Analysis Date: 2014-11-15 04:01:38
MD5: 08ab0fbea9aa30ffe7ac67bb52c8d14f
SHA1: 175279ef5b4e6563b6319af1460a10881b652dc3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: a6199c3211ad6b379695057846114921 sha1: 13a2df6d7ebf24e2bbf9c88e6a0b1605fe20b83b size: 12288
Section: .rdata md5: 12933bf774ed4bab5188cc43b538b82b sha1: 5afae767d8dbe04eef2c5f8c657b614e24411a28 size: 4096
Section: .data md5: 3ed569458cc3aa7a48c2847841df3cde sha1: 2c6d82e0cb114d728046a645a1f2c75e6429f152 size: 4096
Section: .rsrc md5: cad4084d1a1640677199e5351b7c2f78 sha1: 51a277dd4dbc8c5c2b15fa9e32cf0f51d7805679 size: 385024
Timestamp: 2010-02-12 18:45:10
PEhash: ee2a9f4e7308f591536dce3f343ab72192bf49c0
IMPhash: ca24d4e19e6835b8470fcd3223329599
AV [360 Safe]: Gen:Trojan.Heur.zqX@y5C8B2ab
AV [Ad-Aware]: Gen:Trojan.Heur.zqX@y5C8B2ab
AV [Alwil (avast)]: Malware-gen:Win32:Malware-gen
AV [Arcabit (arcavir)]: no_virus
AV [Authentium]: W32/Heuristic-210!Eldorado
AV [Avira (antivir)]: TR/Crypt.CFI.Gen
AV [BullGuard]: Gen:Trojan.Heur.zqX@y5C8B2ab
AV [CA (E-Trust Ino)]: Win32/Oflwr.A!crypt
AV [CAT (quickheal)]: TrojanDropper.Droj.r4
AV [ClamAV]: Suspect.Trojan.Generic.FD-4
AV [Dr. Web]: Trojan.Siggen4.23846
AV [Emsisoft]: Gen:Trojan.Heur.zqX@y5C8B2ab
AV [Eset (nod32)]: Win32/Agent.UJM
AV [Fortinet]: W32/Droj.B!tr
AV [Frisk (f-prot)]: no_virus
AV [F-Secure]: Gen:Trojan.Heur.zqX@y5C8B2ab
AV [Grisoft (avg)]: Dropper.Generic6.AOWF
AV [Ikarus]: Backdoor.Win32.FlyAgent
AV [K7]: Backdoor ( 04c504571 )
AV [Kaspersky]: Trojan-Dropper.Win32.Droj.b
AV [MalwareBytes]: Trojan.Agent.PCI
AV [Mcafee]: RDN/Generic.dx!dg3
AV [Microsoft Security Essentials]: Trojan:Win32/Sisproc!gmb
AV [MicroWorld (escan)]: Gen:Trojan.Heur.zqX@y5C8B2ab
AV [Norman]: Gen:Trojan.Heur.zqX@y5C8B2ab
AV [Rising]: Trojan.Win32.Generic.11F1ABB1
AV [Sophos]: Mal/EncPk-BA
AV [Symantec]: Trojan.Gen
AV [Trend Micro]: Cryp_MEW-11
AV [VirusBlokAda (vba32)]: Trojan.Genome.ag

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\malware.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\subfile.jpg
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\\malware.exe
Creates Process: cmd.exe /c start C:\Documents and Settings\Administrator\Local Settings\Temp\subfile.jpg

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\subfile.jpg

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\subfile.jpg
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\subfile.jpg

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\APP Paths\CMD.exe\ ➝
C:\WINDOWS\system32\CMD.bat\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AA7BE134-9ACE-2457-ABD0-3AE14579BDE1}\StubPath ➝
C:\WINDOWS\system32\conme.vbs\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\APP Paths\Regedit.exe\ ➝
C:\WINDOWS\system32\Regedit.bat\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings\JITDebug ➝
NULL
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\APP Paths\msconfig.exe\ ➝
C:\WINDOWS\system32\msconfig.bat\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon\LeakShowed ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\APP Paths\Taskmgr.exe\ ➝
C:\WINDOWS\system32\Taskmgr.bat\\x00
Creates File: C:\WINDOWS\system32\Taskmgr.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\WINDOWS\system32\msconfig.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wghai[2].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\WINDOWS\system32\conme.vbs
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: c:\breg.dll
Creates File: C:\WINDOWS\system32\wings.bak
Creates File: C:\WINDOWS\system32\Txplatfrom.exe
Creates File: C:\WINDOWS\system32\CMD.bat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\Regedit.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wghai[1].htm
Creates Process: C:\WINDOWS\system32\Txplatfrom.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.zwscl.com.cn
Winsock DNS: www.wghai.com

