Analysis Date: 2014-08-22 19:28:48
MD5: a2821e68b9280e5911ebb69a30aaeac4
SHA1: 78f1186db320057b6ca01f5c37a8c88779b70313

Static Details:

Reading note: the version resource below claims to be Microsoft's mstsc.exe (Remote Desktop Connection), but nothing on this page verifies that. No Authenticode/signature check is shown, the PE link timestamp (2008-04-14) does not match the build-lab stamp embedded in the FileVersion string (110124 = 2011-01-24), and the sample was executed as C:\malware.exe. Treat CompanyName/ProductName/OriginalFilename as attacker-controlled metadata and compare the hashes against a known-good mstsc.exe of that version before attributing the file to Microsoft.

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 4d6ee990222ce3dd64d8245349aa3c52 sha1: 1dcf0e9a38914c98717343fb2a7d954c91fa4d9c size: 237568
Section.rdata md5: 8041391088e0a7d22ac126a481823d02 sha1: baf59934541696eddb21ec83122fa9f9f570242c size: 49152
Section.data md5: 34aec60a549e359cd091f7247d88e649 sha1: ec6423f5538f2a742da0c0d6cb8da65fd455d598 size: 20480
Section.idata md5: c9a4d4aafbee9d69c1e8518baf9bf4fe sha1: acc74a1f321639d0617e589d665a426ef0e849fd size: 12288
Section.rsrc md5: f4f02f97c62848100240f169ca729007 sha1: 6b01da66086959650582aff839049f7b6f92e8c8 size: 16384
Timestamp: 2008-04-14 16:10:04
Version
LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: mstsc.exe
FileVersion: 6.0.6001.22840 (vistasp1_ldr.110124-0245)
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.0.6001.22840
FileDescription: Remote Desktop Connection
OriginalFilename: mstsc.exe
PEhash: 73df57211638fd7e33de63405a8e9d12efe5be19
IMPhash: 16088879bd9cd43d00070bab7aa1d007

Runtime Details:

Reading note: the Registry lines below record key ➝ value only; this report format does not say whether each entry was a query or a write, so confirm the operation in the raw API trace before calling any of them a modification. With that caveat, the first process (C:\malware.exe) touches the DomainProfile and StandardProfile EnableFirewall policy values, the Security Center AntiVirusDisableNotify value (1 suppresses antivirus-status notifications if written) and the SharedAccess service Start value (4 = SERVICE_DISABLED, which would stop the Windows Firewall/ICS service if written), then drops a copy to the user's Local Settings\Application Data\xwf.exe and launches it with "-gav C:\malware.exe". The second process deletes C:\malware.exe, i.e. the dropper hands its original path to the copy and the copy removes it. The HKCU ...\Run\ctfmon.exe ➝ C:\WINDOWS\system32\ctfmon.exe entry matches the stock Windows XP value and the .exe/exefile entries are handler lookups, so neither is evidence of persistence on its own. Both processes create the mutex ir4cnxm3oi333, which is a usable host indicator for this sample.

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify ➝
1
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start ➝
4
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall ➝
NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\xwf.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Application Data\xwf.exe" -gav C:\malware.exe
Creates Mutex: ir4cnxm3oi333

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Application Data\xwf.exe" -gav C:\malware.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe ➝
C:\WINDOWS\system32\ctfmon.exe
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\ ➝
IEXPLORE.EXE
RegistryHKEY_CLASSES_ROOT\exefile\ ➝
Application
RegistryHKEY_CLASSES_ROOT\.exe\ ➝
exefile
RegistryHKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath ➝
C:\Documents and Settings\Administrator\Local Settings\Application Data\\x00
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\Identity ➝
132127511
Creates FileC:\Documents and Settings\Administrator\Templates\55mb573d40mf4t250hy45eeh315b75t4q3yil4d4ciww180
Creates File\Device\Afd\AsyncConnectHlp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\55mb573d40mf4t250hy45eeh315b75t4q3yil4d4ciww180
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\55mb573d40mf4t250hy45eeh315b75t4q3yil4d4ciww180
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\All Users\Application Data\55mb573d40mf4t250hy45eeh315b75t4q3yil4d4ciww180
Deletes File: C:\malware.exe
Creates Mutex: {C9A34C77-4D69-45EC-A07D-83242376045D}D68DDC3A-831F-4FAE-9E44-DA132C1ACF46
Creates Mutex: ir4cnxm3oi333

Network Details:

Reading note: the sample queries roughly three dozen pseudo-random .com names; most return no A record, and those that do resolve land in the same 208.73.210.0/23 range (plus 69.43.161.174 for timypahisoxur.com), which is more consistent with parked or sinkholed names than with a live controller — the HTTP responses are not shown, so this cannot be settled from this page. Three of the resolving names receive the identical request, GET /1015002913 over HTTP/1.0 with a fixed "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" User-Agent and Connection: close (see Raw Pcap); that path/User-Agent pair is the most stable network signature here, because the domain list looks algorithmically generated and may not repeat. The microsoft.com lookups and the many flows to 134.170.185.46:80 are plausibly a connectivity check rather than command-and-control — presumed, not shown. 192.168.1.1 is the sandbox guest's address.

