HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.15099347 (B) (Emsisoft), Trojan.Generic.15099347 (AdAware), Backdoor.Win32.Farfli.FD, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: d1fd8cc62a8f1ba3ede9cb9f178c07b9
SHA1: 777077f08bf94c30be886a149dafbc19c374575c
SHA256: 0829552607353fb00b60d9ac3b4648f97131a01248ce5ac152f2e1028d8459b4
SSDeep: 6144:P3owmzBVkz3bBmFOgIoK5st2hcy1Wn0CnH1qK2k0SlLboizcL7r:P3lmzjk/wFo5smcy1W0 HXp1LxALP
Size: 327782 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2015-04-24 20:39:42
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
mofcomp.exe:4092
WindowsXP-KB968930-x86-ENG.exe:900
ngen.exe:3760
ngen.exe:3984
ngen.exe:3616
ngen.exe:1932
ngen.exe:3940
ngen.exe:4004
ngen.exe:3744
ngen.exe:3908
ngen.exe:3800
ngen.exe:3840
ngen.exe:4064
ngen.exe:3892
ngen.exe:2072
ngen.exe:1144
ngen.exe:1232
PSCustomSetupUtil.exe:2928
PSCustomSetupUtil.exe:1096
PSCustomSetupUtil.exe:3204
PSCustomSetupUtil.exe:2336
PSCustomSetupUtil.exe:2484
PSCustomSetupUtil.exe:2996
PSCustomSetupUtil.exe:2856
PSCustomSetupUtil.exe:1876
PSCustomSetupUtil.exe:3152
PSCustomSetupUtil.exe:2268
PSCustomSetupUtil.exe:2412
PSCustomSetupUtil.exe:3096
PSCustomSetupUtil.exe:828
PSCustomSetupUtil.exe:3308
PSCustomSetupUtil.exe:2532
PSCustomSetupUtil.exe:328
PSCustomSetupUtil.exe:2160
wsmanhttpconfig.exe:2900
wsmanhttpconfig.exe:3492
%original file name%.exe:524
%original file name%.exe:1612
The Trojan injects its code into the following process(es):
update.exe:1196
mscorsvw.exe:3620
svchost.exe:168
svchost.exe:272
svchost.exe:372
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process mofcomp.exe:4092 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\wbem\Logs\mofcomp.log (1068 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (0 bytes)
The process WindowsXP-KB968930-x86-ENG.exe:900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\1a581e7121a380047c3556\wsmtxt.xsl (2 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\1a581e7121a380047c3556\registry.format.ps1xml (20 bytes)
C:\1a581e7121a380047c3556\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\1a581e7121a380047c3556\about_logical_operators.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_functions.help.txt (586 bytes)
C:\1a581e7121a380047c3556\winrmprov.mof (789 bytes)
C:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\1a581e7121a380047c3556\about_comparison_operators.help.txt (11 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.security.dll (1145 bytes)
C:\1a581e7121a380047c3556\diagnostics.format.ps1xml (590 bytes)
C:\1a581e7121a380047c3556\about_types.ps1xml.help.txt (481 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.editor.dll (14450 bytes)
C:\1a581e7121a380047c3556\about_language_keywords.help.txt (11 bytes)
C:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\1a581e7121a380047c3556\powershellcore.format.ps1xml (1492 bytes)
C:\1a581e7121a380047c3556\about_preference_variables.help.txt (37 bytes)
C:\1a581e7121a380047c3556\about_functions_advanced_methods.help.txt (9 bytes)
C:\1a581e7121a380047c3556\wsmplpxy.dll (603 bytes)
C:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
C:\1a581e7121a380047c3556\winrs.exe (1154 bytes)
C:\1a581e7121a380047c3556\wtrinstaller.ico (4803 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\1a581e7121a380047c3556\about_break.help.txt (792 bytes)
C:\1a581e7121a380047c3556\about_hash_tables.help.txt (6 bytes)
C:\1a581e7121a380047c3556\about_command_precedence.help.txt (8 bytes)
C:\1a581e7121a380047c3556\about_debuggers.help.txt (21 bytes)
C:\1a581e7121a380047c3556\about_wmi_cmdlets.help.txt (8 bytes)
C:\1a581e7121a380047c3556\about_requires.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_parameters.help.txt (9 bytes)
C:\1a581e7121a380047c3556\wsmanhttpconfig.exe (3009 bytes)
C:\1a581e7121a380047c3556\about_trap.help.txt (10 bytes)
C:\1a581e7121a380047c3556\winrm.ini (1956 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\1a581e7121a380047c3556\about_job_details.help.txt (824 bytes)
C:\1a581e7121a380047c3556\windowspowershellhelp.chm (26041 bytes)
C:\1a581e7121a380047c3556\about_transactions.help.txt (1011 bytes)
C:\1a581e7121a380047c3556\about_path_syntax.help.txt (5 bytes)
C:\1a581e7121a380047c3556\getevent.types.ps1xml (15 bytes)
C:\1a581e7121a380047c3556\wsmprovhost.exe (657 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\1a581e7121a380047c3556\about_profiles.help.txt (457 bytes)
C:\1a581e7121a380047c3556\about_regular_expressions.help.txt (5 bytes)
C:\1a581e7121a380047c3556\about_prompts.help.txt (7 bytes)
C:\1a581e7121a380047c3556\spupdsvc.exe (287 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\1a581e7121a380047c3556\wsmsvc.dll (15909 bytes)
C:\1a581e7121a380047c3556\system.management.automation.dll-help.xml (16567 bytes)
C:\1a581e7121a380047c3556\update\update.ver (14 bytes)
C:\1a581e7121a380047c3556\winrssrv.dll (12 bytes)
C:\1a581e7121a380047c3556\about_assignment_operators.help.txt (379 bytes)
C:\1a581e7121a380047c3556\pwrshsip.dll (24 bytes)
C:\1a581e7121a380047c3556\about_format.ps1xml.help.txt (17 bytes)
C:\1a581e7121a380047c3556\about_while.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_command_syntax.help.txt (5 bytes)
C:\1a581e7121a380047c3556\wsmauto.mof (4 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\1a581e7121a380047c3556\spmsg.dll (495 bytes)
C:\1a581e7121a380047c3556\about_type_operators.help.txt (5 bytes)
C:\1a581e7121a380047c3556\eventforwarding.adm (2 bytes)
C:\1a581e7121a380047c3556\about_functions_advanced.help.txt (3 bytes)
C:\1a581e7121a380047c3556\about_if.help.txt (3 bytes)
C:\1a581e7121a380047c3556\powershelltrace.format.ps1xml (344 bytes)
C:\1a581e7121a380047c3556\microsoft.wsman.runtime.dll (33 bytes)
C:\1a581e7121a380047c3556\spuninst.exe (3787 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.editor.resources.dll (562 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\1a581e7121a380047c3556\about_remote_output.help.txt (887 bytes)
C:\1a581e7121a380047c3556\about_switch.help.txt (489 bytes)
C:\1a581e7121a380047c3556\about_eventlogs.help.txt (5 bytes)
C:\1a581e7121a380047c3556\about_arithmetic_operators.help.txt (168 bytes)
C:\1a581e7121a380047c3556\about_remote_requirements.help.txt (6 bytes)
C:\1a581e7121a380047c3556\about_script_internationalization.help.txt (9 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\1a581e7121a380047c3556\about_aliases.help.txt (6 bytes)
C:\1a581e7121a380047c3556\winrm.vbs (2727 bytes)
C:\1a581e7121a380047c3556\pscustomsetuputil.exe (316 bytes)
C:\1a581e7121a380047c3556\update\eula.txt (586 bytes)
C:\1a581e7121a380047c3556\default.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_windows_powershell_ise.help.txt (6 bytes)
C:\1a581e7121a380047c3556\about_history.help.txt (3 bytes)
C:\1a581e7121a380047c3556\pssetupnativeutils.exe (9 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\1a581e7121a380047c3556\update\kb968930xp.cat (512 bytes)
C:\1a581e7121a380047c3556\windowsremotemanagement.adm (574 bytes)
C:\1a581e7121a380047c3556\bitstransfer.psd1 (950 bytes)
C:\1a581e7121a380047c3556\about_join.help.txt (2 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\1a581e7121a380047c3556\about_operators.help.txt (770 bytes)
C:\1a581e7121a380047c3556\about_scripts.help.txt (12 bytes)
C:\1a581e7121a380047c3556\wsmres.dll (6164 bytes)
C:\1a581e7121a380047c3556\about_throw.help.txt (5 bytes)
C:\1a581e7121a380047c3556\about_remote.help.txt (7 bytes)
C:\1a581e7121a380047c3556\about_signing.help.txt (12 bytes)
C:\1a581e7121a380047c3556\about_quoting_rules.help.txt (659 bytes)
C:\1a581e7121a380047c3556\about_script_blocks.help.txt (3 bytes)
C:\1a581e7121a380047c3556\winrshost.exe (22 bytes)
C:\1a581e7121a380047c3556\dotnettypes.format.ps1xml (266 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.management.dll (3386 bytes)
C:\1a581e7121a380047c3556\about_remote_troubleshooting.help.txt (146 bytes)
C:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\1a581e7121a380047c3556\about_jobs.help.txt (12 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\1a581e7121a380047c3556\wsmpty.xsl (1 bytes)
C:\1a581e7121a380047c3556\about_escape_characters.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_return.help.txt (3 bytes)
C:\1a581e7121a380047c3556\about_session_configurations.help.txt (276 bytes)
C:\1a581e7121a380047c3556\winrsmgr.dll (2 bytes)
C:\1a581e7121a380047c3556\about_split.help.txt (10 bytes)
C:\1a581e7121a380047c3556\update\spcustom.dll (23 bytes)
C:\1a581e7121a380047c3556\about_foreach.help.txt (10 bytes)
C:\1a581e7121a380047c3556\about_core_commands.help.txt (221 bytes)
C:\1a581e7121a380047c3556\about_variables.help.txt (6 bytes)
C:\1a581e7121a380047c3556\bitstransfer.format.ps1xml (16 bytes)
C:\1a581e7121a380047c3556\about_execution_policies.help.txt (13 bytes)
C:\1a581e7121a380047c3556\profile.ps1 (772 bytes)
C:\1a581e7121a380047c3556\system.management.automation.dll (38414 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\1a581e7121a380047c3556\about_reserved_words.help.txt (1 bytes)
C:\1a581e7121a380047c3556\about_ref.help.txt (1 bytes)
C:\1a581e7121a380047c3556\about_wildcards.help.txt (3 bytes)
C:\1a581e7121a380047c3556\about_continue.help.txt (1 bytes)
C:\1a581e7121a380047c3556\winrm.cmd (35 bytes)
C:\1a581e7121a380047c3556\about_redirection.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_locations.help.txt (794 bytes)
C:\1a581e7121a380047c3556\about_bits_cmdlets.help.txt (7 bytes)
C:\1a581e7121a380047c3556\wsmwmipl.dll (2816 bytes)
