Analysis Date: 2014-11-09 05:03:45
MD5: 3177fbdad01d5080e193f9dd115c9651
SHA1: d17463bcaf99b856451ebdf0163c813ff9b95e5c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: a6199c3211ad6b379695057846114921 sha1: 13a2df6d7ebf24e2bbf9c88e6a0b1605fe20b83b size: 12288
Section: .rdata md5: 12933bf774ed4bab5188cc43b538b82b sha1: 5afae767d8dbe04eef2c5f8c657b614e24411a28 size: 4096
Section: .data md5: 3ed569458cc3aa7a48c2847841df3cde sha1: 2c6d82e0cb114d728046a645a1f2c75e6429f152 size: 4096
Section: .rsrc md5: 8cc58412910c0020bb14f7e1d812b489 sha1: 76311e7f23428312ce99e3f9e7d01516b1c1f2fc size: 385024
Timestamp: 2010-02-12 18:45:10
PEhash: ee2a9f4e7308f591536dce3f343ab72192bf49c0
IMPhash: ca24d4e19e6835b8470fcd3223329599
AV 360 Safe: Gen:Trojan.Heur.zqX@yHC7mccb
AV Ad-Aware: Gen:Trojan.Heur.zqX@yHC7mccb
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Heuristic-210!Eldorado
AV Avira (antivir): TR/Crypt.CFI.Gen
AV BullGuard: Gen:Trojan.Heur.zqX@yHC7mccb
AV CA (E-Trust Ino): Win32/Oflwr.A!crypt
AV CAT (quickheal): no_virus
AV ClamAV: Suspect.Trojan.Generic.FD-4
AV Dr. Web: Trojan.Siggen4.23846
AV Emsisoft: Gen:Trojan.Heur.zqX@yHC7mccb
AV Eset (nod32): Win32/Agent.UJM
AV Fortinet: W32/Pasta.JZ!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Trojan.Heur.zqX@yHC7mccb
AV Grisoft (avg): Dropper.Generic6.AOWF
AV Ikarus: Backdoor.Win32.FlyAgent
AV K7: Backdoor ( 04c504571 )
AV Kaspersky: Trojan-Dropper.Win32.Droj.b
AV MalwareBytes: Trojan.Agent.PCI
AV Mcafee: RDN/Generic.dx!dg3
AV Microsoft Security Essentials: Trojan:Win32/Sisproc!gmb
AV MicroWorld (escan): Gen:Trojan.Heur.zqX@yHC7mccb
AV Norman: Gen:Trojan.Heur.zqX@yHC7mccb
AV Rising: Trojan.Win32.Generic.11F1ABB1
AV Sophos: Mal/EncPk-BA
AV Symantec: no_virus
AV Trend Micro: Cryp_MEW-11
AV VirusBlokAda (vba32): Trojan.Genome.ag

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\malware.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\subfile.jpg
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\\malware.exe
Creates Process: cmd.exe /c start C:\Documents and Settings\Administrator\Local Settings\Temp\subfile.jpg

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\subfile.jpg

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\subfile.jpg
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\subfile.jpg

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\APP Paths\CMD.exe\ ➝ C:\WINDOWS\system32\CMD.bat\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AA7BE134-9ACE-2457-ABD0-3AE14579BDE1}\StubPath ➝ C:\WINDOWS\system32\conme.vbs\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\APP Paths\Regedit.exe\ ➝ C:\WINDOWS\system32\Regedit.bat\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings\JITDebug ➝ NULL
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\APP Paths\msconfig.exe\ ➝ C:\WINDOWS\system32\msconfig.bat\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon\LeakShowed ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\APP Paths\Taskmgr.exe\ ➝ C:\WINDOWS\system32\Taskmgr.bat\\x00
Creates File: C:\WINDOWS\system32\Taskmgr.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\WINDOWS\system32\msconfig.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wghai[2].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\WINDOWS\system32\conme.vbs
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: c:\breg.dll
Creates File: C:\WINDOWS\system32\wings.bak
Creates File: C:\WINDOWS\system32\Txplatfrom.exe
Creates File: C:\WINDOWS\system32\CMD.bat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\Regedit.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wghai[1].htm
Creates Process: C:\WINDOWS\system32\Txplatfrom.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.zwscl.com.cn
Winsock DNS: www.wghai.com

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\subfile.jpg

Process
↳ C:\WINDOWS\system32\Txplatfrom.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\APP Paths\CMD.exe\ ➝ C:\WINDOWS\system32\CMD.bat\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\APP Paths\Regedit.exe\ ➝ C:\WINDOWS\system32\Regedit.bat\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AA7BE134-9ACE-2457-ABD0-3AE14579BDE1}\StubPath ➝ C:\WINDOWS\system32\conme.vbs\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\APP Paths\msconfig.exe\ ➝ C:\WINDOWS\system32\msconfig.bat\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\APP Paths\Taskmgr.exe\ ➝ C:\WINDOWS\system32\Taskmgr.bat\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon\LeakShowed ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\system32\Taskmgr.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\WINDOWS\system32\msconfig.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\WINDOWS\system32\conme.vbs
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wghai[1].htm
Creates File: C:\WINDOWS\system32\CMD.bat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\Regedit.bat
Winsock DNS: www.zwscl.com.cn
Winsock DNS: www.wghai.com

Network Details:

DNS: www.for-ever.cn
Type: A
208.73.211.245
DNS: www.for-ever.cn
Type: A
208.73.211.245
DNS: www.zwscl.com.cn
Type: A
DNS: www.wghai.com
Type: A
HTTP GET: http://www.wghai.com/?fromuid=2787477
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP GET: http://www.wghai.com/?fromuid=2787477
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1032 ➝ 208.73.211.245:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.245:80

Raw Pcap

Strings