DNStimypahisoxur.com
Type: A
69.43.161.174
DNSsewibonypar.com
Type: A
208.73.210.205
DNSsewibonypar.com
Type: A
208.73.211.173
DNSsewibonypar.com
Type: A
208.73.211.246
DNSsewibonypar.com
Type: A
208.73.211.249
DNSsewibonypar.com
Type: A
208.73.210.203
DNSmicrosoft.com
Type: A
134.170.185.46
DNSmicrosoft.com
Type: A
134.170.188.221
DNSmicrosoft.com
Type: A
134.170.185.46
DNSmicrosoft.com
Type: A
134.170.188.221
DNSsocihizizacowo.com
Type: A
208.73.211.246
DNSsocihizizacowo.com
Type: A
208.73.210.219
DNSsocihizizacowo.com
Type: A
208.73.211.174
DNSsocihizizacowo.com
Type: A
208.73.211.233
DNSsocihizizacowo.com
Type: A
208.73.211.235
DNSmixolyzegito.com
Type: A
208.73.211.246
DNSmixolyzegito.com
Type: A
208.73.210.219
DNSmixolyzegito.com
Type: A
208.73.211.174
DNSmixolyzegito.com
Type: A
208.73.211.233
DNSmixolyzegito.com
Type: A
208.73.211.235
DNSlofocigeced.com
Type: A
208.73.211.175
DNSlofocigeced.com
Type: A
208.73.211.193
DNSlofocigeced.com
Type: A
208.73.211.242
DNSlofocigeced.com
Type: A
208.73.211.163
DNSlofocigeced.com
Type: A
208.73.211.174
DNSbipojizikagec.com
Type: A
208.73.211.246
DNSbipojizikagec.com
Type: A
208.73.211.249
DNSbipojizikagec.com
Type: A
208.73.210.203
DNSbipojizikagec.com
Type: A
208.73.210.205
DNSbipojizikagec.com
Type: A
208.73.211.173
DNStyfifopojax.com
Type: A
DNSwywenybazyxyq.com
Type: A
DNSzyfovubyv.com
Type: A
DNSxijifilunaq.com
Type: A
DNSdaralytagyc.com
Type: A
DNSxofokusutecyd.com
Type: A
DNSgofegucobeqevi.com
Type: A
DNSpoquwaluj.com
Type: A
DNSjiqixylexut.com
Type: A
DNSnipygevydor.com
Type: A
DNSqiculeqity.com
Type: A
DNSxojalyfudux.com
Type: A
DNShiqalotajadyfa.com
Type: A
DNSsumywygifi.com
Type: A
DNSbodylarozityd.com
Type: A
DNSpududigulerewy.com
Type: A
DNStygemimarowic.com
Type: A
DNSjicohewihihot.com
Type: A
DNSwipujuvajyr.com
Type: A
DNSfakiwijow.com
Type: A
DNSryqixafumigeqe.com
Type: A
DNSqehynytezyn.com
Type: A
DNStewitavubu.com
Type: A
DNSjafuwadycylew.com
Type: A
DNSpogavoliqamyb.com
Type: A
DNSwygehasunupi.com
Type: A
DNSdotecukihilavy.com
Type: A
DNSfehosoxukyk.com
Type: A
DNSsonewenazo.com
Type: A
DNSwarupegacotate.com
Type: A
DNSzenybijywyrade.com
Type: A
DNSrohyjikyf.com
Type: A
HTTP GET: http://mixolyzegito.com/1015002913
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP GET: http://lofocigeced.com/1015002913
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP GET: http://bipojizikagec.com/1015002913
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP192.168.1.1:1042 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1064 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1057 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1058 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1065 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1059 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1070 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1060 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1068 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1061 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1066 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1062 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1043 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1067 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1044 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1069 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1045 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1063 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1055 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1046 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1051 ➝ 208.73.211.246:80
Flows TCP192.168.1.1:1047 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1049 ➝ 69.43.161.174:80
Flows TCP192.168.1.1:1048 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1052 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1056 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1053 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1054 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1050 ➝ 208.73.210.205:80
Flows TCP192.168.1.1:1071 ➝ 134.170.185.46:80
Flows TCP192.168.1.1:1072 ➝ 208.73.211.246:80
Flows TCP192.168.1.1:1073 ➝ 208.73.211.175:80
Flows TCP192.168.1.1:1074 ➝ 208.73.211.246:80

Raw Pcap
0x00000000 (00000)   47455420 2f313031 35303032 39313320   GET /1015002913 
0x00000010 (00016)   48545450 2f312e30 0d0a486f 73743a20   HTTP/1.0..Host: 
0x00000020 (00032)   6d69786f 6c797a65 6769746f 2e636f6d   mixolyzegito.com
0x00000030 (00048)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000040 (00064)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000050 (00080)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000060 (00096)   2057696e 646f7773 204e5420 352e3129    Windows NT 5.1)
0x00000070 (00112)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000080 (00128)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000090 (00144)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f313031 35303032 39313320   GET /1015002913 
0x00000010 (00016)   48545450 2f312e30 0d0a486f 73743a20   HTTP/1.0..Host: 
0x00000020 (00032)   6c6f666f 63696765 6365642e 636f6d0d   lofocigeced.com.