C:\1a581e7121a380047c3556\about_ws-management_cmdlets.help.txt (405 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\1a581e7121a380047c3556\powershell.exe.mui (10 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.security.resources.dll (9 bytes)
C:\1a581e7121a380047c3556\about_pssession_details.help.txt (9 bytes)
C:\1a581e7121a380047c3556\certificate.format.ps1xml (155 bytes)
C:\1a581e7121a380047c3556\filesystem.format.ps1xml (133 bytes)
C:\1a581e7121a380047c3556\about_windows_powershell_2.0.help.txt (453 bytes)
C:\1a581e7121a380047c3556\winrmprov.dll (591 bytes)
C:\1a581e7121a380047c3556\about_parsing.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_automatic_variables.help.txt (14 bytes)
C:\1a581e7121a380047c3556\windowsremoteshell.adm (12 bytes)
C:\1a581e7121a380047c3556\wsman.format.ps1xml (837 bytes)
C:\1a581e7121a380047c3556\about_scopes.help.txt (76 bytes)
C:\1a581e7121a380047c3556\about_pipelines.help.txt (411 bytes)
C:\1a581e7121a380047c3556\$shtdwn$.req (788 bytes)
C:\1a581e7121a380047c3556\about_comment_based_help.help.txt (595 bytes)
C:\1a581e7121a380047c3556\powershell_ise.resources.dll (4 bytes)
C:\1a581e7121a380047c3556\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\1a581e7121a380047c3556\update\update.inf (2457 bytes)
C:\1a581e7121a380047c3556\about_line_editing.help.txt (1 bytes)
C:\1a581e7121a380047c3556\about_remote_faq.help.txt (775 bytes)
C:\1a581e7121a380047c3556\update\update.exe (10748 bytes)
C:\1a581e7121a380047c3556\about_pssnapins.help.txt (6 bytes)
C:\1a581e7121a380047c3556\pspluginwkr.dll (1756 bytes)
C:\1a581e7121a380047c3556\microsoft.wsman.management.resources.dll (13 bytes)
C:\1a581e7121a380047c3556\system.management.automation.resources.dll (3153 bytes)
C:\1a581e7121a380047c3556\powershell_ise.exe (2526 bytes)
C:\1a581e7121a380047c3556\about_environment_variables.help.txt (417 bytes)
C:\1a581e7121a380047c3556\about_do.help.txt (2 bytes)
C:\1a581e7121a380047c3556\pwrshplugin.dll (802 bytes)
C:\1a581e7121a380047c3556\about_providers.help.txt (59 bytes)
C:\1a581e7121a380047c3556\update\updspapi.dll (5940 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\1a581e7121a380047c3556\about_functions_advanced_parameters.help.txt (962 bytes)
C:\1a581e7121a380047c3556\about_modules.help.txt (13 bytes)
C:\1a581e7121a380047c3556\about_pssessions.help.txt (9 bytes)
C:\1a581e7121a380047c3556\winrscmd.dll (2907 bytes)
C:\1a581e7121a380047c3556\about_commonparameters.help.txt (12 bytes)
C:\1a581e7121a380047c3556\about_remote_jobs.help.txt (13 bytes)
C:\1a581e7121a380047c3556\about_properties.help.txt (7 bytes)
C:\1a581e7121a380047c3556\about_data_sections.help.txt (5 bytes)
C:\1a581e7121a380047c3556\about_try_catch_finally.help.txt (7 bytes)
C:\1a581e7121a380047c3556\wsmauto.dll (1842 bytes)
C:\1a581e7121a380047c3556\powershell.exe (7339 bytes)
C:\1a581e7121a380047c3556\importallmodules.psd1 (438 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.consolehost.dll (3118 bytes)
C:\1a581e7121a380047c3556\about_arrays.help.txt (8 bytes)
C:\1a581e7121a380047c3556\help.format.ps1xml (3947 bytes)
C:\1a581e7121a380047c3556\about_for.help.txt (146 bytes)
C:\1a581e7121a380047c3556\about_methods.help.txt (6 bytes)
C:\1a581e7121a380047c3556\about_special_characters.help.txt (3 bytes)
C:\1a581e7121a380047c3556\pwrshmsg.dll (4 bytes)
C:\1a581e7121a380047c3556\wevtfwd.dll (3351 bytes)
C:\1a581e7121a380047c3556\about_objects.help.txt (2 bytes)
C:\1a581e7121a380047c3556\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\1a581e7121a380047c3556\microsoft.wsman.management.dll (5010 bytes)
C:\1a581e7121a380047c3556\types.ps1xml (2510 bytes)
The Trojan deletes the following file(s):
C:\_444218_ (0 bytes)
The process ngen.exe:3760 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1220 bytes)
The process ngen.exe:3984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1104 bytes)
The process ngen.exe:3616 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (596 bytes)
The process ngen.exe:1932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (800 bytes)
The process ngen.exe:3940 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (772 bytes)
The process ngen.exe:4004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1450 bytes)
The process ngen.exe:3744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (896 bytes)
The process ngen.exe:3908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (494 bytes)
The process ngen.exe:3800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (554 bytes)
The process ngen.exe:3840 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (866 bytes)
The process ngen.exe:4064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (770 bytes)
The process ngen.exe:3892 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1186 bytes)
The process ngen.exe:2072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (784 bytes)
The process ngen.exe:1144 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1114 bytes)
The process ngen.exe:1232 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (468 bytes)
The process update.exe:1196 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\SETBF.tmp (42 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (7641 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%System%\config\SYSTEM.LOG (6201 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\config (200 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (3198 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1579 bytes)
%WinDir%\inf\oem11.PNF (10040 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (220274 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%WinDir%\inf\oem11.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)
The Trojan deletes the following file(s):
%System%\SETBF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (0 bytes)
%System%\SET12.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (0 bytes)
%WinDir%\_000003_.tmp.dll (0 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (0 bytes)
%System%\SETC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (0 bytes)
%System%\_000002_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (0 bytes)
%System%\wevtfwd.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (0 bytes)
%WinDir%\inf\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (0 bytes)
%System%\SET25.tmp (0 bytes)
%System%\SET13.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (0 bytes)
%System%\SET20.tmp (0 bytes)
%System%\SET14.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (0 bytes)
%WinDir%\inf\SET32.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (0 bytes)
%System%\SET7.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (0 bytes)
%System%\SET2A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (0 bytes)
%System%\WsmWmiPl.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (0 bytes)
%System%\GroupPolicy\Adm\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (0 bytes)
%System%\winrm\0409\winrm.ini (0 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (0 bytes)
%System%\winrscmd.dll (0 bytes)
%System%\SET2B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (0 bytes)
%System%\SET2E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (0 bytes)
%System%\wsmanhttpconfig.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (0 bytes)
%System%\winrm.cmd (0 bytes)
%System%\SETE.tmp (0 bytes)
%System%\winrm.vbs (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (0 bytes)
%System%\SET6.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (0 bytes)
%System%\wbem\SET4.tmp (0 bytes)
%System%\SET17.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (0 bytes)
%System%\SETA.tmp (0 bytes)
%System%\SET22.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (0 bytes)
%System%\SET27.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (0 bytes)
%System%\SET11.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (0 bytes)
%System%\WsmAuto.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (0 bytes)
%System%\SET8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (0 bytes)
%System%\SETF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (0 bytes)
%System%\wbem\wsmAuto.mof (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (0 bytes)
%System%\wsmplpxy.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (0 bytes)
%System%\SET26.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (0 bytes)
%System%\SET21.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (0 bytes)
%System%\SET16.tmp (0 bytes)
%System%\GroupPolicy\Adm\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (0 bytes)
%System%\GroupPolicy\Adm\EventForwarding.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (0 bytes)
%System%\winrmprov.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (0 bytes)
%System%\wsmprovhost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (0 bytes)
%System%\winrmprov.mof (0 bytes)
%System%\SETB.tmp (0 bytes)
%System%\SET1F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (0 bytes)
%System%\SET28.tmp (0 bytes)
%System%\SET5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (0 bytes)
%System%\winrshost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (0 bytes)
%System%\SET31.tmp (0 bytes)
%WinDir%\inf\SET18.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (0 bytes)
%System%\WsmPty.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (0 bytes)
%System%\SET29.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (0 bytes)
%System%\WsmRes.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (0 bytes)
%WinDir%\Temp\UPD3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (0 bytes)
%System%\SET2C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (0 bytes)