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\subfile.jpg

Process
↳ C:\WINDOWS\system32\Txplatfrom.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\APP Paths\CMD.exe\ ➝
C:\WINDOWS\system32\CMD.bat\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\APP Paths\Regedit.exe\ ➝
C:\WINDOWS\system32\Regedit.bat\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AA7BE134-9ACE-2457-ABD0-3AE14579BDE1}\StubPath ➝
C:\WINDOWS\system32\conme.vbs\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\APP Paths\msconfig.exe\ ➝
C:\WINDOWS\system32\msconfig.bat\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\APP Paths\Taskmgr.exe\ ➝
C:\WINDOWS\system32\Taskmgr.bat\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon\LeakShowed ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\system32\Taskmgr.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\WINDOWS\system32\msconfig.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\WINDOWS\system32\conme.vbs
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wghai[1].htm
Creates File: C:\WINDOWS\system32\CMD.bat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\Regedit.bat
Winsock DNS: www.zwscl.com.cn
Winsock DNS: www.wghai.com

Network Details:

DNS: www.for-ever.cn
Type: A
208.73.211.245
DNS: www.for-ever.cn
Type: A
208.73.211.245
DNS: www.zwscl.com.cn
Type: A
DNS: www.wghai.com
Type: A
HTTP GET: http://www.wghai.com/?fromuid=2787477
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP GET: http://www.wghai.com/?fromuid=2787477
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1032 ➝ 208.73.211.245:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.245:80

Raw Pcap
0x00000000 (00000)   47455420 2f3f6672 6f6d7569 643d3237   GET /?fromuid=27
0x00000010 (00016)   38373437 37204854 54502f31 2e310d0a   87477 HTTP/1.1..
0x00000020 (00032)   41636365 70743a20 696d6167 652f6769   Accept: image/gi
0x00000030 (00048)   662c2069 6d616765 2f782d78 6269746d   f, image/x-xbitm
0x00000040 (00064)   61702c20 696d6167 652f6a70 65672c20   ap, image/jpeg, 
0x00000050 (00080)   696d6167 652f706a 7065672c 20617070   image/pjpeg, app
0x00000060 (00096)   6c696361 74696f6e 2f782d73 686f636b   lication/x-shock
0x00000070 (00112)   77617665 2d666c61 73682c20 6170706c   wave-flash, appl
0x00000080 (00128)   69636174 696f6e2f 766e642e 6d732d65   ication/vnd.ms-e
0x00000090 (00144)   7863656c 2c206170 706c6963 6174696f   xcel, applicatio
0x000000a0 (00160)   6e2f766e 642e6d73 2d706f77 6572706f   n/vnd.ms-powerpo
0x000000b0 (00176)   696e742c 20617070 6c696361 74696f6e   int, application
0x000000c0 (00192)   2f6d7377 6f72642c 202a2f2a 0d0a5265   /msword, */*..Re
0x000000d0 (00208)   66657265 723a2068 7474703a 2f2f7777   ferer: http://ww
0x000000e0 (00224)   772e7767 6861692e 636f6d2f 3f66726f   w.wghai.com/?fro
0x000000f0 (00240)   6d756964 3d323738 37343737 0d0a4163   muid=2787477..Ac
0x00000100 (00256)   63657074 2d4c616e 67756167 653a207a   cept-Language: z
0x00000110 (00272)   682d636e 0d0a5573 65722d41 67656e74   h-cn..User-Agent
0x00000120 (00288)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000130 (00304)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000140 (00320)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000150 (00336)   352e3029 0d0a486f 73743a20 7777772e   5.0)..Host: www.
0x00000160 (00352)   77676861 692e636f 6d0d0a43 61636865   wghai.com..Cache
0x00000170 (00368)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x00000180 (00384)   68650d0a 0d0a                         he....