0x00000030 (00048)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000040 (00064)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000050 (00080)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000060 (00096)   57696e64 6f777320 4e542035 2e31290d   Windows NT 5.1).
0x00000070 (00112)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000080 (00128)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000090 (00144)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f313031 35303032 39313320   GET /1015002913 
0x00000010 (00016)   48545450 2f312e30 0d0a486f 73743a20   HTTP/1.0..Host: 
0x00000020 (00032)   6269706f 6a697a69 6b616765 632e636f   bipojizikagec.co
0x00000030 (00048)   6d0d0a55 7365722d 4167656e 743a204d   m..User-Agent: M
0x00000040 (00064)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x00000050 (00080)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x00000060 (00096)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x00000070 (00112)   290d0a41 63636570 743a202a 2f2a0d0a   )..Accept: */*..
0x00000080 (00128)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000090 (00144)   650d0a0d 0a                           e....


Strings

Reading note: besides the import names and the version resource, the strings contain a long run of Gecko/Firefox CSS pseudo-class and media-feature names (:-moz-*, -moz-*), layer-compositor shader names (RenderYCbCrLayer, vLayerQuad, mLayerTransform), a "Microsoft (R) HLSL Shader Compiler 9.27.952.3022" marker and libintl_* gettext exports — none of which belong in a Remote Desktop client, so the file body does not support the mstsc.exe identity in the version resource. Among the imports, note WinExec, SetWindowsHookExA/UnhookWindowsHookEx, RegSetValueExA, WritePrivateProfileStringA, DeleteFileA and FindFirstFileA, and the embedded manifest requests asInvoker (no elevation). Whether the browser-related strings are padding or reachable code cannot be told from a strings dump; the rest of this section is unprintable residue.
..
.w
...
.
.
.
.
.
.
N.
.f
.
..
Lg
.
.P
.R
E
040904B0
%*+5MOW_efghmnoqsuw{
6.0.6001.22840
6.0.6001.22840 (vistasp1_ldr.110124-0245)
:active
:after
:before
canplay
canplaythrough
:checked
CompanyName
:default
Deleting
:disabled
durationchange
emptied
:empty
:enabled
ended
en-US
FileDescription
FileVersion
:first-child
:first-letter
:first-line
:first-of-type
:focus
:hover
images-in-buttons
images-in-menus
:indeterminate
:in-range
InternalName
:invalid
LabelMouseDownPtProperty
:lang
:last-child
:last-of-type
LegalCopyright
:link
loadeddata
loadedmetadata
loadstart
mac-graphite-theme
maemo-classic
menubar-drag
Microsoft
Microsoft Corporation
 Microsoft Corporation. All rights reserved.