%System%\SET15.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (0 bytes)
%System%\wbem\SET1E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (0 bytes)
%System%\SET2D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (0 bytes)
%System%\SET24.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (0 bytes)
%System%\winrssrv.dll (0 bytes)
%WinDir%\inf\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (0 bytes)
%System%\winrm\0409\SET1D.tmp (0 bytes)
%System%\SETD.tmp (0 bytes)
%System%\SET10.tmp (0 bytes)
%WinDir%\inf\SET19.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (0 bytes)
%System%\SET9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (0 bytes)
%System%\winrm\0409\SET37.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (0 bytes)
%System%\winrs.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (0 bytes)
%System%\SET2F.tmp (0 bytes)
%WinDir%\Help\SETC5.tmp (0 bytes)
%System%\WsmSvc.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (0 bytes)
%System%\winrsmgr.dll (0 bytes)
%System%\SET30.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (0 bytes)
%System%\SET23.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (0 bytes)
%System%\WsmTxt.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (0 bytes)
%WinDir%\inf\SET33.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (0 bytes)
The process PSCustomSetupUtil.exe:2928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\7Y38EJOT\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:1096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\SKPUZ49F\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
The process PSCustomSetupUtil.exe:3204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\KBGLQW16\Microsoft.WSMan.Management.resources.dll (13 bytes)
The process PSCustomSetupUtil.exe:2336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\H8EJOTY3\Microsoft.WSMan.Runtime.dll (7 bytes)
The process PSCustomSetupUtil.exe:2484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\LDINSW15\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
The process PSCustomSetupUtil.exe:2996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\7Y38DINT\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:2856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\KMSX27CH\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:1876 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\OFKPV17C\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
The process PSCustomSetupUtil.exe:3152 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\XOTY37CG\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
The process PSCustomSetupUtil.exe:2268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\DBHNSX38\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
The process PSCustomSetupUtil.exe:2412 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\RJPUZ49E\Microsoft.WSMan.Management.dll (9608 bytes)
The process PSCustomSetupUtil.exe:3096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\ZQV05AFK\Microsoft.PowerShell.Security.resources.dll (9 bytes)
The process PSCustomSetupUtil.exe:828 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\KBGLQV05\System.Management.Automation.dll (81046 bytes)
The process PSCustomSetupUtil.exe:3308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\SJOTY38D\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
The process PSCustomSetupUtil.exe:2532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\MEJPUZ49\System.Management.Automation.resources.dll (9320 bytes)
The process PSCustomSetupUtil.exe:328 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\E6BGMRW1\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
The process PSCustomSetupUtil.exe:2160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\5W16BGLQ\Microsoft.PowerShell.Security.dll (2392 bytes)
The process mscorsvw.exe:3620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
The process %original file name%.exe:1612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startupx\system.pif (2105 bytes)
Registry activity
The process mofcomp.exe:4092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 0C 49 D4 BB 15 10 F7 4B 93 38 E9 F9 12 92 95"
The process WindowsXP-KB968930-x86-ENG.exe:900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 FF 2D CC B3 BF 22 98 97 47 48 7F B9 9C 83 06"
The process ngen.exe:3760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 D1 5A 46 01 04 04 1C 70 D4 1D 31 35 9B F6 9E"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:3984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 23 60 7F EB C7 3F D6 3A 48 C1 64 D1 E4 71 C0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
The process ngen.exe:3616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 5C 04 9E E3 05 0C 07 6A C3 01 A5 4F 46 08 37"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
The process ngen.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 5A 05 29 20 36 07 65 90 0A 4B EC 4F 6A 99 24"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
The process ngen.exe:3940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 2E 55 79 5A 4C D0 01 03 CC EF 49 E1 36 DE CB"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"
The process ngen.exe:4004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 60 67 A9 21 BC 0B 59 B4 E7 4F CF 3D 00 2C A1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:3744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 AF 58 DD 5A 9A 80 C5 E7 BC 25 EB 57 F0 1A B1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
The process ngen.exe:3908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 8C C4 77 3D A0 58 5F 2C 99 61 0C 26 AA 59 DB"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"
The process ngen.exe:3800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 4A D0 D4 67 9A 31 ED 87 A0 01 D9 53 F5 42 C8"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
The process ngen.exe:3840 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 C5 00 E1 C2 72 DE 7A 87 A9 7C 1F D6 23 5E A2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:4064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 34 A8 30 15 0D 3A C8 FA E4 C3 17 A2 EA 8C 27"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:3892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 23 52 1F 2F 8A 1F 1F B8 CC F7 3E CF AC 50 C5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:2072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 64 BA DE 0E C4 1F F2 31 02 44 35 A8 B6 CE 05"
The process ngen.exe:1144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 CF 30 56 49 48 70 B4 38 30 F5 5C FF 89 91 A0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:1232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 51 7E 48 13 85 48 59 78 FE C4 82 76 D1 B6 AC"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process update.exe:1196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\NumMethods]
"(Default)" = "6"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Description" = "Windows Management Framework Core"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"StackVersion" = "2.0"
[HKCR\Microsoft.PowerShellModule.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKCR\.psc1]
"(Default)" = "Microsoft.PowerShellConsole.1"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "IWSManHostEntrySink"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsGetSignature"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PSCompatibleVersion" = "1.0,2.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoModify" = "1"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"(Default)" = "Microsoft Windows WSMan Provider Host"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"TypesSupported" = "7"
[HKCR\Microsoft.PowerShellModule.1]
"EditFlags" = "131072"
[HKCR\WSMan.InternalAutomation\CurVer]
"(Default)" = "WSMan.InternalAutomation.1"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}]
"(Default)" = "IWSManResourceLocator"
[HKCR\.ps1xml]
"PerceivedType" = "Text"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}]
"(Default)" = "IWSManConnectionOptions"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryCount" = "8"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"LogLevel" = "536870912"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\Microsoft.PowerShellScript.1]
"EditFlags" = "131072"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WINRM" = "WINRM"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"file" = "%WinDir%\System32\config\WindowsPowerShell.evt"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\Microsoft.PowerShellScript.1\shell\Run with PowerShell\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -file %1"
[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"EventMessageFile" = "%systemroot%\system32\WsmRes.dll"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"ServerExecutable" = "%System%\wsmprovhost.exe"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PSModulePath" = "%System%\WindowsPowerShell\v1.0\Modules\"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"CoInitializeSecurityParam" = "1"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path" = "%System%\WindowsPowerShell\v1.0\powershell.exe"
[HKCR\Microsoft.PowerShellConsole.1]
"FriendlyTypeName" = "Windows PowerShell Console File"
[HKCR\Microsoft.PowerShellModule.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"
[HKCR\WSMan.InternalAutomation]
"(Default)" = "WSMan InternalAutomation Class"
[HKCR\Microsoft.PowerShellData.1]