0x00000000 (00000)   47455420 2f3f6672 6f6d7569 643d3237   GET /?fromuid=27
0x00000010 (00016)   38373437 37204854 54502f31 2e310d0a   87477 HTTP/1.1..
0x00000020 (00032)   41636365 70743a20 696d6167 652f6769   Accept: image/gi
0x00000030 (00048)   662c2069 6d616765 2f782d78 6269746d   f, image/x-xbitm
0x00000040 (00064)   61702c20 696d6167 652f6a70 65672c20   ap, image/jpeg, 
0x00000050 (00080)   696d6167 652f706a 7065672c 20617070   image/pjpeg, app
0x00000060 (00096)   6c696361 74696f6e 2f782d73 686f636b   lication/x-shock
0x00000070 (00112)   77617665 2d666c61 73682c20 6170706c   wave-flash, appl
0x00000080 (00128)   69636174 696f6e2f 766e642e 6d732d65   ication/vnd.ms-e
0x00000090 (00144)   7863656c 2c206170 706c6963 6174696f   xcel, applicatio
0x000000a0 (00160)   6e2f766e 642e6d73 2d706f77 6572706f   n/vnd.ms-powerpo
0x000000b0 (00176)   696e742c 20617070 6c696361 74696f6e   int, application
0x000000c0 (00192)   2f6d7377 6f72642c 202a2f2a 0d0a5265   /msword, */*..Re
0x000000d0 (00208)   66657265 723a2068 7474703a 2f2f7777   ferer: http://ww
0x000000e0 (00224)   772e7767 6861692e 636f6d2f 3f66726f   w.wghai.com/?fro
0x000000f0 (00240)   6d756964 3d323738 37343737 0d0a4163   muid=2787477..Ac
0x00000100 (00256)   63657074 2d4c616e 67756167 653a207a   cept-Language: z
0x00000110 (00272)   682d636e 0d0a5573 65722d41 67656e74   h-cn..User-Agent
0x00000120 (00288)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000130 (00304)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000140 (00320)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000150 (00336)   352e3029 0d0a486f 73743a20 7777772e   5.0)..Host: www.
0x00000160 (00352)   77676861 692e636f 6d0d0a43 61636865   wghai.com..Cache
0x00000170 (00368)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x00000180 (00384)   68650d0a 0d0a                         he....