:-moz-anonymous-block
:-moz-anonymous-positioned-block
:-moz-any
:-moz-any-link
:-moz-bound-element
:-moz-broken
:-moz-button-content
:-moz-buttonlabel
:-moz-canvas
:-moz-cell-content
:-moz-column-content
-moz-device-orientation
-moz-device-pixel-ratio
:-moz-display-comboboxcontrol-frame
:-moz-drag-over
:-moz-dropdown-list
:-moz-empty-except-children-with-localname
:-moz-fieldset-content
:-moz-first-node
:-moz-focus-inner
:-moz-focus-outer
:-moz-focusring
:-moz-frameset-blank
:-moz-handler-blocked
:-moz-handler-crashed
:-moz-handler-disabled
:-moz-has-handlerref
:-moz-hframeset-border
-moz-images-in-buttons
-moz-images-in-menus
:-moz-inline-table
:-moz-is-html
:-moz-last-node
:-moz-line-frame
:-moz-list-bullet
:-moz-list-number
:-moz-loading
:-moz-locale-dir
:-moz-lwtheme
:-moz-lwtheme-brighttext
:-moz-lwtheme-darktext
-moz-mac-graphite-theme
-moz-maemo-classic
:-moz-math-anonymous
:-moz-math-increment-script-level
:-moz-mathml-anonymous-block
:-moz-math-stretchy
-moz-menubar-drag
:-moz-non-element
:-moz-only-whitespace
:-moz-page
:-moz-pagebreak
:-moz-pagecontent
:-moz-page-sequence
:-moz-placeholder
:-moz-read-only
:-moz-read-write
-moz-scrollbar-end-backward
-moz-scrollbar-end-forward
-moz-scrollbar-start-backward
-moz-scrollbar-start-forward
-moz-scrollbar-thumb-proportional
:-moz-scrolled-canvas
:-moz-scrolled-content
:-moz-scrolled-page-sequence
:-moz-selection
:-moz-submit-invalid
:-moz-suppressed
:-moz-svg-foreign-content
:-moz-system-metric
:-moz-table
:-moz-table-border-nonzero
:-moz-table-cell
:-moz-table-column
:-moz-table-column-group
:-moz-table-outer
:-moz-table-row
:-moz-table-row-group
-moz-touch-enabled
:-moz-tree-cell
:-moz-tree-cell-text
:-moz-tree-checkbox
:-moz-tree-column
:-moz-tree-drop-feedback
:-moz-tree-image
:-moz-tree-indentation
:-moz-tree-line
:-moz-tree-progressmeter
:-moz-tree-row
:-moz-tree-separator
:-moz-tree-twisty
:-moz-type-unsupported
:-moz-ui-invalid
:-moz-ui-valid
:-moz-user-disabled
:-moz-vframeset-border
:-moz-viewport
:-moz-viewport-scroll
:-moz-window-inactive
-moz-windows-classic
-moz-windows-compositor
-moz-windows-default-theme
-moz-windows-theme
:-moz-xul-anonymous-block
mstsc.exe
:not
:nth-child
:nth-last-child
:nth-last-of-type
:nth-of-type
oncanplay
oncanplaythrough
ondurationchange
onemptied
onended
onloadeddata
onloadedmetadata
onloadstart
:only-child
:only-of-type
onMozAudioAvailable
onpause
onplay
onplaying
onprogress
onratechange
onseeked
onseeking
onstalled
onsuspend
ontimeupdate
onvolumechange
onwaiting
 Operating System
:optional
OriginalFilename
:out-of-range
pause
play
playing
ProductName
ProductVersion
QuoteNodeProperty
ratechange
remote
Remote Desktop Connection
_remote_id
:required
:root
scrollbar-end-backward
scrollbar-end-forward
scrollbar-start-backward
scrollbar-start-forward
scrollbar-thumb-proportional
seeked
seeking
stalled
StringFileInfo
suspend
SVGAFrame
SVGClipPathFrame
SVGDefsFrame
SVGFilterFrame
SVGForeignObjectFrame
SVGGenericContainerFrame
SVGGFrame
SVGGlyphFrame
SVGGradientFrame
SVGImageFrame
SVGInnerSVGFrame
SVGLinearGradientFrame
SVGMarkerFrame
SVGMaskFrame
SVGOuterSVGFrame
SVGPathGeometryFrame
SVGPatternFrame
SVGRadialGradientFrame
SVGStopFrame
SVGSwitchFrame
SVGTextFrame
SVGTextPathFrame
SVGTSpanFrame
SVGUseFrame
TableOuterFrame
TableRowFrame
TableRowGroupFrame
:target
TextFrame
TextInputFrame
timeupdate
touch-enabled
TransitionsOfAfterProperty
TransitionsOfBeforeProperty
TransitionsProperty
Translation
Typing
:valid
VarFileInfo
VideoFrame
ViewportFrame
:visited
volumechange
VS_VERSION_INFO
waiting
 Windows
windows-classic
windows-compositor
windows-default-theme
windows-theme-aero
windows-theme-generic
windows-theme-luna-blue
windows-theme-luna-olive
windows-theme-luna-silver
windows-theme-royale
windows-theme-zune
XULLabelFrame
x-unicode
zh-CN
zh-HK
zh-TW
`$`$`$
|*|*|*
-!-!-!
