Analysis Date: 2014-03-03 15:21:49
MD5: 7194010a21b15956da673436ea05e0a2
SHA1: e59452bc22db0a06ac00cc67292b10a651bce3ab

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 7c114daa3ff057c87fb4d833d0a78972 sha1: 114dddee282f19b9a3358e29452efa7a97d77e61 size: 39424
Section: .data md5: 99858e86526942a66950c7139f78a725 sha1: 4031ea1fec36456937a750320b5b44764cfea07e size: 1024
Section: .rsrc40 md5: 003d9750d323b4029d8c26d78b09e05d sha1: 06821cfd084b885ca6feb5916e7b357124f7206c size: 401408
Timestamp: 2004-08-04 06:01:37
Pdb path: wextract.pdb
Version:
LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: Wextract
FileVersion: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
CompanyName:
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.00.2900.2180
FileDescription:
OriginalFilename: WEXTRACT.EXE
Packer: Microsoft CAB SFX
PEhash: 00643738dbc8456b4c07901b71c7501bc7cb1107
IMPhash: 0ebb3c09b06b1666d307952e824c8697
AV: avg - Generic15.BOIX
AV: msse - Worm:Win32/VB.EB
AV: clamav - Trojan.VB-56020
AV: avira - TR/Dropper.Gen

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 ➝
rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\"\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\TMP4351$.TMP
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\Free2.exe
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\Free.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\Free2.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\Free2.exe

Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\FreeSMS\Settings\RegionalID ➝
0\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\for-ever[1].htm
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: for-ever.us
Winsock DNS: www.box.net

Network Details:

DNS: www.box.net
Type: A
74.112.185.83
DNS: www.box.net
Type: A
74.112.184.83
DNS: for-ever.us
Type: A
61.155.149.85
DNS: for-ever.us
Type: A
222.216.190.60
HTTP GET: http://www.box.net/shared/static/i27yxm9qkf.xml
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://for-ever.us/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 74.112.185.83:80
Flows TCP: 192.168.1.1:1033 ➝ 61.155.149.85:80
Flows TCP: 192.168.1.1:1034 ➝ 61.155.149.85:80

Raw Pcap
0x00000000 (00000)   47455420 2f736861 7265642f 73746174   GET /shared/stat
0x00000010 (00016)   69632f69 32377978 6d39716b 662e786d   ic/i27yxm9qkf.xm
0x00000020 (00032)   6c204854 54502f31 2e310d0a 41636365   l HTTP/1.1..Acce
0x00000030 (00048)   70743a20 2a2f2a0d 0a416363 6570742d   pt: */*..Accept-
0x00000040 (00064)   456e636f 64696e67 3a20677a 69702c20   Encoding: gzip, 
0x00000050 (00080)   6465666c 6174650d 0a557365 722d4167   deflate..User-Ag
0x00000060 (00096)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000070 (00112)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000080 (00128)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x00000090 (00144)   4e542035 2e313b20 5356313b 202e4e45   NT 5.1; SV1; .NE
0x000000a0 (00160)   5420434c 5220322e 302e3530 37323729   T CLR 2.0.50727)
0x000000b0 (00176)   0d0a486f 73743a20 7777772e 626f782e   ..Host: www.box.
0x000000c0 (00192)   6e65740d 0a436f6e 6e656374 696f6e3a   net..Connection:
0x000000d0 (00208)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 4c616e67 75616765 3a20656e   ept-Language: en
0x00000030 (00048)   2d75730d 0a416363 6570742d 456e636f   -us..Accept-Enco
0x00000040 (00064)   64696e67 3a20677a 69702c20 6465666c   ding: gzip, defl
0x00000050 (00080)   6174650d 0a557365 722d4167 656e743a   ate..User-Agent:
0x00000060 (00096)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000070 (00112)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000080 (00128)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000090 (00144)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x000000a0 (00160)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x000000b0 (00176)   73743a20 666f722d 65766572 2e75730d   st: for-ever.us.