"FriendlyTypeName" = "Windows PowerShell Data File"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"(Default)" = "%System%\wsmprovhost.exe"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0]
"(Default)" = "Microsoft WSMAN Automation V1.0 Library"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"AuthenticationCapabilities" = "12320"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"Version" = "1.0"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"Retention" = "0"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"EventMessageFile" = "%SystemRoot%\System32\spmsg.dll"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "PSFactoryBuffer"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PublishingGroup" = "Management and Infrastructure Group"
[HKCR\Microsoft.PowerShellConsole.1\shell\open\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -p %1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Retention" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsPutSignature"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"ParameterMessageFile" = "%systemroot%\system32\kernel32.dll"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem11.inf" = "1"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnService" = "RPCSS, HTTP, HTTPFilter"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"TypesSupported" = "7"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}]
"(Default)" = "IWSManEx"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"TSAware" = "1"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"(Default)" = "Microsoft Windows Remote Shell Host"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostModuleName" = "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"
[HKCR\WSMan.Automation\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"
[HKCR\WSMan.Automation.1\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"
[HKLM\System\CurrentControlSet\Services\WinRM]
"Type" = "32"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\VersionIndependentProgID]
"(Default)" = "WSMan.Automation"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DisplayName" = "Windows Remote Management (WS-Management)"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\0\win32]
"(Default)" = "%System%\WsmAuto.dll"
[HKCR\Microsoft.PowerShellConsole.1]
"EditFlags" = "131072"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ReleaseType" = "Software Update"
[HKCR\WSMan.InternalAutomation.1\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"
[HKCR\WSMan.Automation\CurVer]
"(Default)" = "WSMan.Automation.1"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\ProgID]
"(Default)" = "WSMan.InternalAutomation.1"
[HKCR\.ps1xml]
"(Default)" = "Microsoft.PowerShellXmlData.1"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ImagePath" = "%WinDir%\System32\svchost.exe -k WinRM"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"MaxSize" = "15728640"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 0E E6 BA FD 5B DB 9D FF 5F CB 3A A2 24 3D 66"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "PSFactoryBuffer"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "PSFactoryBuffer"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Sources" = "PowerShell"
[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"MaxSize" = "20971520"
[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"ServiceDll" = "%SystemRoot%\system32\WsmSvc.dll"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\1033]
"Install" = "1"
[HKCR\Microsoft.PowerShellScript.1\DefaultIcon]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe,1"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\VersionIndependentProgID]
"(Default)" = "WSMan.InternalAutomation"
[HKCR\Microsoft.PowerShellData.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"
[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"seRVicemAIN" = "ServiceMain"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"TypesSupported" = "7"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"Version" = "1.0"
[HKCR\Microsoft.PowerShellData.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"AppID" = "{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerVersion" = "6.1.29.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayIcon" = "%System%\WindowsPowerShell\v1.0\WTRInstaller.ico"
[HKCR\.psc1]
"Content Type" = "application/PowerShell"
[HKCR\Microsoft.PowerShellXmlData.1]
"EditFlags" = "131072"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}]
"(Default)" = "WSMan InternalAutomation Class"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem11.PNF" = "1"
[HKCR\Microsoft.PowerShellData.1]
"EditFlags" = "131072"
[HKCR\Microsoft.PowerShellXmlData.1]
"FriendlyTypeName" = "Windows PowerShell XML Document"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ErrorControl" = "1"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ARPLink" = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}]
"(Default)" = "IWSManResourceLocatorInternal"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"AutoBackupLogFiles" = "0"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"
[HKCR\WSMan.InternalAutomation\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoRepair" = "1"
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}]
"(Default)" = "WinRM WMI Provider for User Profile"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"UninstallString" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\WSMan.Automation.1]
"(Default)" = "WSMan Automation Class"
[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"Install" = "1"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"RuntimeVersion" = "v2.0.50727"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}]
"(Default)" = "IWSManProvHost"
[HKCR\Microsoft.PowerShellModule.1]
"FriendlyTypeName" = "Windows PowerShell Script Module"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageVersion" = "1.0"
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"ServerExecutable" = "%System%\winrshost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayName" = "Windows Management Framework Core"
"InstallDate" = "20160712"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"Publisher" = "Microsoft Corporation"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"ReleaseType" = "Software Update"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\NumMethods]
"(Default)" = "4"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsDelSignature"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}]
"(Default)" = "IWSMan"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PowerShellVersion" = "2.0"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\ProgID]
"(Default)" = "WSMan.Automation.1"
[HKCR\Microsoft.PowerShellScript.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe %1"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnGroup" = ""
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}]
"(Default)" = "WSMan Automation Class"
[HKCR\Microsoft.PowerShellScript.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "IHost"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Publisher" = "Microsoft Corporation"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"(Default)" = "%System%\wsmplpxy.dll"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ApplicationBase" = "%System%\WindowsPowerShell\v1.0"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerName" = "Update.exe"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"AppID" = "{3feb2f63-0eec-4b96-84ab-da1307e0117c}"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"(Default)" = "Microsoft Windows Remote Shell Host"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageName" = "Windows Management Framework Core"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\Microsoft.PowerShellScript.1]
"FriendlyTypeName" = "Windows PowerShell Script"
[HKLM\System\CurrentControlSet\Services\WinRM]
"Description" = "Allows access to management information from local and remote machines."
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}]
"(Default)" = "IWSManSession"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"HelpLink" = "http://go.microsoft.com/fwlink/?LinkID=163790"
[HKCR\WSMan.InternalAutomation.1]
"(Default)" = "WSMan Internal Class"
[HKCR\.psm1]
"(Default)" = "Microsoft.PowerShellModule.1"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\HELPDIR]
"(Default)" = "%System%"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsVerifyHash"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell]
"ConfigXML" = ""
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsCreateHash"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"
[HKCR\WSMan.Automation]
"(Default)" = "WSMan Automation Class"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"file" = "%systemroot%\system32\config\EventForwarding-Operational.Evt"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsIsMyFileType"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"URLInfoAbout" = "http://go.microsoft.com/fwlink/?LinkID=163792"
"RegistryLocation" = " HKLM,SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\NumMethods]
"(Default)" = "4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"TypesSupported" = "7"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"SupportsCompatListeners" = "1"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "IShell"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"(Default)" = "%System%\winrmprov.dll"
[HKCR\.ps1]