;,;,;,
?%?%?%
((((((
\+\+\+
%&'()*+
0123456
02V?Je
0c%%\\))8?GlQV
0?&?Eh
0K/)^	
)0KM]grf
0=@wN*
&0yn	K
0yRGhV
0*ZIWuF<
15\>dm
]1AvH)T$
1,C9cw
1dX[c@
1+K;C B
1Rjvj]
1_`s6/
&1Xks{
$1"yxY
2*2*2*
2"&,\45>
+#-28<
2kVV"i
2qh;e	g#AL
2Shi\_bh
2Sz=l9'
2%U2'm0/#a^K
|2VhL[
^2VNQj%h
3~1BQh
'%3b,E
"+$3BWd
3Ef|_]
3FUc!~
3iS_Ko
3%+lAf[r
3.`S1<-8xll
$(.469+A
$(.469=EFHJ
$(.469=EFM
$(.469=ET
$(.469F
$(.46%A
$(.46J
4C;zHJ
4G2f9>
%4n6J	
4W.aa2m|h
4x>E9;
']	54N
@`5#\B
5E'x(?KN
5	jh1YGh
,5t'/*wEref
5}!Tx.
5X^Vy'
|{`[6'
6(\5#2P
6#6#6#
69`kj%J=
6AD}II
@{6GQ#
>6kH=5	/m`
~,6{%Q/4
6w.9V%
7;4H!4
& 7$#8
789:;<
7)*f3P
7FpoEo
7sj+PT<
(%7[tN
7/Tzj-*
7VPh5@
}8`1nW
|=81?U
;8721^.
8C|x7WzI4
8E$z'w
=//8-fO
?[8?GOQY
+\8Hc8
8{hE=1
8nDDbih/[g
8Ox$UV
8`rgll:
8Ud*1Vk	
.-]8VZo
8X&u V
^8y,<$<
8z2haC+Z
9)4(,k
=:953,&
/953,&
]:953,&
95t@yM&
~9eseQ
9&kj&~
+['@9$l
9[WPTjV
;9WQl$
9WTj)R
9]Z82\22X
&~[ a7
@aCJ$-=
AdjustWindowRectEx
ADVAPI32.dll
<Ae<BN~Ms
a?eUww
Ah1{qh0"
:AN(*k
an#t/+o
</assembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
?AS&[Y
_a^WUh
AYQVF^
A:yTJL
a~zCmb^3f
\A]Zfb
B$1_`ajbgA
B'4:p8q
B7e)%S
b7+i}b
|b,BGN
bindtextdomain
bind_textdomain_codeset
bInRbe
b_o	9}.9
B"pqJ.
*btjft
BUza54
bwXfv9
b%)+xd
C3fbOt
C&:51+
=C5/NH&{
^{C]9PS
*c:AEK
CallNextHookEx
CallWindowProcA
CDJW#3r
CE=+FU
CFjwxD9
CharNextA
CharUpperA
CheckMenuItem
C#[/>iiD>8!#7
ClientToScreen
CloseHandle
ClosePrinter
CLSIDFromProgID
CLSIDFromString
CLu	9{p
CoFreeUnusedLibraries
CoGetClassObject
COMCTL32.dll
comdlg32.dll
CompareStringA
CompareStringW
CopyAcceleratorTableA
CopyRect
CoRegisterMessageFilter
CoRevokeClassObject
CoTaskMemAlloc
CoTaskMemFree
c]pib'
CreateBitmap
CreateDialogIndirectParamA
CreateFileA
CreateILockBytesOnHGlobal
CreateWindowExA
C[[_Rhvk
cSjFPQj
cSw+zV;
CTc$$5
Cu]2zNb1
C[VRjM
CWTj<Rj
|`CX{.W
._cyZE]E
!d"(.469=EFHJMTr
D4Xldb
d5[=g%
[D6^FN1
DA`~n2
@.data
dcgettext
dcngettext
DefWindowProcA
DeleteCriticalSection
DeleteDC
DeleteFileA
DeleteObject
  </dependency>
  <dependency>
    </dependentAssembly>
    <dependentAssembly>
?Derd&
DestroyMenu
DestroyWindow
$D.#|fbw
dgettext
DispatchMessageA
D(_)kP
DK	PQRUh
dngettext
DnNe\`
dnzzqqmhcd
D#("O}.