0x000000c0 (00192)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000d0 (00208)   702d416c 6976650d 0a0d0a0d 0a0d0a     p-Alive........


Strings
|
\
\
"
\
.GE
 
o.
.
"
.4
. .@
..
j
.
..8Lx
i
..6
7
.
n
v
.
c=b
4
E
.F.
..
>
+.U
.p
v
..
....
Q
                                   
040904B0
4Please select a folder to store the extracted files.
6.00.2900.2180
6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
8Unable to retrieve operating system version information.!Memory allocation request failed.
ADMQCMD
&Browse...
CABINET
Cabinet is not valid.
Cancel
&Cancel
/C:<Cmd> -- Override Install Command defined by author.
/C -- Extract files only to the folder when used also with /T.
CFailed to get disk space information from: %s.
Command line options:
;Command line option syntax error. Type Command /? for Help.
CompanyName
&Continue
Could not create folder '%s'
Could not find the file: %s.
Do you accept all of the terms of the preceding License Agreement? If you choose No, Install will close. To install you must accept this agreement.
Do you still want to continue?
Do you want to continue?
Do you want to overwrite the file:
Do you want to restart your computer now?
eAnother copy of the '%s' package is already running on your system.  Do you want to run another copy?
(Error creating process <%s>.  Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
Error loading %shGetProcAddress() failed on function '%s'.  Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install
Error retrieving Windows folder
E&xit
Extract
Extracting
EXTRACTOPT	FILESIZES	FINISHMSG
FileDescription
Filetable full.%Can not change to destination folder.
FileVersion
Generic1
Initializing... Please wait...
InternalName
LegalCopyright
License
LICENSE
Microsoft
 Microsoft Corporation. All rights reserved.
msctls_progress32
MS Shell Dlg
$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed.  It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) . 
 Operating System
OriginalFilename
Overwrite file
PACKINSTSPACE
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
Please type the location where you want to place the extracted files.
POSTRUNPROGRAM
ProductName
ProductVersion
/Q -- Quiet modes for package,
REBOOT
RUNPROGRAM
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.
SHOWWINDOW
.SThe '%s' package is not compatible with the version of the file: %s on your system.
StringFileInfo
sYou must restart your computer before the new settings will take effect.
SysAnimate32
System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?
System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted.  Contact the vendor of this application.
Temporary folder
/T:<full path> -- Specifies temporary working folder,
:The folder '%s' does not exist.  Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are runni
TITLE
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue. 
Translation
#Unable to create extraction thread.
UPROMPT
User1
USRQCMD
VarFileInfo
VS_VERSION_INFO
Warning
Wextract                
WEXTRACT.EXE            
 Windows
&Yes
Yes To &All
You do not have administrator privileges on this machine. Some installations cannot be completed correctly unless they are run by an administrator.
02J=ee
06oG}y
0cGnLh>
0cG/>q
0C.VYF
0<Drf:>
0GBijA
0IM!pi
0K'p2f
0kPG$rA
0{n7J`
0o<Cbp
%$0rm8
0_u9ppO
<0X+iz
195/- I
19wfWM
1fb~s&
1g0OR4
~1K{K~}
	&1o#F
>1!^qd
]1!RIB
1'T!7v
2)9OO(L<
2#c_y~
2DBkW4(
.;2e_^y
2la&>u
(2o8ia
2Ow^wvz
`2R!;VSK
2-w%fV
2y,8l1
2YW/ne
30!MX!X
39,	;N
3b1wF4w
`3!Cl|
3g4D}W
*%3H+<
].:3iix<Cj
*;-3n@y
3YYMe,1
4Ac\S$
4 FX"*
*4g#E{
@(4L#T
4SVWhD
4Tj'5N
^4\to7
~\/4u`r_
~4v$h>
4[=vV6
4[@wQU
#&[4*yB
.:4ZAVe
4Z&t9[kA`
 =5F/h
5k>@;)K
5LJ-l'
5mQD@r
>'5nK^
(5p=9k
},5tf2v@_
5tl4,+
5Un~A+
5VPgkN
5xFC}GD
60WqPN{
6!DwRC
6Hfq"CBj
6i(%D,SMTo
$6ivUZ
#6lj==7l
6M13T#
.6M'$]E'
6&PjQo-
.6py>Y(b
6@raN^3
6t0H,C
6zf<m<
7=1m>7
7dFuUj-
^7g|#~s
7I0JW]x
`7.i!=+C
;7Ln<%
7P |qe?