"(Default)" = "Microsoft.PowerShellScript.1"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"Version" = "1.0"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ObjectName" = "NT AUTHORITY\NetworkService"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"(Default)" = "%System%\winrshost.exe"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"(Default)" = "Microsoft Windows WSMan Provider Host"
[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"PID" = "89383-100-0001260-04309"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostAssemblyName" = "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
[HKCR\.psd1]
"(Default)" = "Microsoft.PowerShellData.1"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}]
"(Default)" = "IWSManEnumerator"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"EventMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"Version" = "1.0"
The process PSCustomSetupUtil.exe:2928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 91 88 91 CE 48 CD 0C 93 6B 98 76 F4 BE E6 D8"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "D0 08 4D 8F E1 DB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "198"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "199"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "177"
"StoreChangeIDFor32BitProcesses" = "198"
The process PSCustomSetupUtil.exe:1096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 96 79 0B C1 5B 7D 80 30 46 EF 99 99 04 99 82"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "190"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL" = "66 67 F5 88 E1 DB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "191"
"StoreChangeIDFor64BitProcesses" = "169"
"StoreChangeIDFor32BitProcesses" = "190"
The process PSCustomSetupUtil.exe:3204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 F1 36 96 44 03 9D F7 98 CB 38 61 D2 8D 21 E4"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "E6 38 E6 91 E1 DB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "202"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "203"
"StoreChangeIDFor64BitProcesses" = "181"
"StoreChangeIDFor32BitProcesses" = "202"
The process PSCustomSetupUtil.exe:2336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 74 C0 E8 6D E5 F0 5E 2D 76 C0 3A E4 47 DF 08"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "193"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "8E FF 14 8B E1 DB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "194"
"StoreChangeIDFor64BitProcesses" = "172"
"StoreChangeIDFor32BitProcesses" = "193"
The process PSCustomSetupUtil.exe:2484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 92 2B C5 FD 2B 1E 9E 46 D2 7D B8 2A D8 32 12"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "E8 8E 48 8C E1 DB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "195"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "196"
"StoreChangeIDFor64BitProcesses" = "174"
"StoreChangeIDFor32BitProcesses" = "195"
The process PSCustomSetupUtil.exe:2996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B D4 9A FE BF 03 8D CB CB 5F 9A 1A 74 D5 5D 3A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "199"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "200"
"Microsoft.PowerShell.Commands.Utility.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "78 DD A2 8F E1 DB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "178"
"StoreChangeIDFor32BitProcesses" = "199"
The process PSCustomSetupUtil.exe:2856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 CF F6 A7 A5 F2 A4 2D 10 4D 91 35 2E D0 45 2E"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "EA 1F 03 8F E1 DB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "197"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "198"
"StoreChangeIDFor64BitProcesses" = "176"
"StoreChangeIDFor32BitProcesses" = "197"
The process PSCustomSetupUtil.exe:1876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 61 54 E0 F4 7F B7 17 A5 70 14 59 CC 1B F1 C5"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "188"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "F0 89 B3 87 E1 DB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "189"
"StoreChangeIDFor64BitProcesses" = "167"
"StoreChangeIDFor32BitProcesses" = "188"
The process PSCustomSetupUtil.exe:3152 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 1D EC D6 FA 91 D8 15 31 76 A7 B1 29 6A B0 97"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "58 7B 46 91 E1 DB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "201"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "202"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "180"
"StoreChangeIDFor32BitProcesses" = "201"
The process PSCustomSetupUtil.exe:2268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 62 DB 27 5D 5D 97 C4 B0 02 3F D8 3F 1E E4 C7"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL" = "AC 57 4A 8A E1 DB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "193"
"StoreChangeIDFor64BitProcesses" = "171"
"StoreChangeIDFor32BitProcesses" = "192"
The process PSCustomSetupUtil.exe:2412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 62 E6 7C 7C B3 F5 D4 9C AC A3 40 76 B2 2D E3"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "A0 94 CC 8B E1 DB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "194"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "195"
"StoreChangeIDFor64BitProcesses" = "173"
"StoreChangeIDFor32BitProcesses" = "194"
The process PSCustomSetupUtil.exe:3096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 BF B7 8C 24 DA 4E BD FF 7F FE 1C 91 9D D5 9E"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "E2 9D 04 90 E1 DB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "200"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "201"
"StoreChangeIDFor64BitProcesses" = "179"
"StoreChangeIDFor32BitProcesses" = "200"
The process PSCustomSetupUtil.exe:828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 53 33 F0 C7 98 FB 06 6B F7 A2 EC 94 75 2C 92"
[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL" = "5C 54 3C 87 E1 DB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "187"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "188"
"StoreChangeIDFor64BitProcesses" = "166"
"StoreChangeIDFor32BitProcesses" = "187"
The process PSCustomSetupUtil.exe:3308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 D3 D4 4D 3B C6 97 A5 36 0C 0F FC 9C D0 FE 32"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "18 5D 2B 92 E1 DB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "203"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "204"
"StoreChangeIDFor64BitProcesses" = "182"
"StoreChangeIDFor32BitProcesses" = "203"
The process PSCustomSetupUtil.exe:2532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 8C 3F 3E FD A5 69 8B 97 22 E2 49 BE 92 5A 9C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "196"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "197"
"System.Management.Automation.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "84 A0 20 8E E1 DB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "175"
"StoreChangeIDFor32BitProcesses" = "196"
The process PSCustomSetupUtil.exe:328 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 4E 74 50 27 72 F3 5E C2 9E 5B A6 24 02 67 EC"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "EE 7F 8C 88 E1 DB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "189"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "190"
"StoreChangeIDFor64BitProcesses" = "168"
"StoreChangeIDFor32BitProcesses" = "189"
The process PSCustomSetupUtil.exe:2160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 2A 0C 1A 49 23 B4 63 62 C7 D9 9F 57 83 DC 26"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL" = "BE BF D0 89 E1 DB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "191"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "192"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "170"
"StoreChangeIDFor32BitProcesses" = "191"
The process mscorsvw.exe:3620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB E7 03 DA 7F B4 70 A7 7C 47 DE DA 54 1D 4F D0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"
The process wsmanhttpconfig.exe:2900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE C1 BE E3 04 48 5F 79 BD C5 82 3E E3 6B FE F1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Event Forwarding Plugin]
"ConfigXML" = ""
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :47001/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"https:// :5986/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"UpdatedConfig" = "705AD653-D525-4991-8961-10D42529A8E0"
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :5985/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider]
"ConfigXML" = ""
The process wsmanhttpconfig.exe:3492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 89 29 C4 03 05 81 2B 04 8D 09 2B 82 46 E9 38"
The process %original file name%.exe:524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 64 E8 26 C7 B5 18 E1 A9 73 30 26 16 32 79 56"
The process %original file name%.exe:1612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 5E 11 4D EC F9 3D 13 A8 07 54 89 A1 E1 FD 3C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
Dropped PE files
| MD5 | File path |
|---|---|
| 85d7ab466d0577c49fc9879107ec7ef5 | c:\1a581e7121a380047c3556\compiledcomposition.microsoft.powershell.gpowershell.dll |
| 2f7fe3a781ba8c0a67c775f20e3e9f70 | c:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.dll |
| 173d3dd1425a8e33fa1d4ed71067a3a2 | c:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.interop.dll |
| 75c183e262bd4400eb0f20349f6ef383 | c:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.resources.dll |
