Analysis Date: 2014-12-21 18:58:53
MD5: 19053a15bf986a490e95bd5e21ec054c
SHA1: ff63e3bc7b8459692afe0583fc7fc0832013d976

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 984dfeff737935f78877d3d08b82ef95 sha1: d37c898578b52c62ca8c93757e64b07939999701 size: 72192
Section: .rdata md5: 0fb0a72395723950e1915d6bf373f506 sha1: 904ad0342509a0b37abfcefd6606a12adbdc7707 size: 7680
Section: .data md5: 11ffdfc240c81dfe9d957f6bf1761f00 sha1: f0f691437eb067b4de686e8b7225b8e4127cb275 size: 512
Section: .CRT md5: a5ba361df79e0a565f00bd42dc501625 sha1: a91ea47a0eb05af400245bce0fd66b2bec2b6335 size: 512
Section: .rsrc md5: e8361b30ce89bbcbd20f5259ba0d1651 sha1: 6ea54f703afa0764129aa77b5225fb9c5a51920a size: 14336
Timestamp: 2011-05-28 16:04:29
Pdb path: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
PEhash: 1cf04187c6dae87696573dfe9bf930be7ddaf01c
IMPhash: dbb1eb5c3476069287a73206929932fd
AV: 360 Safe: no_virus
AV: Ad-Aware: Trojan.Generic.7489813
AV: Alwil (avast): Diltacs [Trj]
AV: Arcabit (arcavir): Trojan.Generic.7489813
AV: Authentium: W32/VBTrojan.Downloader.1D!Maxi
AV: Avira (antivir): no_virus
AV: BullGuard: Trojan.Generic.7489813
AV: CA (E-Trust Ino): no_virus
AV: CAT (quickheal): no_virus
AV: ClamAV: Win.Trojan.Agent-196343
AV: Dr. Web: Trojan.Click2.9131
AV: Emsisoft: Trojan.Generic.7489813
AV: Eset (nod32): no_virus
AV: Fortinet: W32/AGENT.VRZ!tr
AV: Frisk (f-prot): W32/VBTrojan.Downloader.1D!Maxi
AV: F-Secure: no_virus
AV: Grisoft (avg): Clicker.AVOC
AV: Ikarus: Trojan.Win32.Spy
AV: K7: Trojan ( 0042c8971 )
AV: Kaspersky: Trojan-Clicker.Win32.Agent.aaua
AV: MalwareBytes: Trojan.Danginex
AV: Mcafee: no_virus
AV: Microsoft Security Essentials: Trojan:Win32/Danginex
AV: MicroWorld (escan): Trojan.Generic.7489813[ZP]
AV: Rising: no_virus
AV: Sophos: no_virus
AV: Symantec: no_virus
AV: Trend Micro: TROJ_PSEUDOSI.BY
AV: VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\WinRAR SFX\C%%Program Files ➝ C:\Program Files\\x00
Creates File: web7b_1224\y.exe
Creates File: web7b_1224\lags.exe
Creates File: __tmp_rar_sfx_access_check_75234
Creates File: web7b_1224\web7b.ini
Creates File: web7b_1224
Deletes File: __tmp_rar_sfx_access_check_75234
Creates Process: C:\Program Files\web7b_1224\y.exe

Process
↳ C:\Program Files\web7b_1224\lags.exe

Creates File: PIPE\ROUTER
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Program Files\web7b_1224\web7b.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Program Files\7b
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Starts Service: RASMAN

Process
↳ C:\Program Files\web7b_1224\y.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\custsat ➝ C:\Program Files\web7b_1224\lags.exe
Creates Process: C:\Program Files\web7b_1224\lags.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\wkssvc
Creates File: WANARP
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates Mutex: Global\RAS_MO_01
Creates Mutex: RAS_MO_02

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1848

Process
↳ Pid 1144

Network Details:

DNS: dnspod-free.mydnspod.net
Type: A
119.28.48.228
DNS: www.web7b.cn
Type: A
HTTP GET: http://www.web7b.cn/banben.asp?banben=2.2.9.8
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP POST: http://www.web7b.cn/soft/login0.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 119.28.48.228:80
Flows TCP: 192.168.1.1:1032 ➝ 119.28.48.228:80

Strings