Strings
..
.
DEFAULT_ICON
MYEXE1
MYEXE2(
TEXTINCLUDE
  ""++
"! $! $! $! $! $! $! $! $ 
$! !  !"
$! $! #! $! $
$! %#"%! $ 
$[|: <
#! $! $ 
#! $! $! $
#! $! $! $ 
#! $! $! $! $! $! $! $ 
#! $! $! $! $! $! $! $! $! $! $! $! $! $! $! $! $! $ 
#! $#"&! $! $! #! $! $ 
=]0%=2dEE+$
`~?0-b
0cZ#C<
>0e[~O
!#0e(X
?0kzmZ
0"+OUC
0r2p{U
0}r]PK9r
!	0v~>q5
0z?g#3
/0Z*nq
104659POS#"&KJNLKO! $TSV215215_^a0/2LKM
:12Fk<
13sa)9
19wV,g
1\G _,
1$gh pEO
1i3!8g?]Bl
/+&\>2@<
%2*>:}
2\=%3I
?&26<b
2 9yuh
2BcDV}bw
2e2lP(
"<2=Fh
?2@`>G
"2m&2Cc
2o.}='
2_/>su
	2UA;h4
>2'VEX<R*
:+2'x2v
2xY8_`!\
31hHl+~|(
35hxUN
[3"+7$
3<#7$R<
3$9?301
.&3cdF
3dIn$-+
/3%$/dn
}3f}Z`
=3G4/neq
3Krc%rT[
.3R:(M
3!V`o0
`3w2]=
3}xl7Ne
??3@YAXPAX@Z
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
4?7,iu
4-)cv/
%-~4fH
4gUwD\
'4h'4h
4JaqY)
4jw\Q:
4{]LWE
{4ogm8
4""&>P`	
4|P!Zp
<~4QZ=
4Sas,$}
 "$5:3
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
570l["
5c\2fF&
{5D3%3\!
5He<J0
5? K7k
<"5oD:U
5p6C+Z
""5p%I
5r\dn-W+
5\T_M?
5VPx?RC
`6_0EP
61hXC(
\6!bRx
6$H.Ow
6|J=K8_/Z
6Q70mN
6(R m3
6RQ\cWz
/6z1$o
#[6:ZI
7{}7.u
78wNA8
 "7AhL
7aVUu!
""7~b;
,7Gjux
7Ju`az
7NQ+Tgq
"@7!nX$qX$pW#pW#qX$pX$oX#pX$pX$pX#oX#pX#pX#qW$rX#0-" 
7$pO<b
{7ZqgC
8b2ZZ5
8>d"*v
8,h;@h
8L<)Ch
?8SZ#6^'$
8Tbt?J
92nPyk
&93F"$U
|\9+"|{A
9bsN	jt
=9?C^mg
_9EFy2
}9kA[i[
9`^Kix
9KruQ=
;\9lMj>
*9U*9U0X
*9U,KpEw
>9W(Y}
9Z']#]?
=9"(zq
?[A_26
A8<yr$
#_^a_^a 
A]CX8H
aDcB)+1
AE84RjV7
aPLn5;
Aqk,7*
@A !qUo{
aT'`{!
a'`U=9
	'auJEn{
AvnFg`
bc?<p' rq
b,g*G$
bJ5#s 
BJ(6[@
!#++,bL<
bq<KV	
B,$s+x
/bTZkv
| ^'&bw
b;WA2|
B~YO$(Iws
[:!BYT_
C'=]<*+\
C4A0`J/
c+6X*=
C<89D 
CallWindowProcA
CBD0020/30/20/30/30/30/30/30/30/20/30/30/20/20/20/20/30/30/20/20/30/30/30/30/30/2A@C
CC.$I>
**{:CDY
"	c#=G
<ChgF}
C<jOk &\
ck5x/a9
ckWHvNr
CloseHandle
CLSIDqg3
cmd.exe /c 
CmM~(?!
command.com /c 
CoR0zW
co{v%x
CqAJ	|
,~~CqHb
C"R?'?
CreateFileA
CreatePipe
CreateProcessA
Ct\6+x
C,W@t!S
cw	WU^km
=CXcMe
-cY$2!b
$c$zUdA0
cz#Xn.Q
+(./{d
d=2#jE
d|352F
+D<&#6
d8e=Gj
d.~&9*
@.data
d(E0.2
dE;6}n
;-$DGY
<>DIim
DispatchMessageA
dk-jtF
d<lFKrC
d\mOF$
do1^7A
 *DOp^
"^DpLL
dR6av<+
~d>:<	sgo(
d,V>F.
dXJIVs
E>0	{%
E7-a/w
E9	oXy
EAUTMq
]>ed8T
{ED}t2
EDuU0pwHI
EeN;6`F
\Ee\,sC7
eG}g98
^ell0T
e<n2Uf
(!eNU=H>
eQ]Piy
e=RPGy
ESAcGyam
e$SI@"c
Et~nPG
eu>'@$;