| 08e87e8abf7b41b28663dce817ce0ab6 | c:\1a581e7121a380047c3556\microsoft.powershell.commands.diagnostics.dll |
| 4e2482e69baaf3a5b13db8101c063ebf | c:\1a581e7121a380047c3556\microsoft.powershell.commands.diagnostics.resources.dll |
| f3ac3f844f90380aab2b4c0836c4288f | c:\1a581e7121a380047c3556\microsoft.powershell.commands.management.dll |
| b87e087fc013225e2aa1cb60c080647d | c:\1a581e7121a380047c3556\microsoft.powershell.commands.management.resources.dll |
| dfeb401cc051e5da721c584ff6a90f88 | c:\1a581e7121a380047c3556\microsoft.powershell.commands.utility.dll |
| 1ce73fb3f88c716cfc3fd550547d2b35 | c:\1a581e7121a380047c3556\microsoft.powershell.commands.utility.resources.dll |
| 3991b7fa452a9c9c291c06365a236792 | c:\1a581e7121a380047c3556\microsoft.powershell.consolehost.dll |
| 36ff641f37918f2cca98e7f407ac4d75 | c:\1a581e7121a380047c3556\microsoft.powershell.consolehost.resources.dll |
| 208fa9d0ebe2ceb9616042772e96598e | c:\1a581e7121a380047c3556\microsoft.powershell.editor.dll |
| 37bed865557084dd9988350ab1675e0b | c:\1a581e7121a380047c3556\microsoft.powershell.editor.resources.dll |
| d4eefccdc3de6ced901535fa4153c491 | c:\1a581e7121a380047c3556\microsoft.powershell.gpowershell.dll |
| 108500a98b9a2f66823e7615398fc87b | c:\1a581e7121a380047c3556\microsoft.powershell.gpowershell.resources.dll |
| 3eab4dbdc290edc4d53fe77f1fdb9e59 | c:\1a581e7121a380047c3556\microsoft.powershell.graphicalhost.dll |
| 5a69fb5d686f863e0e13268d671ef16d | c:\1a581e7121a380047c3556\microsoft.powershell.graphicalhost.resources.dll |
| 53a9d748ef09920a0d06da2583c298ad | c:\1a581e7121a380047c3556\microsoft.powershell.security.dll |
| c7a0d1321a67a2afd330c5fbe79befd1 | c:\1a581e7121a380047c3556\microsoft.powershell.security.resources.dll |
| 1a4e900c2fe3cd31d10107670d184fe6 | c:\1a581e7121a380047c3556\microsoft.wsman.management.dll |
| 6372ea7d2aced7185183cf3fcdd3577b | c:\1a581e7121a380047c3556\microsoft.wsman.management.resources.dll |
| f7da27672d2e4c21a1f996ee31de0dbf | c:\1a581e7121a380047c3556\microsoft.wsman.runtime.dll |
| df4217ddb34a0b73dc7aac7829371c0c | c:\1a581e7121a380047c3556\powershell.exe |
| fe7bc06af17d7cd8fb8e6d72d72453b8 | c:\1a581e7121a380047c3556\powershell.exe.mui |
| 36b6f71b6d7d280302b348145db05a9f | c:\1a581e7121a380047c3556\powershell_ise.exe |
| cb3a534127f37d0fa1f556dbb76575d3 | c:\1a581e7121a380047c3556\powershell_ise.resources.dll |
| fc9a05096522bb6d7ceda62ea1707420 | c:\1a581e7121a380047c3556\pscustomsetuputil.exe |
| 95b7f12a557dedac5e4a1e9afa5e73ab | c:\1a581e7121a380047c3556\pspluginwkr.dll |
| 35efd8cd6549a4339cb2a28c8cfd6598 | c:\1a581e7121a380047c3556\pssetupnativeutils.exe |
| a94243b797377ba03b63fc716c13bcf5 | c:\1a581e7121a380047c3556\pwrshmsg.dll |
| 8c386819bf5b39d7a4b274d0b55f87a5 | c:\1a581e7121a380047c3556\pwrshplugin.dll |
| 7943a80f1a6fd37969aacd411b511f91 | c:\1a581e7121a380047c3556\pwrshsip.dll |
| 066f7fcca265d01a5b7eaf41ade789b1 | c:\1a581e7121a380047c3556\spmsg.dll |
| a39df582ca051afc8811fbd00db12f10 | c:\1a581e7121a380047c3556\spuninst.exe |
| 1b2c60a6d6c3833b413943862b2bfed8 | c:\1a581e7121a380047c3556\spupdsvc.exe |
| 4d8ab4fad244f7985d8c59d456e026d7 | c:\1a581e7121a380047c3556\system.management.automation.dll |
| 2286b57ecc2d32d24049c51989084268 | c:\1a581e7121a380047c3556\system.management.automation.resources.dll |
| 5d6d17b645fa91fce7f0712f3da4f297 | c:\1a581e7121a380047c3556\update\spcustom.dll |
| 50914702cb6c72275018643c557ef8c5 | c:\1a581e7121a380047c3556\update\update.exe |
| 9a055da2f2819f155c33d47cd67a7c00 | c:\1a581e7121a380047c3556\update\updspapi.dll |
| 84e025b1259c66315f4d45a6caecacc9 | c:\1a581e7121a380047c3556\wevtfwd.dll |
| cd17705af8e53a82facb545a213ab09c | c:\1a581e7121a380047c3556\winrmprov.dll |
| afdf7654880ce23005014895b129d948 | c:\1a581e7121a380047c3556\winrs.exe |
| 3e9b11880ae4a8ff399ce0573c82655b | c:\1a581e7121a380047c3556\winrscmd.dll |
| 62021e3e6ba13d72cf5cc1047cfac991 | c:\1a581e7121a380047c3556\winrshost.exe |
| b84092e52861a026fc83bcede4a7abfa | c:\1a581e7121a380047c3556\winrsmgr.dll |
| 35bc7c49676e5ab617ef94dc9854a6f1 | c:\1a581e7121a380047c3556\winrssrv.dll |
| 972916faac89c4aa978952b30f478e81 | c:\1a581e7121a380047c3556\wsmanhttpconfig.exe |
| 2c9c9ae86eb2b4e78c8e09deb7509a63 | c:\1a581e7121a380047c3556\wsmauto.dll |
| 23ce21efc2ae95700f2b1f9582fe3867 | c:\1a581e7121a380047c3556\wsmplpxy.dll |
| faa2fcc6853e5123e05dccc5919657e2 | c:\1a581e7121a380047c3556\wsmprovhost.exe |
| 67146d3606be1111a39f0fd61f47e9b6 | c:\1a581e7121a380047c3556\wsmres.dll |
| 18f347402da544a780949b8fdf83351b | c:\1a581e7121a380047c3556\wsmsvc.dll |
| 296e6992278fea7140d88b603e6c2a8a | c:\1a581e7121a380047c3556\wsmwmipl.dll |
| f6b10cd7d50f1af15aad15f437da0681 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\miqan\miqan.exe |
| 9859a26d5e72bbb0685af813b409d99d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe |
| a39df582ca051afc8811fbd00db12f10 | c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\spuninst.exe |
| 9a055da2f2819f155c33d47cd67a7c00 | c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\updspapi.dll |
| 2f7fe3a781ba8c0a67c775f20e3e9f70 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.BackgroundIntelligentTransfer.Management.dll |
| 75c183e262bd4400eb0f20349f6ef383 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll |
| 08e87e8abf7b41b28663dce817ce0ab6 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Diagnostics.dll |
| 4e2482e69baaf3a5b13db8101c063ebf | c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Diagnostics.resources.dll |
| f3ac3f844f90380aab2b4c0836c4288f | c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Management.dll |
| b87e087fc013225e2aa1cb60c080647d | c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Management.resources.dll |
| dfeb401cc051e5da721c584ff6a90f88 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Utility.dll |
| 1ce73fb3f88c716cfc3fd550547d2b35 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Utility.resources.dll |
| 3991b7fa452a9c9c291c06365a236792 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll |
| 36ff641f37918f2cca98e7f407ac4d75 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.resources.dll |
| 53a9d748ef09920a0d06da2583c298ad | c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.Security.dll |
| c7a0d1321a67a2afd330c5fbe79befd1 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.Security.resources.dll |
| 6372ea7d2aced7185183cf3fcdd3577b | c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.WSMan.Management.Resources.dll |
| 1a4e900c2fe3cd31d10107670d184fe6 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.WSMan.Management.dll |
| f7da27672d2e4c21a1f996ee31de0dbf | c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.WSMan.Runtime.dll |
| 4d8ab4fad244f7985d8c59d456e026d7 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\System.Management.Automation.dll |
| 2286b57ecc2d32d24049c51989084268 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\System.Management.Automation.resources.dll |
| df4217ddb34a0b73dc7aac7829371c0c | c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe |
| fe7bc06af17d7cd8fb8e6d72d72453b8 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe.mui |
| 95b7f12a557dedac5e4a1e9afa5e73ab | c:\WINDOWS\system32\WindowsPowerShell\v1.0\pspluginwkr.dll |
| a94243b797377ba03b63fc716c13bcf5 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshmsg.dll |
| 7943a80f1a6fd37969aacd411b511f91 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshsip.dll |
| 2c9c9ae86eb2b4e78c8e09deb7509a63 | c:\WINDOWS\system32\WsmAuto.dll |
| 67146d3606be1111a39f0fd61f47e9b6 | c:\WINDOWS\system32\WsmRes.dll |
| 18f347402da544a780949b8fdf83351b | c:\WINDOWS\system32\WsmSvc.dll |
| 296e6992278fea7140d88b603e6c2a8a | c:\WINDOWS\system32\WsmWmiPl.dll |
| 84e025b1259c66315f4d45a6caecacc9 | c:\WINDOWS\system32\wevtfwd.dll |
| cd17705af8e53a82facb545a213ab09c | c:\WINDOWS\system32\winrmprov.dll |
| afdf7654880ce23005014895b129d948 | c:\WINDOWS\system32\winrs.exe |
| 3e9b11880ae4a8ff399ce0573c82655b | c:\WINDOWS\system32\winrscmd.dll |
| 62021e3e6ba13d72cf5cc1047cfac991 | c:\WINDOWS\system32\winrshost.exe |
| b84092e52861a026fc83bcede4a7abfa | c:\WINDOWS\system32\winrsmgr.dll |
| 35bc7c49676e5ab617ef94dc9854a6f1 | c:\WINDOWS\system32\winrssrv.dll |
| 972916faac89c4aa978952b30f478e81 | c:\WINDOWS\system32\wsmanhttpconfig.exe |
| 23ce21efc2ae95700f2b1f9582fe3867 | c:\WINDOWS\system32\wsmplpxy.dll |
| faa2fcc6853e5123e05dccc5919657e2 | c:\WINDOWS\system32\wsmprovhost.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
mofcomp.exe:4092
WindowsXP-KB968930-x86-ENG.exe:900
ngen.exe:3760
ngen.exe:3984
ngen.exe:3616
ngen.exe:1932
ngen.exe:3940
ngen.exe:4004
ngen.exe:3744
ngen.exe:3908
ngen.exe:3800
ngen.exe:3840
ngen.exe:4064
ngen.exe:3892
ngen.exe:2072
ngen.exe:1144
ngen.exe:1232
PSCustomSetupUtil.exe:2928
PSCustomSetupUtil.exe:1096
PSCustomSetupUtil.exe:3204
PSCustomSetupUtil.exe:2336
PSCustomSetupUtil.exe:2484
PSCustomSetupUtil.exe:2996
PSCustomSetupUtil.exe:2856
PSCustomSetupUtil.exe:1876
PSCustomSetupUtil.exe:3152
PSCustomSetupUtil.exe:2268
PSCustomSetupUtil.exe:2412
PSCustomSetupUtil.exe:3096
PSCustomSetupUtil.exe:828
PSCustomSetupUtil.exe:3308
PSCustomSetupUtil.exe:2532
PSCustomSetupUtil.exe:328
PSCustomSetupUtil.exe:2160
wsmanhttpconfig.exe:2900
wsmanhttpconfig.exe:3492
%original file name%.exe:524
%original file name%.exe:1612 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\wbem\Logs\mofcomp.log (1068 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