"]7r/T
7T$(k{
|7u4p,
7'ukw=8
7,	WWv$
7%?YV0
'800Ue
88=j*f##
|?#8F^
8& F!`
8@FH/H
8@H @9
8H:^pA-O
8?Ixb5
(8K3%h
8;k5$D4
/.`8k.o
8LDICt
.[8+m<
8;PiDq
=9*!\#)
(	9[`)
9 )114kcJEksBAks10kk!
97966K
9fS(4U
	[]9g,
9:h/%4
	9?Igbf
9LDICt
9MhM:E
a_"_[^
A*5u&Pz
a8aZv0
A94f(o
A`bo^]
A~Cg.l!
Ad$gJv
AdjustTokenPrivileges
ADMQCMD
AdvancedINF
advapi32.dll
ADVAPI32.dll
advpack.dll
*ADX8#
<=~aE.
a&FKM~;<&
A#hA 1A
A|hn'@
AIT? d
AllocateAndInitializeSid
ap%HUo
AQ9'zj
A\T{n^^
}&a--v
A;Vbr)
AVI LIST
:aWhrZN
!Ax8{{
&AZAZ@
	}	b2M@>
b9Am;u
B9N(tU
BAkliE
Bb[weW
Bf>?<)
bgY!vM
b$+!@h
	(-bI5
,B+)j`
{b&|jdS
b|l,TO~(
	BM .E
b<+Mp 
BO$DP(!
BOnEC6
B}v;PQi
b-~+Xj
B.YPV@=
B[Yq.R)(
bZc[_u
~=~	=c~
c(0mF@jC
c'2S}*%
}c7yw*\
CABINET
CallWindowProcA
cBv'a}
cc'qFgWC
C"E_G#Qo
C{EK=%
-`c=g{
cgE*!y
CharNextA
CharPrevA
CharUpperA
CheckTokenMembership
CHpxn`
CloseHandle
}{CMM&
C"mSLn
cM@x:$!
COMCTL32.dll
Command.com /c %s
Control Panel\Desktop\ResourceLocale
cpD[~h
%c|pYQ\
 cq<h4
CreateDirectoryA
CreateEventA
CreateFileA
CreateMutexA
CreateProcessA
CreateThread
:Ct=B+
C'u_eh
C+W1iN
D'1[Hq
D/(2@0$
D4:`*L
[d4q:6
D7L4S*
`.data
DB8mi\:
DecryptFileA
DefaultInstall
DeleteFileA
DelNodeRunDLL32
>Df*_1i
D.gwqw
'dhuYi
DialogBoxIndirectParamA
d/$	IBq&
 dIdP&
DispatchMessageA
dL&c'D
%dL	No
Dm?k'[
Dnf74!/
DoInfInstall
DosDateTimeToFileTime
<Dp_F2
dS-.lL
/dYrC#
dYts	0
dzp/73
E5eor/
e7tXnQ
!e<9#*7
EA8q;[
e ajmh
e*@>cM
Ec<\*n<
eLn,k$
^	.E[M
e|M6]M
em!A\~
E|Me|6
EnableWindow
EndDialog
EnumResourceLanguagesA
E'o4:U
E}@o5G
E#odtTW
Eo Lmy-
'_E"Oy
/e+qkd
EqualSid
&%?ES"
Et"HHt
EVuWVCC`
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
EXTRACTOPT
\$<>f$
?|F+3$
!F;5c!A'
F.,8fS
F%9#pM
`FblyI"
FgNu.?