 !!/e+W
ExitProcess
E|=$>Z
e# z}j%
<F08Rq
;f_)2 
$"+F$3g!1_!#8
f3iOv[t
^_>F"b
 fc5=Lnl
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
FG2/$v5
f#<Hv<
FindResourceA
fJ)xmDz[x~e_
;F[#=k
FKZT_Q
!FL!\P
^=FMt$q
FN\];Y
f&#-NYZq5
f-P[|_
fpF:vL[
FPM9r,q
f]{Q`n
F[sO	bb
fsv_S|-
Fvl'k_o
.fx46w
+_fXSi
  /f(Y
(G2lp1
G;%B,h
&#g`D[
GDupli
GetCommandLineA
GetEnvironmentVariableA
GetExitCodeProcess
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetVersionExA
$).geVS
GFHGGIHGIHGJHGJHGJHGJHGJHGJHGJHGKHGJHGJGFJHGJGFJGFJHGKGFJHGKHGJHGJGFJHGJHGJHGJHGJHGKHGKHGKHGJFEF 
gH>ETF
g,*@Jw
	`g_+nf
g++pfT\
gpMr+[
@(g_R1
G)tV'=AC
gw@mR%
Gxj:]:
<h	/>{(
H\%0xL7
h1;FrTs^*
h7e"bpH`GO
H}97Ow:
	*Ha	U
|)hCzb
hdr>5O
HeapAlloc
HeapFree
HeapReAlloc
,[(Hg*
#]hH()Lq
.HJv"f
\>'H)k
H[^kFg
hkN>zu
h~!>|o0j
>H}OnT
h+P3^^
HSlO$g)f
h)	sO4
HU_"+;
"*.;<I
-.#I%2
%!i3|A
I8.+GU4e
I8oXHHs
i8Y@Ux
,i-b-f*
idR$):H
i:eIl2
IerE/B7
ifrzp^8
IhEY@S
I-H:GX
I"\id	
IiQ9bo
?i;-k\
I]@/L'
?i)l\XL
\IR5KW
I=sB}2Co
IsBadReadPtr
iV&(",
iv`3V:
iWYQ#r
IXjq^k`49
^_iz.0
j1""J%
j2Jm$Y_
j5Ys<w
+j6S7W
\J8yVm
jdgpC*
jd]jd"
~ J}%F$
jF;2G5
J,;:gD_
J?H8&%N
JIyRH,
jJ.J$G:
=}JN	A
J>Pwn9/1k
j{p'z\
^jRB!c
JTa$#i
[Jt_]No
{JtTom
jvz2>g
JZGts#
,~K,^'
(K0%PX7
k:1~c&
	?K1.[m
k4c"E0
K9~YU<
kaU}qm
{Kaw{y
-KAZ#k
kCJU'	s
K)c!lR
KERN0L32.8dl
kernel32
kernel32.dll
KERNEL32.dll
keW"t#zV
kh"'&@
k].meZY
;kmVT7
KoUu4v
K#:Trg:
ktsn"P
KubdYA
Kum"h4
kV~^ht
K~_vIKi
K-}W2y
!|~")L .
[L5{-V8
	l!~5Z2,
<LDo7(
L.DRVT
LE.q3n7\
lknONP
:LLKnM
=L{n~d#
LoadLibraryA
LoadResource
LockResource
LpSD~y-
l-! Qa
lstrcpyn
L):t25
l_u_6CP
l!U$;I
luZ2i9-
&LVR;&zn
Lv>{(xm
"&Lw*u
{lXkwLf
ly!&wp
*M2}/^
)m2[+F
	m4ZSA
M5i3D=*
	m:5rB
^M88E%
m? D%g:
m d,O'
me\MIZ
memmove
MessageBoxA
,MFfIg
?,Mf}o/ig
m~("fQ{
M!JfwM
mk4}6]O
m\k?V"
#/ML:=
MlU(zG
#mm/1J
|MogOCX')slf
Mpd[?&
mQ'n=F
M'R79S
MSVCRT.dll
MuCtiBy
mVZ	6O!
`{.mX!
MYEXE1
MYEXE2
}mYPI6
!}MY[#q7
N;:0dW
%n2piG
>-n^2v
N4v%>T
;n8g'mv
N\8q*5
n"9hOD
NA&M~;
nAOfFi
n*B5_![Ns
) nC$*
NI)@D%
-NiexY
NN}Op%PlM
N*NZgk 
\Nq;ExO
nq{g0IC
[`Nv\C0
_&nvEA[&
&nv`^"rK
{nyb2[{
O2qx8fH
+o3Y]s&!
!o6>k!
)o\9x4
oae2Hq
<O%~BOZ
=oe%Y0
Oi@^p?
O["M3F
O#\ma >
oM?"U*}
oOlp4ti
o{o#+N
o&}P(H
+ORm D
oT ?(`
]O?\Wd~
OX&AqdL
O<xocd
P9^l:C'
$P9,sH&y
')+?pA
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGwingbywings_jpg   