DocumentPropertiesA
DPtoLP
DqT<YXk
DrawTextA
DrN\B(
)#(dSQ
+dt_>"
duA4{'
DuplicateHandle
duPQ!A
DVQTj>SV
DXBC~K
d@yd3%
DZ{)|$
ed))dd++ee///^^^O
$e&E ^
EH-i{!
eHwL`)
EKkINB_
)::::EMT
EnableMenuItem
EnableWindow
EndDialog
EnterCriticalSection
eqZ/,g
ErT,-468
Escape
ExitProcess
ExtCreatePen
ExtTextOutA
"_,f2'2w
F|+5{8
F/5N":
F $BK2
FBnX=Vl
FCeIw1
fD1h%.q&/E4
F$;G$r
F ;G w
fhT'BU
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindResourceA
F	 <KEM
fLayerColor
fLayerOpacity
FlushFileBuffers
fMf}e`X
FormatMessageA
:FpzjP
fq2v==
)F@qD5t
F^Qh)Mq]Ph
fRAr{$
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
F;sW('
ftnXv\
^FtSw7
FTz^r:
;,FwFG
:fz	`O+jC|
)G1Ek~
(G aWr
G.AXRyC
`gbe:^*e
GDI32.dll
$g^D$t
GDvhs0
GetACP
GetActiveWindow
GetBkColor
GetCapture
GetClassInfoA
GetClassLongA
GetClassNameA
GetClientRect
GetClipBox
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentThread
GetCurrentThreadId
GetCursorPos
GetDesktopWindow
GetDeviceCaps
GetDlgCtrlID
GetDlgItem
GetEnvironmentStringsA
GetEnvironmentStringsW
GetFileAttributesA
GetFileSize
GetFileTime
GetFileTitleA
GetFileType
GetFocus
GetForegroundWindow
GetFullPathNameA
GetKeyState
GetLastActivePopup
GetLastError
GetMapMode
GetMenu
GetMenuCheckMarkDimensions
GetMenuItemCount
GetMenuItemID
GetMenuState
GetMessageA
GetMessagePos
GetMessageTime
GetModuleFileNameA
GetModuleHandleA
GetNextDlgGroupItem
GetNextDlgTabItem
GetObjectA
GetOEMCP
GetParent
GetProcAddress
GetProcessVersion
GetPropA
GetShortPathNameA
GetStartupInfoA
GetStdHandle
GetStockObject
GetStringTypeA
GetStringTypeW
GetSubMenu
GetSysColor
GetSysColorBrush
GetSystemMetrics
GetTempFileNameA
GetTempPathA
gettext
GetTextColor
GetThreadLocale
GetTickCount
GetTimeZoneInformation
GetTopWindow
GetVersion
GetViewportExtEx
GetVolumeInformationA
GetWindow
GetWindowDC
GetWindowExtEx
GetWindowLongA
GetWindowPlacement
GetWindowRect
GetWindowTextA
GHctpa
gLL?7<
g]lNJR
GlobalAddAtomA
GlobalAlloc
GlobalDeleteAtom
GlobalFindAtomA
GlobalFlags
GlobalFree
GlobalGetAtomNameA
GlobalHandle
GlobalLock
GlobalReAlloc
GlobalUnlock
$!g=LS
{g	MW~
	{GN0Wn
gNw -8
Gqn846
GrayStringA
gSCf[|
g,(sC.H
G,SwQlg`
g\tRVk
GuW<[9
^G*w_WB
G+XK%Y
.Gy:'a
gz{L0m
H0Z,-?1$
H]7n*OoI
h9d&:\y
hATG)\$
HB@`+%@
h\\::De
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
HEB=:`^[@
HEB=:953-\2
HEB=:953,&"\f
H#G~n_Di
[hHI'rh
h#|jQj
HqQh<a
hU9QTh
h[v_RPj&UhM
"%._"i
<i!0.]6
)i:1F)
I<5i!Lf
i=:953,&H
i=;:953,M
.idata
^I/d;lW
ig&`d_	
IH-XiWp
i&i&i&
I'I'I'
Imprad
InitializeCriticalSection
InterlockedDecrement
InterlockedIncrement
intl.dll
ioAWgR
IO huh
ipm^Qj)
IQ2@[I
IsBadCodePtr
IsBadReadPtr
IsBadWritePtr
IsChild
IsDialogMessageA
IsIconic
IsWindow
IsWindowEnabled
IsWindowVisible
!%,iV-"
`jcRhF
jfjBj9Tjdj
=j?iVS{
j}jXRj
#JLpbk
jLVRh{
JO	C*"
jpTB~x
jRDqoD
j~Uq/@
K1~YM,
[~K5T:
$k#6{	
KBQR%:
Ke@E@T+
kelLV`
KERNEL32.dll
=KH`|mK
KKKKQKT
]\.klu
|K.nUE
(KR8C&
K[VWQj
KwQVVU
L3%QTQ
\L8mwR
LayerTextureSamplerLinear
LayerTextureSamplerPoint
`l	 bM
lc%%\\))dd++ee//>nl
LCMapStringA
LCMapStringW
Ld}F<TH{m
LeaveCriticalSection
libintl_bindtextdomain
libintl_bind_textdomain_codeset
libintl_dcgettext
libintl_dcngettext
libintl_dgettext
libintl_dngettext
libintl_fprintf
libintl_gettext
libintl_ngettext
libintl_printf
libintl_snprintf
libintl_sprintf
libintl_textdomain
libintl_vfprintf
libintl_vprintf
libintl_vsnprintf
libintl_vsprintf
l'i]bK
	lk[tI
LlQqB]0
LoadBitmapA
LoadCursorA
LoadIconA
LoadLibraryA
LoadResource
LoadStringA
LocalAlloc
LocalFree
LocalReAlloc
LockFile
LockResource
L$p_^][3
LPtoDP
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
lstrlenW
LU"Qq"2u
luunniiDu
'L:uUP
L=-(xE
^::::::;M
^">M<	
!"%,[M
]:::::::M
M>`!A<
MapDialogRect
MapWindowPoints
.*M~"-E
M/e,.6
MessageBeep
MessageBoxA
`mgV}?