C:\1a581e7121a380047c3556\wsmtxt.xsl (2 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\1a581e7121a380047c3556\registry.format.ps1xml (20 bytes)
C:\1a581e7121a380047c3556\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\1a581e7121a380047c3556\about_logical_operators.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_functions.help.txt (586 bytes)
C:\1a581e7121a380047c3556\winrmprov.mof (789 bytes)
C:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\1a581e7121a380047c3556\about_comparison_operators.help.txt (11 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.security.dll (1145 bytes)
C:\1a581e7121a380047c3556\diagnostics.format.ps1xml (590 bytes)
C:\1a581e7121a380047c3556\about_types.ps1xml.help.txt (481 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.editor.dll (14450 bytes)
C:\1a581e7121a380047c3556\about_language_keywords.help.txt (11 bytes)
C:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\1a581e7121a380047c3556\powershellcore.format.ps1xml (1492 bytes)
C:\1a581e7121a380047c3556\about_preference_variables.help.txt (37 bytes)
C:\1a581e7121a380047c3556\about_functions_advanced_methods.help.txt (9 bytes)
C:\1a581e7121a380047c3556\wsmplpxy.dll (603 bytes)
C:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
C:\1a581e7121a380047c3556\winrs.exe (1154 bytes)
C:\1a581e7121a380047c3556\wtrinstaller.ico (4803 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\1a581e7121a380047c3556\about_break.help.txt (792 bytes)
C:\1a581e7121a380047c3556\about_hash_tables.help.txt (6 bytes)
C:\1a581e7121a380047c3556\about_command_precedence.help.txt (8 bytes)
C:\1a581e7121a380047c3556\about_debuggers.help.txt (21 bytes)
C:\1a581e7121a380047c3556\about_wmi_cmdlets.help.txt (8 bytes)
C:\1a581e7121a380047c3556\about_requires.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_parameters.help.txt (9 bytes)
C:\1a581e7121a380047c3556\wsmanhttpconfig.exe (3009 bytes)
C:\1a581e7121a380047c3556\about_trap.help.txt (10 bytes)
C:\1a581e7121a380047c3556\winrm.ini (1956 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\1a581e7121a380047c3556\about_job_details.help.txt (824 bytes)
C:\1a581e7121a380047c3556\windowspowershellhelp.chm (26041 bytes)
C:\1a581e7121a380047c3556\about_transactions.help.txt (1011 bytes)
C:\1a581e7121a380047c3556\about_path_syntax.help.txt (5 bytes)
C:\1a581e7121a380047c3556\getevent.types.ps1xml (15 bytes)
C:\1a581e7121a380047c3556\wsmprovhost.exe (657 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\1a581e7121a380047c3556\about_profiles.help.txt (457 bytes)
C:\1a581e7121a380047c3556\about_regular_expressions.help.txt (5 bytes)
C:\1a581e7121a380047c3556\about_prompts.help.txt (7 bytes)
C:\1a581e7121a380047c3556\spupdsvc.exe (287 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\1a581e7121a380047c3556\wsmsvc.dll (15909 bytes)
C:\1a581e7121a380047c3556\system.management.automation.dll-help.xml (16567 bytes)
C:\1a581e7121a380047c3556\update\update.ver (14 bytes)
C:\1a581e7121a380047c3556\winrssrv.dll (12 bytes)
C:\1a581e7121a380047c3556\about_assignment_operators.help.txt (379 bytes)
C:\1a581e7121a380047c3556\pwrshsip.dll (24 bytes)
C:\1a581e7121a380047c3556\about_format.ps1xml.help.txt (17 bytes)
C:\1a581e7121a380047c3556\about_while.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_command_syntax.help.txt (5 bytes)
C:\1a581e7121a380047c3556\wsmauto.mof (4 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\1a581e7121a380047c3556\spmsg.dll (495 bytes)
C:\1a581e7121a380047c3556\about_type_operators.help.txt (5 bytes)
C:\1a581e7121a380047c3556\eventforwarding.adm (2 bytes)
C:\1a581e7121a380047c3556\about_functions_advanced.help.txt (3 bytes)
C:\1a581e7121a380047c3556\about_if.help.txt (3 bytes)
C:\1a581e7121a380047c3556\powershelltrace.format.ps1xml (344 bytes)
C:\1a581e7121a380047c3556\microsoft.wsman.runtime.dll (33 bytes)
C:\1a581e7121a380047c3556\spuninst.exe (3787 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.editor.resources.dll (562 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\1a581e7121a380047c3556\about_remote_output.help.txt (887 bytes)
C:\1a581e7121a380047c3556\about_switch.help.txt (489 bytes)
C:\1a581e7121a380047c3556\about_eventlogs.help.txt (5 bytes)
C:\1a581e7121a380047c3556\about_arithmetic_operators.help.txt (168 bytes)
C:\1a581e7121a380047c3556\about_remote_requirements.help.txt (6 bytes)
C:\1a581e7121a380047c3556\about_script_internationalization.help.txt (9 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\1a581e7121a380047c3556\about_aliases.help.txt (6 bytes)
C:\1a581e7121a380047c3556\winrm.vbs (2727 bytes)
C:\1a581e7121a380047c3556\pscustomsetuputil.exe (316 bytes)
C:\1a581e7121a380047c3556\update\eula.txt (586 bytes)
C:\1a581e7121a380047c3556\default.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_windows_powershell_ise.help.txt (6 bytes)
C:\1a581e7121a380047c3556\about_history.help.txt (3 bytes)
C:\1a581e7121a380047c3556\pssetupnativeutils.exe (9 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\1a581e7121a380047c3556\update\kb968930xp.cat (512 bytes)
C:\1a581e7121a380047c3556\windowsremotemanagement.adm (574 bytes)
C:\1a581e7121a380047c3556\bitstransfer.psd1 (950 bytes)
C:\1a581e7121a380047c3556\about_join.help.txt (2 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\1a581e7121a380047c3556\about_operators.help.txt (770 bytes)
C:\1a581e7121a380047c3556\about_scripts.help.txt (12 bytes)
C:\1a581e7121a380047c3556\wsmres.dll (6164 bytes)
C:\1a581e7121a380047c3556\about_throw.help.txt (5 bytes)
C:\1a581e7121a380047c3556\about_remote.help.txt (7 bytes)
C:\1a581e7121a380047c3556\about_signing.help.txt (12 bytes)
C:\1a581e7121a380047c3556\about_quoting_rules.help.txt (659 bytes)
C:\1a581e7121a380047c3556\about_script_blocks.help.txt (3 bytes)
C:\1a581e7121a380047c3556\winrshost.exe (22 bytes)
C:\1a581e7121a380047c3556\dotnettypes.format.ps1xml (266 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.management.dll (3386 bytes)
C:\1a581e7121a380047c3556\about_remote_troubleshooting.help.txt (146 bytes)
C:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\1a581e7121a380047c3556\about_jobs.help.txt (12 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\1a581e7121a380047c3556\wsmpty.xsl (1 bytes)
C:\1a581e7121a380047c3556\about_escape_characters.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_return.help.txt (3 bytes)
C:\1a581e7121a380047c3556\about_session_configurations.help.txt (276 bytes)
C:\1a581e7121a380047c3556\winrsmgr.dll (2 bytes)
C:\1a581e7121a380047c3556\about_split.help.txt (10 bytes)
C:\1a581e7121a380047c3556\update\spcustom.dll (23 bytes)
C:\1a581e7121a380047c3556\about_foreach.help.txt (10 bytes)
C:\1a581e7121a380047c3556\about_core_commands.help.txt (221 bytes)
C:\1a581e7121a380047c3556\about_variables.help.txt (6 bytes)
C:\1a581e7121a380047c3556\bitstransfer.format.ps1xml (16 bytes)
C:\1a581e7121a380047c3556\about_execution_policies.help.txt (13 bytes)
C:\1a581e7121a380047c3556\profile.ps1 (772 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\1a581e7121a380047c3556\about_reserved_words.help.txt (1 bytes)
C:\1a581e7121a380047c3556\about_ref.help.txt (1 bytes)
C:\1a581e7121a380047c3556\about_wildcards.help.txt (3 bytes)
C:\1a581e7121a380047c3556\about_continue.help.txt (1 bytes)
C:\1a581e7121a380047c3556\winrm.cmd (35 bytes)
C:\1a581e7121a380047c3556\about_redirection.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_locations.help.txt (794 bytes)
C:\1a581e7121a380047c3556\about_bits_cmdlets.help.txt (7 bytes)
C:\1a581e7121a380047c3556\wsmwmipl.dll (2816 bytes)
C:\1a581e7121a380047c3556\about_ws-management_cmdlets.help.txt (405 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\1a581e7121a380047c3556\powershell.exe.mui (10 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.security.resources.dll (9 bytes)
C:\1a581e7121a380047c3556\about_pssession_details.help.txt (9 bytes)
C:\1a581e7121a380047c3556\certificate.format.ps1xml (155 bytes)
C:\1a581e7121a380047c3556\filesystem.format.ps1xml (133 bytes)
C:\1a581e7121a380047c3556\about_windows_powershell_2.0.help.txt (453 bytes)
C:\1a581e7121a380047c3556\winrmprov.dll (591 bytes)
C:\1a581e7121a380047c3556\about_parsing.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_automatic_variables.help.txt (14 bytes)
C:\1a581e7121a380047c3556\windowsremoteshell.adm (12 bytes)
C:\1a581e7121a380047c3556\wsman.format.ps1xml (837 bytes)
C:\1a581e7121a380047c3556\about_scopes.help.txt (76 bytes)
C:\1a581e7121a380047c3556\about_pipelines.help.txt (411 bytes)
C:\1a581e7121a380047c3556\$shtdwn$.req (788 bytes)
C:\1a581e7121a380047c3556\about_comment_based_help.help.txt (595 bytes)
C:\1a581e7121a380047c3556\powershell_ise.resources.dll (4 bytes)
C:\1a581e7121a380047c3556\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\1a581e7121a380047c3556\update\update.inf (2457 bytes)
C:\1a581e7121a380047c3556\about_line_editing.help.txt (1 bytes)
C:\1a581e7121a380047c3556\about_remote_faq.help.txt (775 bytes)
C:\1a581e7121a380047c3556\update\update.exe (10748 bytes)
C:\1a581e7121a380047c3556\about_pssnapins.help.txt (6 bytes)
C:\1a581e7121a380047c3556\pspluginwkr.dll (1756 bytes)
C:\1a581e7121a380047c3556\microsoft.wsman.management.resources.dll (13 bytes)
C:\1a581e7121a380047c3556\system.management.automation.resources.dll (3153 bytes)
C:\1a581e7121a380047c3556\powershell_ise.exe (2526 bytes)
C:\1a581e7121a380047c3556\about_environment_variables.help.txt (417 bytes)
C:\1a581e7121a380047c3556\about_do.help.txt (2 bytes)
C:\1a581e7121a380047c3556\pwrshplugin.dll (802 bytes)
C:\1a581e7121a380047c3556\about_providers.help.txt (59 bytes)