F@.gw1
FILESIZES
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
FINISHMSG
fN"#wo
FormatMessageA
fo~Uy$
FP};G#x
fQ*!GU5y
Free2.exe
Free.exe
FreeLibrary
FreeResource
FreeSid
FreeSMS 1.4.8
fswz"H
FUoJ>g
F WWWWWW
fwYe%2
*(fx`,
fy3"rLg
->fZ$	
g	<7x5
GaQ3MF
/gcX(c=
GDI32.dll
G_D`-V
gEJFU[
GetCommandLineA
GetCurrentDirectoryA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDesktopWindow
GetDeviceCaps
GetDiskFreeSpaceA
GetDlgItem
GetDlgItemTextA
GetDriveTypeA
GetExitCodeProcess
GetFileAttributesA
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileIntA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetStartupInfoA
GetSystemDirectoryA
GetSystemInfo
GetSystemMetrics
GetSystemTimeAsFileTime
GetTempFileNameA
GetTempPathA
GetTickCount
GetTokenInformation
GetVersionExA
GetVolumeInformationA
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
G"f;Fjr
;gIH !
 gIO1P
"GiR:X
g]}J;+A$
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
"g#lWD
gMB\Bt
?gm*i(Z
)gN/rh	
gn.*tw|
GqL//^b
gR	~FK]u
Grfn9!*
Grk*u'
;Gs\4-%|
+{Gub|
H3h!	l
 H)57[
\$h_8x
[HB1Sj^-B;
:?'hB]9
H_#bhq#i<
HCs=~)y
hdrlavih8
hev4Bv
;,;hEW!
h"Ha	[
HI2eB\m
|!-h!n
HO=I_-z)D
?hOX4)Q
HT0~xghG
HteHt3H
Ht	HttHt
HtiHt<Ht
HtmHtEHt
h(uEO>6
HUk)v|
i1~_k9
i2D|@jO
i&3559Jc|
'$<I4$
=iA}=V
i<[b0N
Ib8]1Y
$iFha=
IG+]d+
?i*gSS
i}$H,2
IIQM&H
iJ:jZ.
i_MB@W
i >nqZ;
INSTANCECHECK
:ioFDo
I>.$r?
IR^Sl@
$i@<rY
IsDBCSLeadByte
I{Tx`EbO
/,@iU;
=i>W/B
IXP%03d.TMP
i}|ZiA
I,-Z_V:q
J6zIk8
J8tP'Qb]vU
:JC4J)
jge%@9
&^J<H*&
)JI/%E(
J&jcNb
*JjM?A
j{?jzd'
JK"g!d
jKi^IY$:AI
j\K*M>W.
jl+1Ai\
j)N4M!|
jPIP-%
J^pj+/
JQ"WiUn;
J_QXI 
J'{)RN
j SVh$
j"TcV'
jUSo%-R
JwDto#*
j WVhJ
j*xo}g5
JzlK6O
	k.,_1
K2yK* :
KC7<8~
KCoYqhpE
*	%`kD
%<k>eekLz
#KeF)ZE
KERNEL32.dll
kF2QK^
Kh#)7L
?kJ;AA J
kKmI]8
k;M$}R
KN|rpr
>kQdj&
<k}qE|[
KQwG7o
	-<kT3[
kY"Sc"6
}L1;pma:o
 ,L:4M
L<*7=[
l82e;Pa
^<l!}8kg,
Lb:lV++
LBR%%\O
l;Cg7i
_lclose
>LDICt
l.!eM4
lfGkMR
Lg?@9~V
LICENSE
LISTv$
_llseek
L>N*zD
LoadLibraryA
LoadLibraryExA
LoadResource
LoadStringA
LoadString() Error.  Could not load string resource.