Microsoft (R) HLSL Shader Compiler 9.27.952.3022
mj+jnj
'MjY{&=o
mK]1gG
mLayerTransform
m~{M=h
M M M 
MMMMMMMMMMMM
ModifyMenuA
MoveWindow
Mp"0|/
mProjection
m''q3%
m:::::::R
MSPj|R
MulDiv
MultiByteToWideChar
*M!VU1Ho
M_w80i
M;Z'S<Q
N+11Sj
/_]`n5>
 _`N5>E
NG1IF;)
ngettext
NL/2R>0O
nnnnnnnh
)^n^Q"Mn
N`qZYt
@nrSZoLY
NU@:z-
>(+NxO'
[:NYi<
[o?;!]
~,o778#
$'~o9I
OBR,#/
OeEm7^C
OffsetRect
OffsetViewportOrgEx
||offZZZJj
O<h^pph.
OJ\X:	
ole32.dll
OLEAUT32.dll
OleCreateFontIndirect
oledlg.dll
OleFlushClipboard
OleInitialize
OleIsCurrentClipboard
olepro32.dll
OleUIBusyA
OleUninitialize
~{onyR
OpenPrinterA
OQG:k)
Orr:O<u
?;[OSx
=^:O(:T@
.o:	U'
Ou1&}2
OVYRQY
ow[nr_I:	
PeekMessageA
PerLayer
PerLayerManager
PerOccasionalLayer
PhKDc}(9
@$Phsq$
pIj&hM
PjGShZ4
$Pj$hsiV
PjkSSh
PjNjUQhP
Pjxh7HAbPj
PjxVh7
p$|%o+
POSITION
PostMessageA
PostQuitMessage
PostThreadMessageA
P	P	P	
<Pp~:R
:,P!_Q
P\q E3
`#pqVh
[PRj:h
_PSj{Vh~
pt)B9I
PtInRect
PTjOTh
PtVisible
P_vBWQ{
pVgGQJ
!/pWfKn
[P@XRRUV
Pxx7*0
{{]^///^^^^Q
QAAYYQj
qfditTF
QG[%/i
Qh);^MVj
Qh)~,)Uh
Q@hy\#!
/Qi#6%v
qi\cR.
Q[IPhN
QjWh*]
Qj	Y9N
QjZjqj<h
Q p}cG
qqqqqqq)A
^QRh0e_
QRPhW.
QSTj]TP
q)v2^%
<Q,W)?
q,%(\X
qzF1bR
r,5OC>-0
R:953,&
RaiseException
R-!]`[b
R};c$?
`.rdata
ReadFile
Rectangle
RectVisible
RedrawWindow
RegCloseKey
RegCreateKeyExA
RegisterClassA
RegisterClipboardFormatA
RegisterWindowMessageA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseDC
RemovePropA
RenderComponentAlphaLayer
RenderRGBALayerNonPremulPoint
RenderRGBALayerPremulPoint
RenderSolidColorLayer
RenderYCbCrLayer
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
RestoreDC
Rh5.uch
RHEB=:953,&
RichU]L
RIpcx2
rJ$|FqE
RkBDOpTs`
rM'))U
?rn'S8
R'o<mUT]
R)R)R)
?{RRSj<
RSjIh4)
RSj	Uj
RtlUnwind
RTRPhS
RVjXUQj
Rx,$-q@
RXvcph3
.r(yfJ
s5sKIB
$&S~7x
SaveDC
sBYl`U
ScaleViewportExtEx
ScaleWindowExtEx
[[SC[_QRj
    </security>
    <security>
SelectObject
SendDlgItemMessageA
SendMessageA
SetActiveWindow
SetBkColor
SetCursor
SetEndOfFile
SetEnvironmentVariableA
SetErrorMode
SetFilePointer
SetFocus
SetForegroundWindow
SetHandleCount
SetLastError
SetMapMode
SetMenuItemBitmaps
SetPropA
SetRect
set_relocation_prefix
SetStdHandle
SetTextColor
SetUnhandledExceptionFilter
SetViewportExtEx
SetViewportOrgEx
SetWindowContextHelpId
SetWindowExtEx
SetWindowLongA
SetWindowPos
SetWindowsHookExA
SetWindowTextA
s=Ga?Ic
\^(Sh'_
,$Shb}mP
?Shc8"BhF4
ShowWindow
[Sj^Sj%Sj
sm"`V|C
,sn>^,
snkEA.