C:\1a581e7121a380047c3556\update\updspapi.dll (5940 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\1a581e7121a380047c3556\about_functions_advanced_parameters.help.txt (962 bytes)
C:\1a581e7121a380047c3556\about_modules.help.txt (13 bytes)
C:\1a581e7121a380047c3556\about_pssessions.help.txt (9 bytes)
C:\1a581e7121a380047c3556\winrscmd.dll (2907 bytes)
C:\1a581e7121a380047c3556\about_commonparameters.help.txt (12 bytes)
C:\1a581e7121a380047c3556\about_remote_jobs.help.txt (13 bytes)
C:\1a581e7121a380047c3556\about_properties.help.txt (7 bytes)
C:\1a581e7121a380047c3556\about_data_sections.help.txt (5 bytes)
C:\1a581e7121a380047c3556\about_try_catch_finally.help.txt (7 bytes)
C:\1a581e7121a380047c3556\wsmauto.dll (1842 bytes)
C:\1a581e7121a380047c3556\importallmodules.psd1 (438 bytes)
C:\1a581e7121a380047c3556\about_arrays.help.txt (8 bytes)
C:\1a581e7121a380047c3556\help.format.ps1xml (3947 bytes)
C:\1a581e7121a380047c3556\about_for.help.txt (146 bytes)
C:\1a581e7121a380047c3556\about_methods.help.txt (6 bytes)
C:\1a581e7121a380047c3556\about_special_characters.help.txt (3 bytes)
C:\1a581e7121a380047c3556\pwrshmsg.dll (4 bytes)
C:\1a581e7121a380047c3556\wevtfwd.dll (3351 bytes)
C:\1a581e7121a380047c3556\about_objects.help.txt (2 bytes)
C:\1a581e7121a380047c3556\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\1a581e7121a380047c3556\types.ps1xml (2510 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1220 bytes)
%System%\SETBF.tmp (42 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (7641 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%System%\config\SYSTEM.LOG (6201 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (3198 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1579 bytes)
%WinDir%\inf\oem11.PNF (10040 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (220274 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%WinDir%\inf\oem11.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)
%WinDir%\assembly\tmp\7Y38EJOT\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\SKPUZ49F\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
%WinDir%\assembly\tmp\KBGLQW16\Microsoft.WSMan.Management.resources.dll (13 bytes)
%WinDir%\assembly\tmp\H8EJOTY3\Microsoft.WSMan.Runtime.dll (7 bytes)
%WinDir%\assembly\tmp\LDINSW15\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
%WinDir%\assembly\tmp\7Y38DINT\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\KMSX27CH\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\OFKPV17C\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
%WinDir%\assembly\tmp\XOTY37CG\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
%WinDir%\assembly\tmp\DBHNSX38\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
%WinDir%\assembly\tmp\RJPUZ49E\Microsoft.WSMan.Management.dll (9608 bytes)
%WinDir%\assembly\tmp\ZQV05AFK\Microsoft.PowerShell.Security.resources.dll (9 bytes)
%WinDir%\assembly\tmp\KBGLQV05\System.Management.Automation.dll (81046 bytes)
%WinDir%\assembly\tmp\SJOTY38D\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
%WinDir%\assembly\tmp\MEJPUZ49\System.Management.Automation.resources.dll (9320 bytes)
%WinDir%\assembly\tmp\E6BGMRW1\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
%WinDir%\assembly\tmp\5W16BGLQ\Microsoft.PowerShell.Security.dll (2392 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startupx\system.pif (2105 bytes) - Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 34713 | 36864 | 4.40206 | 6db25a3f1fdb74aab3deb24026d0466a |
| .rdata | 40960 | 8410 | 12288 | 2.55633 | ab1740cf996f89e12b73d11b0cdecb25 |
| .data | 53248 | 10460609 | 24576 | 1.01396 | 156abe12512051ed72f706c052049be3 |
| .rsrc | 10514432 | 246384 | 249856 | 5.51269 | adc84c147f55008d94134d61b06d2ae4 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
f7fb14f51fe992947fcdf83221ef22e6
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
svchost.exe_168:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
PSAPI.dll
setcpu:
setcpu:
:setcpu
:setcpu
HTTP/1.1
HTTP/1.1
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
psapi.dll
psapi.dll
"svchost.exe"
"svchost.exe"
svchost.exe
svchost.exe
ole32.dll
ole32.dll
Kernel32.dll
Kernel32.dll
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
hXXp://
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
GetCPInfo
GetCPInfo
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
atl.dll
atl.dll
wsock32.dll
wsock32.dll
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
winmm.dll
winmm.dll
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
:!:%:):-:1:
:!:%:):-:1:
?:???_?}?
?:???_?}?
4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc
4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc
.Default
.Default
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
svchost.exe
svchost.exe
explorer.exe
explorer.exe
66006666
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
External exception %x
Interface not supported
Interface not supported
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
Invalid variant operation"Variant method calls not supported
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
c:\%original file name%.exe path>path
c:\%original file name%.exe path>path
svchost.exe_168_rwx_00090000_000B2000:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
PSAPI.dll
setcpu:
setcpu:
:setcpu
:setcpu
HTTP/1.1
HTTP/1.1
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
psapi.dll
psapi.dll
"svchost.exe"
"svchost.exe"
svchost.exe
svchost.exe
ole32.dll
ole32.dll
Kernel32.dll
Kernel32.dll
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
hXXp://
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
GetCPInfo
GetCPInfo
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
atl.dll
atl.dll
wsock32.dll
wsock32.dll
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
winmm.dll
winmm.dll
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
:!:%:):-:1:
:!:%:):-:1:
?:???_?}?
?:???_?}?
4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc
4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc
.Default
.Default
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
svchost.exe
svchost.exe
explorer.exe
explorer.exe
66006666
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
External exception %x
Interface not supported
Interface not supported
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
Invalid variant operation"Variant method calls not supported
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
c:\%original file name%.exe path>path
c:\%original file name%.exe path>path
svchost.exe_168_rwx_01000000_00006000:
.text
.text
`.data
`.data
.rsrc
.rsrc
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
RPCRT4.dll
RPCRT4.dll
NETAPI32.dll
NETAPI32.dll
ole32.dll
ole32.dll
ntdll.dll
ntdll.dll
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
GetProcessHeap
GetProcessHeap
NtOpenKey
NtOpenKey
svchost.pdb
svchost.pdb
\PIPE\
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
svchost.exe
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
svchost.exe_272:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
PSAPI.dll
setcpu:
setcpu:
:setcpu
:setcpu
HTTP/1.1
HTTP/1.1
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
psapi.dll
psapi.dll
"svchost.exe"
"svchost.exe"
svchost.exe
svchost.exe
ole32.dll
ole32.dll
Kernel32.dll
Kernel32.dll
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
hXXp://
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
GetCPInfo
GetCPInfo
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
atl.dll
atl.dll
wsock32.dll
wsock32.dll
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
winmm.dll
winmm.dll
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
:!:%:):-:1:
:!:%:):-:1:
?:???_?}?
?:???_?}?
4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD5
4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD5
.Default
.Default
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
svchost.exe
svchost.exe
explorer.exe
explorer.exe
66006666
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
External exception %x
Interface not supported
Interface not supported
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
Invalid variant operation"Variant method calls not supported
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
svchost.exe_372:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
PSAPI.dll
setcpu:
setcpu:
:setcpu
:setcpu
HTTP/1.1
HTTP/1.1
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
psapi.dll
psapi.dll
"svchost.exe"
"svchost.exe"
svchost.exe
svchost.exe
ole32.dll
ole32.dll
Kernel32.dll
Kernel32.dll
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
hXXp://
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
GetCPInfo
GetCPInfo
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
atl.dll
atl.dll
wsock32.dll
wsock32.dll
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
winmm.dll
winmm.dll
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
:!:%:):-:1:
:!:%:):-:1:
?:???_?}?
?:???_?}?
4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD2
4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD2
.Default
.Default
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
svchost.exe
svchost.exe
explorer.exe
explorer.exe
66006666
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
External exception %x
Interface not supported
Interface not supported
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
Invalid variant operation"Variant method calls not supported
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
svchost.exe_272_rwx_00080000_000B2000:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i