PBtWI(^
P	DOaP
PeekMessageA
PeekNamedPipe
P}Ex-k
pFF!32
PF`IV:
P)Ig )
Pk~5l|
$pM2X8
pN''3	X
P;o^91
P.<Qqe
program internal error number is %d. (0x%Xh)
p&S?2?
P\s~IY
pT<>&,
*. PUYI
  (PV5
%:PW6=C
=pY[JL
P&&Z 2
p'Z]*Z
(q-{=>~-\_
q:#1[_X	
q_;=5G
QA,S0o
^Q`.Df
qdo}xEk
)q(d$T&
'~q^}E
QEg)>d
qGngv>X
qI};#V
"_Ql	}
Q&N`J4!l
}>qo#Z
qps#"&[Z\/.2$#'ZY[/.30/3_^aYX[.-1
QRK}I9
q~=si3
qU0-et
QV9S$kT
 QV!Ta
QW%*?J
/QXvqo
QY8,B<
(qZFy'
,%Qzi<M
r3|U96
`.rdata
rD'#n&
ReadFile
rIn$)r
r	i*TR
.(rjm1
@R?L?O
Rm_JAu
rNi_tWL?
RPWWWj
r>si	>
RsX8Mw
s(3, #
S4^~-8$
/s5dcU8
s6k7p@
s(agNo
/sauk}
sbx?9|/
Sf>d*NBQ
SfWS:R
Sfxgp8<	*
{+sg@b
S$Gnwpg
shg$"Z
)shqwY
SizeofResource
-S}*jz
^S	Kdx
sk'+<M
@s|LK6
S LttW
S_n-5 Z
SP>E5(
Sp)z?Y
start 
strncmp
strncpy
_strnicmp
Sub3I2
\subfile.jpg
subfile.jpg
sU,'?bS
S[uipD
)\/Sux
S@XVch
^}s^y%<Fv
sY+s1P
s*zF .,a7
T/2mfg
t3eC p$A@
\t4zR|
t5LV[s
t'9|$pt
_T,ak3K*U
tf~:-Mu
T)hC6p1]~
!This program cannot be run in DOS mode.
ti1XTg
tmqPag
Tn5Qxvch
TNp>e|e
##.T(P
TranslateMessage
t-r=CM
tsvRQS
*TTh+G
Tvt/CAStf
%tyjgo<
*TY,zzL~
&tz"7=
tZ[A8T
U^0Y22"
u3`+Ns4
$:U'B|
-Ue#E8N
Ue}JI:
U>EN8g
U\e_S_9
U?I,P"
u+IW+5
uj%_2'e+
UKycrL
+un\ID/6
u%{=Oce
u }qmt
u%)RKrXo
USER32.dll
]Us]]r
{Uuy-."
\$,UVW
UXD,e!
{Uz1#/y
'~(v+(
v41]4?
"V*4E\0
+]V4pY
'V;	`6E
~v7bED
v9G_+	
v9jcj%~_
}V9sS	EL
VcBN{TP
|Vg| 5%Wc<
VHJD6_
v'"I;dn
V;Lyy=
#^|VSW
V;Ti-"
[(VV'-n}<
VwsC<f
vxC1:)
| ?VXW
;w<3+,u7
W+3|#z>
WaitForSingleObject
\W'a>p
 WCPo2jnFF
WhD7:>
!!&-!W[&hl$PU!"( 
w/{K]ly
wk?O*t
[Wl$RP
'wmH2e
%'|WnhY
wop}wl[!q
[>WPb9
wp}E @
@@WP"llX
wQ15Hy8&
_wQJ)xn
WriteFile
WS2R_{
ws{'dwI;
wsprintfA
]w,Voq
wxs~i\
[wzYhPe
@x=$++
>=,}/X
}X6Q)f
XA-OT|
$xB1T'^
xcHR"{M:
XEc@LG
XhDem\.
x/h`G&
]x_Lfk[Wa
X[mMa*_
,("XR)
	XRfi5#v
xsJPxy
XtuU>JF
xupJb}
x	utje
X@(va!
XxjI&o
}=[	y$#
/Y%;^?
Y&0G?P
Y0RVY{
^$Y2U$
Y3l#H_C
y=3XK7
y5IY/E
Y81;3*
YagU&p
yca;6bx
YCUZ0I
Y	(Eps
)Yh*fg
&yh" T%<
|Yj-|C
yjf}G~B
yjLTF4=
YKG-e=0
YKNf~0
YMJKSxN)^'
+yNsC[
yO9e$ns:U
;yq>LMLA0U
;yRNF[U4
y")-s%9
yS!w@=
Yv\iWF
Y+V`SC$LC/El
#YW3"G
Yw]Ie0
?"yX( 
#YX[104GFJedg! #SRU?>B#"%ihl@?B98<RQUEDG547TSV[Z]('*sru;:>)(,rru98<769ZY]YX[A@C
yz<DN(
Z=D Uy
Zg+W6_
%%ZJiG
%z k$wlFd
Z[m:/6h
ZoO(Ny
<,+	ZrI
Zs+;&_@|+
z]SPxmt
"Zs=;Y
z%TG!3+!$#"'%"90$pX!
#zTO:t
#zu'I+$\
{zv)zy
<ZWl[X
Z";Z0%ajJ
zZkN>io