Sp>l*[;
SQh|%T
sr1}@9
SrZs+1$
_SSj{QTh~+
s(s(s(
SSSSSSSS
SSVPVh
StgCreateDocfileOnILockBytes
StgOpenStorageOnILockBytes
STj+jnh
StringFromCLSID
['su54
SV_Position
&_SVRZWQ
SV_Target
SVUjIj4S
svvvvvvvgA
Swwwj=B>
sYCc%Oy
SystemParametersInfoA
t 47@#A
]T6i?X
=t9^;r
TabbedTextOutA
T#{`bA
TerminateProcess
TEXCOORD
textdomain
TextOutA
TFB=:953,&
!This program cannot be run in DOS mode.
ThJ!K!>
TK!ZYSh
tLLD!.
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
|TNjf	
tO1fRu
TranslateMessage
tRGBWhite
T Rm#'
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
TvI6!;
T^Z/dK
<u5Ptc
U~b;:K
UCOm>K
uee*))))00
ulid\VL
UnhookWindowsHookEx
UnlockFile
UnregisterClassA
UpdateWindow
UQjPj/
USER32.dll
U:VjPj/h"qRKV
u;;w`tH
u|yC_L
)/Uyh>4
+V2VU,
v9-h1PG:|6
ValidateRect
|VcKv6
+~v\E>$
`vE??g
VeRVh G
VEy(T;
<[VhuR
VirtualAlloc
VirtualFree
vLayerQuad
^VPjqh<
_VPQQTjqh<_
V!PZX9
VQjjjAj
v[QRQh!j
V}"]qS?
vRenderTargetOffset
[VRjgh
^VSSQRh
vTextureCoords
[VUVj;j>R
vV@ICv
~~vvphh
~~vvpphc_
~~vvvlia<<
w$#5eH
+{W6.}
W7'''''7A
w:bk]P
w=G3N8
WGTTDb
 [[_Wh
Wh\BjtV
WideCharToMultiByte
WinExec
WinHelpA
WINSPOOL.DRV
WjajlVj
;Wj{j~
{{Wj~j
WjnQVR
Wq11H	
Wq#pWz
';&Wr,1
WriteFile
WritePrivateProfileStringA
$WRjdj
wsprintfA
_WSTj+
WTPh]2
WU'%]469=EFHJNl0#A
w!w!w!
W"W"W"
WWWtF>
wwwwww
wwwwwx
WY5)R8,K
**"(wz
X7al]/
Xah7qv|Q+
x]B4KK
Xc|_],z
x]f*Uc
xgsTMJ
xIJ5e7jv
X[iKFo@k
xk0{*U
.&x((Lq[
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
XP	NBmv
XQjohbL
xqWQj<
XRRh}S
X'>~,S
XSRJZPVh',
Xs{Zu]
xthbZQO;?
.XUVNF
:XVQQUj
XVQYWW
@XV^RVP
XVVUjESj
XYRj0Rj
XYYYYO#
#-*yD 
ydXFZSH
YJZSQh
YMOj$)+_
ynfA `
[YPHXXWj]j
Y >rJ|1
Y[Rj~j
yRV{[a
YRWSTh
Ysssssss
:Y$U#|
YUPUQFcWC
Y_^VPQj;
%YVPXWShc'
y!Wj,Sh
Yw!O7px
[Y^WSh
YX[RQh
YYQQh7
}}}yyyti=BF
}}}yyytt
}}}yyyttp
}}}yyyttpD
}}}yyyttppGW
!yz=j6
}:z')=
Z0D:U{
~^`z0J
}z5X=[
Z7GL3f
ZBSj^h%
{zg_T{
\zh%c?
ZHQn$^
-zio*[
zmg]/0
^ZRQUhk
ZrSTjpR
zRWj	j
^ZSCK[R
Z&SjMh
ZVSRjvQh]
zWif%(E
}zwmmhvLHFFHJMZ
ZXRVj}jXh
(zzX,g