharUpperW
chc$Cw
	]>cJ?14o#
CK5{@+
CloseHandle
CLSIDFromString
CMT	UQ
CoCreateInstance
COMCTL32.dll
COMDLG32.dll
CommDlgExtendedError
CompareStringA
CompareStringW
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
CopyRect
CreateCompatibleBitmap
CreateCompatibleDC
CreateDirectoryA
CreateDirectoryW
CreateFileA
CreateFileMappingW
CreateFileW
CreateStreamOnHGlobal
CreateWindowExW
>Cs*[%
c)tCeBG
Ct;PE=YVLP'
-C uT~;
C"V#8N
{C)vTC&B
cwg+eoF,
@.data
dAX/w>
dEBI.) S
DefWindowProcW
DeleteDC
DeleteFileA
DeleteFileW
DeleteObject
</dependency>
<dependency>
  </dependentAssembly>
  <dependentAssembly>
<description>WinRAR SFX module</description>
DestroyIcon
DestroyWindow
df?\MP$
DialogBoxParamW
DispatchMessageW
d@j93v
dMe*XT
)D*N/}
DosDateTimeToFileTime
    <dpiAware>true</dpiAware>
d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
Dptq!i
dpua1q
[dPz4G+
Dq|f8;
dqM)556Z
D]q,WK
dT}Ll'
D&U~ayy
d\v,W}
>D+weC
Dxp[5|v
`E2\K[
e2;W/z
e3{`2c
E8,aP#
#Eb(&y)z
E`DJj9O`s
e	[>I]uf
EnableWindow
EndDialog
EO9IU<
$.eoA7 
Eq\En(
"EQ/o<
eQtz!N
ER*AaE
e^TkXx>
ExitProcess
ExpandEnvironmentStringsW
EY(fwH
EyT1tHIb
F _^[]
!F`1;4
};F>=3
}.F5'1
]f 6eo
f90u2h
|f~[a\}
fbjneSu
FC#wv'
"{,]/fD-STy
FFF))EE	FFFF))))))
ff#Xwy*
%{.&fgP
FHa!*&
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FindResourceW
FindWindowExW
fK1R/,U
)fL.40
.=F^MA*(
FreeLibrary
F'$&Rf
FSFs#8
<F"t	@f9
FW1xXQ|
FW>-h3
Fx3@j?
fyAZH'
FY;xiV
Fz-2>g
`g&*_ 
G0V}35`1
g33WwQ
 *G3+o)VK>
g5.tv;(b
gA/7-w{@
Gb?_?u
GDI32.dll
'>g[d&	s
GeIyh5`j
GetClassNameW
GetClientRect
GetCommandLineW
GetCPInfo
GetCurrentDirectoryW
GetCurrentProcess
GetDateFormatW
GetDeviceCaps
GetDlgItem
GetDlgItemTextW
GetFileAttributesA
GetFileAttributesW
GetFileType
GetFullPathNameA
GetFullPathNameW
GetLastError
GetLocaleInfoW
GetMessageW
GetModuleFileNameW
GetModuleHandleW
GetNumberFormatW
GetObjectW
GetOpenFileNameW
GetParent
GetProcAddress
GetProcessHeap
GetSaveFileNameW
GetStdHandle
GetSysColor
GetSystemMetrics
GetSystemTime
GetTempPathW
GetTickCount
GetTimeFormatW
GetVersionExW
GetWindow
GetWindowLongW
GetWindowRect
GetWindowTextW
`gg-6yW/z
*g%'IaFv
&g)J!e
GjuQB+U_f
gK7X7'
,GLJ`F
GlobalAlloc
GnL"EI
>GoC x
g)`RrM
GSjmUg
G?":_T[S
gu0gon
G^ujX!`
Gw4f[k
gwS3	3
gwS37%w`	
G)X"yn
.gyCvZ
!G/yV.
h$|3jT
h4Y1k9
?H6efe
H7CRAT
/H>b_D|
HcSP ~!
H-dz}=
>hE-++3
HeapAlloc
HeapFree
HeapReAlloc
h#@Gny
@HJJHJJHJJHJJx
&^HnO#
hoK,dU9
hP.u7`l,
_hssLb
HtCHt<Ht5H
HtEHt7
HtFHt8Ht*Ht
HtoHt>
HtOHt^HtBHu#
H.u$xC
_H*V!6
hv'8X?Y\
H}@[wrG|
HW\ZO[
hZ'FGc
I23t2N-R
-i|5j=
i6}~q`
I73&ZC
i7/}x5
iAbh%tHs
IAMZe":
icL*0WC
}!I*ct
>Ie39vN#
IF4]xl
=(I>h=
I<+.Kz
I%'mtK
IN#$aY
InitCommonControlsEx
iOTX2-
]I@:R_ph!
irq -Q`<k
IsDBCSLeadByte
IsWindow
IsWindowVisible
IUhWUq]
i&"VlUm
iWcXwU
IWj\_f9>u?f9~
ixQ17!
J>0?0U
J{0{ah
J*",`3o
+:J5n5
J6^Qh2.G
j9/!i{ocM
J9+oRi
jAS1 Cb
&Jbuj}
.j)d5)
jDoY^%
\jegQU
J/FEMm
JG{Cx>
$jhgR/8_ 
jhOW\7
'jI(9D
|JjRS'I{
j]N(OMYy
&joPd%1K`
J^+;pd
J|%%$q
...J---Q---S...S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---S---R...K
Jtlq$\8
j Y+L$
^+K1ut*
K$3{Ky%,
k<5Ofk
]k}"BHI
KB:P:[
K`C;EOI$Cm
]{Kdh	
K-~d$oq)
Ke+CY$
KERNEL32.dll
kg0X%u
Kl;m	W
}&~/Km
!k[mkN@
K(|on\
ksJ?OW
K=sP:f
K)!s+YB
@<KU1OD
kv) 4V
]K)V\Dw
 kWH|e
l57^'U6_
L7"9Hb
laIIC8
      language="*"/>
lD\%6&
$.>LDA
l+!;	Ga'
ljg^D]
LlnYPW
LoadBitmapW
LoadCursorW
LoadIconW
LoadLibraryW
LoadStringW
LocalFileTimeToFileTime
LOd*|X
Lol|}7
LookupPrivilegeValueW
Lusvtp&
LV\Hx!\
;L>xKbH
lzUkJ~
m1%#d`
m3S3=9 
M	738mF
MapViewOfFile
MapWindowPoints
McAltLib.dll
mcQ.u^
mcs.cvt
mcs.exe
Me2ka>v
Me5i'[5
MessageBoxW
*messages***
%M"+fS
MJ552J6
'!Mmd;
MNvA];)
moCsj8
MoveFileExW
MoveFileW
`{mQyz
MultiByteToWideChar
`mZxa$
+N0Q<c
n,[40|m
n]#6Vb
      name="Microsoft.Windows.Common-Controls"
  name="WinRAR SFX"
nBz`:k
NF/"|%
n(f{qc
NfTP+7
`NJ7HB
}NKo1BL
n--nC?
Nn=G{P
N[nUG.)
NNu$j	
nr6*<Q.
nRviseL
n<`	)uJ,u[Y
nWt|$)
:NXT2$i
N`y8kj
oc3ZSa
od013>kS*=
OemToCharA
OemToCharBuffA
?OE,<R
"@^oGr-p
O!GS.OqO!
o|GzKW
oH~[n_
ojKr;Q
ole32.dll
OLEAUT32.dll
OleInitialize
OleUninitialize
O%\$N5Bx
oNT&#&
OpenFileMappingW
OpenProcessToken
Opr\ ]
oq3Y~B
^}OQ?KL
-])ov1
|Oyvv%w
p/6E'%
P9]pu;
P9]pu+
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADRar!
PA<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
]pB^hz
PeekMessageW
#'P*EU
PhPG=A
"p$Jh-(
P^jtt7R]DJ5x>
$pjYAY
pm]z wA
PostMessageW
P%}&:Q
      processorArchitecture="*"
  processorArchitecture="*"
      publicKeyToken="6595b64144ccf1df"
PWhx8A
?PZ+25AUv
q}cB'O8
QCK(kN
]qEPB"
QFeWfh<A
_:qfYs,
Q(gHn=
Q~HK5X
qja@Z*
Q=Jujd
qJXD#"
qK9Zje
%QK}DA
]"QLa?
QQSVWh
QR}/M&u
QxnsLPZ
 qy:0!
Q>!YPu9qbB
}@r6.1
R-9-Sp{
R#9Zv/
Ra8k^=
__rar_
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExW
RegisterClassExW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
ReleaseDC
      <requestedExecutionLevel level="asInvoker"            
    </requestedPrivileges>
    <requestedPrivileges>
\r_mRJ
^R\O4H
R.$&Rvn
R^S{cY
@.rsrc
rV57h}hI
RxiIYiy
}]rZ@)
S30^e[
%.*s(%d)%s
  </security>
  <security>
SelectObject
SendDlgItemMessageW
SendMessageW
s}e\q7
SetCurrentDirectoryW
SetDlgItemTextW
SetDllDirectoryW
SetEndOfFile
SetEnvironmentVariableW
SetFileAttributesA
SetFileAttributesW
SetFilePointer
SetFileSecurityA
SetFileSecurityW
SetFileTime
SetFocus
SetForegroundWindow
SetLastError
SetWindowLongW
SetWindowPos
SetWindowTextW
SHAutoComplete
SHBrowseForFolderW
SHChangeNotify
SHELL32.dll
ShellExecuteExW
SHFileOperationW
SHGetFileInfoW
SHGetMalloc
SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHLWAPI.dll
ShowWindow
$SI)-;
Si8$Wa
!Si#c&.
SIm:@Y
SjQ67N
?SJthC
slWo;?
#SMI67
s]OGap%;f
S#.#Q\
srg~;0>	
StretchBlt
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
SV.A3*
(SVWj 
`SVWjh
=svw|L
SystemTimeToFileTime
\S\zGU
>t``]&
t0ht6A
t0SSSj
?(? T1 
=t3Y%4
t4SSVW
T#>5O1Y
t>B4>C
t~b4+OPJ 
tby-)v
TC9R.%
t	FAA;t$
T:,h[`
    <!--The ID below indicates application support for Windows 7 -->
    <!--The ID below indicates application support for Windows Vista -->
t!hh3A
!This program cannot be run in DOS mode.
t/i'Az?
t$J5>U
/>]TLcxG%mE
tQ-ssC
TranslateMessage
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
 tSj X
/t<ss9
t<SSSS
<*t*<?t
TU?~ism
tv=?i{
tWJB#T
tXTr|]]
T#y[dq^
      type="win32"
  type="win32"/>
;\u0VW
U%$:-5hY
(<\u$8F
]!^uBh*
u h\3A
u!hp8A
      uiAccess="false"/>
@U+;iIT?}8
/}UJa|uj
\&-UkwU
UlZG:?
UnmapViewOfFile
]`u}^P|
UpdateWindow
UR22Xk
u.*\ra
{URich
USER32.dll
_UVVMV]
uXIS$N
u-yf44
*"]v@@
V5lhbM
V5xzOq
V6{R2u#
V8a"]b
V8yn,x<P
V9-:b8
V@@AAf
v$\A.u
(vBAl<Z
v[byI/
v[ccgZ
VCiPQ*)
VD!PBO+
.Vdrhf
  version="1.0.0.0"
      version="6.0.0.0"
V>f*XT
	?v^Gu
VG,,X~
vhq;0 (
]!VktZ_&
Vmq~?U
v	N+D$
?vNj@_+
#V}]?R
Vs) jB
v;|s^R
VSSSSh
vuYQbix'e
-' VV9z
V'x>*<
,(VY:m63Q
^w0aHW
W@20fa
w5SSSS
|w6RYg
W9VQPX
WaitForInputIdle
WaitForSingleObject
w*"c_=
wc4	f7BU
WdF4881;eq
)<WDph
WDw(K 
WG_%Gm
@WhP6A
WideCharToMultiByte
WINRAR.SFX
Wj<_WS
w!&\M&
wmqb1qK
WM:v7Q
WoEoX,
WpyhC[
(=Wr0JMV
WriteFile
W{rJAK
`WTe.x
W*Udu,
Wv'76R
wvsprintfA
wvsprintfW
Wwgu"'P
WwR"'P
WwS7'u
WyM//7
X5wQY7
X 7;=W_u
<x9YY 
XAxtti
x'cpGbJ
xd?|~J
xex@{e
xF:wvd
x.=I$q
X$kUOpV/
Xl6T;a+
<xr,c?
XTo 0G
] *[-x<U5
xU/C(E
XWU76F
+x/XVqH
;/XzRo
, y?>`
Y3}|tEeP
Y9	bm#
yaNxL8wI
Y)AuoIb
Y<bc[	.0
, y E3
;	,*?YF
@Yh||1R
Y}h3az
Yh-H{W
yh^uMR
Y(I'vRm
Y~?j$U
(Yn<@|
YNANRC
\,yp{#
y@R3AG
+YRy76
YW,B\Tb
yX8H?lB
%Yx<R%
Y=zVt;(
Z2fQ`E
Z9*E{;
_:ZAc:
ZAm<#6%
Z,}A^v
Z/H[Qn
~	zigZ	93tK
ZmU"Kt4
z-Qj#EB
<Z^.S;2
ZS~5+v]
ZspL9n
zuFhl3A
z=Vq3q
:zWztrs|W
,zZ	mD
]zz*'n&