LocalAlloc
LocalFileTimeToFileTime
LocalFree
LockResource
LookupPrivilegeValueA
_lopen
`&lP5F?
lQ3d^n
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
l/,U/CU
lyl1<ce
lyyxHq
m/1ami
M3qy<J
#M4r@C"
M4z4U+
'M=~)C3a
M\>e.'
"?MeBJto
*MEMCAB
MessageBeep
MessageBoxA
me;Te2
&MFc~`
MIM"nO
M!ip1x3
*}Mjn6
-M)`lM2
M(LP&:
} M_o'
m+o@B7
movi00dc(
mP?u] Zay
M_'Q~Z-
m=r=j=i=h=p=q=
\M/()s
msdownld.tmp
MsgWaitForMultipleObjects
ms(ZCv
MulDiv
.mvL~ iD
mVvNdHJ
M_XdY=#
"'n%("\
n1jc)x1
n7H6dP
.~#n9M
n^9W;@
?`/N"c
n|EmuleSpread|FrostSpread|LimeWireSpreadKBSFe8564tysdgsd89r6456e4hye2^Y
]$)@nm
nmj/ub
nMq[R$
<None>
NO`'NV
Nr;,0t
NRt].@
nr&:vc
NTDLL.DLL
N{Ts<L
N+{!VNgz
nVo>aG
-nV- tUu
!/NXs=
n$^y:h
NYOflAI
n+]y vj
$Ny~Wa
Nza,?#
O3nxQ'j
}o$4,jw
<@O8D}
*o9TKj
	O?BwJ6n
<OEFM6l
o@FEk9Q<
O<-J(8
:okZmA<iC
oL6ep9XB
on*Vvu
OpenProcessToken
#.'*OR
:o/SxI
o({t`$3
\oT71R
<%othqAixg3U
+o:u1V
oUCv3?I
O_w)AK/
OWPd(:
OW[RLz
oWWWW3
.*p>=_
p1fMH7*G
P5pE!Iv(DC
p6Y3$i
p9F3Oi
,+P 9)YI
PACKINSTSPACE
p]b[@M
P;"dA~
p:Dw;g
Pe)BIP
PeekMessageA
PendingFileRenameOperations
pg2WBaC
.pH;bU
p&`IRx\
pI$Y1D]
Pj@Phq
P	n`4"|
>PNtErI
POSTRUNPROGRAM
P_pjOB
PQVVj VVVSV
#%:,PR
PSSSSSSh 
PvhUMI
PVVVVVV
+Py{(*
_Pz_J9#
:^q+=0
/Q2{()
Q2!b8&
Q<4I'P
q6c$Q)
Q{7E}+D~
q7X'/t
\q?-8sV
Qb/xf4z
qdZoqj*
q@F$u(>
qHxrJA
QKgt,RI
qLSFy>AV
qMudE$r
-qN/=	u\
Q)`-)o
Q]$Rkd
Q-rtCd
QueryPerformanceCounter
~qu#@O
=Qv_+o
QyZ6z-z0
%qZfU_
"@r0"'fh
r20t~o
R2UbOZ
RC\/Gj
ReadFile
Reboot
REBOOT
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegServer
RegSetValueExA
ReleaseDC
RemoveDirectoryA
ResetEvent
rF%XT3j
rGF1'1
{ri30_
;R%i_v
 RlUW<
Rm+@0V|
\R#O_gN
`rpbGh
RS8N<h
rS:Kb:
r<Sm`Z
r^UC{n-
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
rundll32.exe %s,InstallHinfSection %s 128 %s
RUNPROGRAM
!Rz=S8
}s1jXwpei
{S3`hG:;
^-S5Dd
s#ba#z
%s /D:%s
SendDlgItemMessageA
SendMessageA
SeShutdownPrivilege
SetCurrentDirectoryA
SetDlgItemTextA
SetEvent
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetUnhandledExceptionFilter
setupapi.dll
setupx.dll
SetWindowLongA
SetWindowPos
SetWindowTextA
S&fCWE
SHBrowseForFolder
SHELL32.DLL
SHGetPathFromIDList
SHGetSpecialFolderLocation
*SHh3i
ShowWindow
SHOWWINDOW
SizeofResource
Software\Microsoft\Windows\CurrentVersion\App Paths
Software\Microsoft\Windows\CurrentVersion\RunOnce
Soxm1s
s^o':Z
sRH6y`
sTOEpHa
strlstrh8
.Sue8K
-@sv5i
sve8"D
SvUIY3
SVU]~x
SxIBeD
System\CurrentControlSet\Control\Session Manager
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
S"]<Zq
?/ T#0
[t5=hF
t6SWWW
=T['7)
t8WWhW=
t'9l"Nm%
!T	b,!
tBHt-Ht Ht
TD=.:L
tdvvN`!
T-D W#
tE`N\K V
TerminateProcess
TerminateThread
(t,F!w
TgHa%h
T*H#/=
!This program cannot be run in DOS mode.
< ti<	te<
+TJFN(md
TJR^a(
T$\"	m5
TM9CGG	
TMP4351$.TMP
	TN<1m
'(%*TO(v
TP0[fU
tPZq@s<&h
>t%/Sq\
t>U~DX
tU}mrw
t$W93t
t%`wI4
,u1SnL
/u4D9O
U9tOSgC6
!Uah]a
`_^}Ud
uEq:[q
u$f9=d
(Ug4t)
Uh/vbVc
UI.u=s{
.}Ujo*p
@U	Le0
)Ul%)"~L
 UlYTyC
UnhandledExceptionFilter
UPDFILE%lu
UPROMPT
u#P_%y
]ura1BI
USER32.dll
u)s{I!
USRQCMD
>\u	<\u
~uvOf\
u'VVVV
@u!x<}n
u,y<"'F
V1%8D#
	V/6?=>K
Vc<>"n
`VeAI~
VERCHECK
VerQueryValueA
Version
VERSION.dll
@V*G*_
	V{Gdo
=&%Vh)
vho'=s	
vidsRLE 
vJ]#g_
`vL@?Z
#;&v}mf
VNR.X{
vnw{\m)
Voq=5a7
\VphT+
v*r L	
VTFo`!
	'V.tX
v,_W`J
<VZiH'
vzk<dm
W6VQ]k
WaitForSingleObject
,WDc8_
W{D|{Z
WEXTRACT
wextract_cleanup%d
wextract.pdb
W.ftue7@e
wG\Rb@[,f+
WI~7dI(*
wininit.ini
WJf97~_Jp:wvz
wkD@>EwV
w\L=j"n
,wm:$)
`W!{MJ
WriteFile
WritePrivateProfileStringA
wsprintfA
w!"sxe
=@W%t'
w|u)cD
wvY/)I
WW3C8\
-W_z5V
:wz?Vm
X	0{Lp
x:>0Um
x3V_Am
:x5~s-|
X(8N4a
]XA>ll
$XdnWi,
?X_fqI4:
xFwKkw]q
<x:}G;
?!xH4W
x,iE6l
XJGXuC
xmcM+g
\xN9!u=
XNS0"N
XOw9Uw9
/(X^POns
xR*|:6
!XS(/+
x.#+(t[
>(X+wg
[	^Y,,
Y1b8-u
y7h):O
&y&8O+
Y9fGyIi
yA?nAo@c
Yc\ia[*
YDP|8< 
'y=I]%
yjasCg
YjVZ(]jhI
_Yr -.
!:{yRP*-
YV[ptBgs
yx@&8?m
yy3>Rw
YYt79^(t@
YYuhSj
z_*=;*
}z[5daS
z6{7E.v
ZcA|#w
ZDHod(b
Zdi"Zy|d:
Z]"f}=
`z\FF~
zkhfqwmh{6ul
z|K`Q 
"z)L=`
$ Z@\R
Z=vd=BP@
ZWyjO,
zY,Dvf: