Skip to main content

Trojan.Generic.14726540_221d95d13d


HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.14726540 (B) (Emsisoft), Trojan.Generic.14726540 (AdAware), Backdoor.Win32.Farfli.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 221d95d13d1a8eb1b00832f7bf8bffad

SHA1: 005c7ee4f8727344254e80218ece56a865eb9cb1

SHA256: 01a6a30b3012180a9a5748653fc5daa570d9f2b4468317753f5bacf9358c891d

SSDeep: 12288:c5V0Qai0CVAxr0eaDVJQOYeT8ZxNdm02wP2aj 7QH6rGbiW:aai0CVKEVVFT8Z/00vP2aEY6qN

Size: 548401 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2013-06-05 15:27:11

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

mofcomp.exe:2548
WindowsXP-KB968930-x86-ENG.exe:372
ngen.exe:3920
ngen.exe:3928
ngen.exe:3492
ngen.exe:3416
ngen.exe:3556
ngen.exe:3456
ngen.exe:3380
ngen.exe:3516
ngen.exe:3572
ngen.exe:3580
ngen.exe:3912
ngen.exe:3936
ngen.exe:3524
ngen.exe:3404
ngen.exe:3880
ngen.exe:3508
ngen.exe:3464
ngen.exe:3448
ngen.exe:3564
ngen.exe:3500
ngen.exe:3548
ngen.exe:3888
ngen.exe:3424
%original file name%.exe:1328
update.exe:352
PSCustomSetupUtil.exe:3592
PSCustomSetupUtil.exe:2596
PSCustomSetupUtil.exe:2848
PSCustomSetupUtil.exe:3804
PSCustomSetupUtil.exe:2636
PSCustomSetupUtil.exe:3140
PSCustomSetupUtil.exe:3000
PSCustomSetupUtil.exe:3064
PSCustomSetupUtil.exe:3040
PSCustomSetupUtil.exe:3652
PSCustomSetupUtil.exe:2784
PSCustomSetupUtil.exe:2744
PSCustomSetupUtil.exe:2872
PSCustomSetupUtil.exe:2912
PSCustomSetupUtil.exe:3764
PSCustomSetupUtil.exe:2720
PSCustomSetupUtil.exe:2936
PSCustomSetupUtil.exe:3608
PSCustomSetupUtil.exe:3624
PSCustomSetupUtil.exe:3740
PSCustomSetupUtil.exe:2976
PSCustomSetupUtil.exe:3704
PSCustomSetupUtil.exe:3680
PSCustomSetupUtil.exe:2572
PSCustomSetupUtil.exe:3092
PSCustomSetupUtil.exe:2696
PSSetupNativeUtils.exe:4036
mscorsvw.exe:2860
mscorsvw.exe:2732
mscorsvw.exe:2920
mscorsvw.exe:3004
mscorsvw.exe:2192
mscorsvw.exe:3168
mscorsvw.exe:2800
mscorsvw.exe:3304
mscorsvw.exe:2136
mscorsvw.exe:3128
mscorsvw.exe:2988
mscorsvw.exe:2304
mscorsvw.exe:3388
mscorsvw.exe:2248
mscorsvw.exe:1296
mscorsvw.exe:588
mscorsvw.exe:3072
mscorsvw.exe:3528
mscorsvw.exe:1880
mscorsvw.exe:1644
mscorsvw.exe:844
mscorsvw.exe:2336
mscorsvw.exe:3220
mscorsvw.exe:2068
mscorsvw.exe:2512
wsmanhttpconfig.exe:2512
wsmanhttpconfig.exe:2452

The Trojan injects its code into the following process(es):

svchost.exe:1392
svchost.exe:592

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process mofcomp.exe:2548 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (0 bytes)

The process WindowsXP-KB968930-x86-ENG.exe:372 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\f6ff9a417a3a9051be1120c02a4790\pscustomsetuputil.exe (316 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_trap.help.txt (10 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_script_internationalization.help.txt (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\profile.ps1 (772 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_parsing.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_scopes.help.txt (76 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions_advanced_parameters.help.txt (962 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\system.management.automation.dll-help.xml (16567 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_requires.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.editor.dll (14450 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_bits_cmdlets.help.txt (7 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell_ise.exe (2526 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\kb968930xp.cat (512 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_automatic_variables.help.txt (14 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\help.format.ps1xml (3947 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_hash_tables.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_output.help.txt (887 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pssetupnativeutils.exe (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pwrshmsg.dll (4 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\$shtdwn$.req (788 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pssession_details.help.txt (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmres.dll (6164 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_while.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmpty.xsl (1 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.consolehost.dll (3118 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrshost.exe (22 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pssnapins.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_format.ps1xml.help.txt (17 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_job_details.help.txt (824 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrmprov.mof (789 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\diagnostics.format.ps1xml (590 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.management.dll (3386 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_if.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershellcore.format.ps1xml (1492 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_type_operators.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_line_editing.help.txt (1 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_faq.help.txt (775 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrs.exe (1154 bytes)
C:\$Directory (800 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_debuggers.help.txt (21 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmanhttpconfig.exe (3009 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_eventlogs.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_providers.help.txt (59 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\eula.txt (586 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_windows_powershell_2.0.help.txt (453 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\bitstransfer.format.ps1xml (16 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_switch.help.txt (489 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_preference_variables.help.txt (37 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_foreach.help.txt (10 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_aliases.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_arithmetic_operators.help.txt (168 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\windowspowershellhelp.chm (26041 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_redirection.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_arrays.help.txt (8 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_parameters.help.txt (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\bitstransfer.psd1 (950 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_methods.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmprovhost.exe (657 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote.help.txt (7 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\certificate.format.ps1xml (155 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_for.help.txt (146 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_history.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\importallmodules.psd1 (438 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_objects.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.security.resources.dll (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\windowsremoteshell.adm (12 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmsvc.dll (15909 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions.help.txt (586 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_ws-management_cmdlets.help.txt (405 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\update.ver (14 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrmprov.dll (591 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\spupdsvc.exe (287 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_assignment_operators.help.txt (379 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pwrshsip.dll (24 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsman.format.ps1xml (837 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_signing.help.txt (12 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_join.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\registry.format.ps1xml (20 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\update.exe (10748 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmauto.mof (4 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\spmsg.dll (495 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_try_catch_finally.help.txt (7 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_split.help.txt (10 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\spuninst.exe (3787 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.editor.resources.dll (562 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\update.inf (2457 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershelltrace.format.ps1xml (344 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_jobs.help.txt (12 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.runtime.dll (33 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_data_sections.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell.exe (7339 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_core_commands.help.txt (221 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_prompts.help.txt (7 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_variables.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_reserved_words.help.txt (1 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrm.vbs (2727 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_wildcards.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_continue.help.txt (1 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_locations.help.txt (794 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\updspapi.dll (5940 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_transactions.help.txt (1011 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_quoting_rules.help.txt (659 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_wmi_cmdlets.help.txt (8 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.security.dll (1145 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell.exe.mui (10 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_comment_based_help.help.txt (595 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\windowsremotemanagement.adm (574 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_profiles.help.txt (457 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrm.ini (1956 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_regular_expressions.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wevtfwd.dll (3351 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.management.dll (5010 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_do.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmtxt.xsl (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions_advanced.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell_ise.resources.dll (4 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrscmd.dll (2907 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\dotnettypes.format.ps1xml (266 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_command_syntax.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_break.help.txt (792 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_execution_policies.help.txt (13 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pssessions.help.txt (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wtrinstaller.ico (4803 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions_advanced_methods.help.txt (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_properties.help.txt (7 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update (4 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_commonparameters.help.txt (12 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmplpxy.dll (603 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_command_precedence.help.txt (8 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrsmgr.dll (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_modules.help.txt (13 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmauto.dll (1842 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_session_configurations.help.txt (276 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_escape_characters.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_troubleshooting.help.txt (146 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_jobs.help.txt (13 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pspluginwkr.dll (1756 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrm.cmd (35 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\getevent.types.ps1xml (15 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_ref.help.txt (1 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\types.ps1xml (2510 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\filesystem.format.ps1xml (133 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmwmipl.dll (2816 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_comparison_operators.help.txt (11 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\default.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_logical_operators.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_scripts.help.txt (12 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_special_characters.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_environment_variables.help.txt (417 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_operators.help.txt (770 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_types.ps1xml.help.txt (481 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_windows_powershell_ise.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_throw.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_language_keywords.help.txt (11 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_path_syntax.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrssrv.dll (12 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_script_blocks.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pipelines.help.txt (411 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.management.resources.dll (13 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pwrshplugin.dll (802 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_return.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\eventforwarding.adm (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\spcustom.dll (23 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_requirements.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\system.management.automation.dll (38414 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\system.management.automation.resources.dll (3153 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)

The Trojan deletes the following file(s):

C:\f6ff9a417a3a9051be1120c02a4790\about_functions_advanced_parameters.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_trap.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_script_internationalization.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\profile.ps1 (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_parsing.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_command_syntax.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pscustomsetuputil.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.gpowershell.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.utility.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\eula.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_requires.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.gpowershell.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_assignment_operators.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_bits_cmdlets.help.txt (0 bytes)
C:\_529390_ (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_redirection.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\kb968930xp.cat (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_automatic_variables.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\help.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_core_commands.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pssessions.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pwrshmsg.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\filesystem.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\compiledcomposition.microsoft.powershell.gpowershell.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pssession_details.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmres.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_while.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmpty.xsl (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_logical_operators.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.consolehost.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrshost.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pssnapins.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_format.ps1xml.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_job_details.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\system.management.automation.dll-help.xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\diagnostics.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_reserved_words.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.management.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_if.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershellcore.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_type_operators.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_line_editing.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_faq.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrs.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.interop.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_debuggers.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_output.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_eventlogs.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_providers.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_execution_policies.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_switch.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_preference_variables.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_foreach.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.consolehost.dll-help.xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_troubleshooting.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_jobs.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions_cmdletbindingattribute.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\windowspowershellhelp.chm (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.consolehost.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_language_keywords.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\bitstransfer.psd1 (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_methods.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmprovhost.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\certificate.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_for.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_history.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\importallmodules.psd1 (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_objects.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.diagnostics.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.security.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\windowsremoteshell.adm (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmsvc.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_parameters.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_environment_variables.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\update.ver (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrmprov.mof (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\spupdsvc.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.editor.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pwrshsip.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_operators.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_signing.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_join.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.utility.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\registry.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_windows_powershell_ise.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_commonparameters.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\spmsg.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_try_catch_finally.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_split.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.security.dll-help.xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\spuninst.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.management.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.editor.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\update.inf (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershelltrace.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_jobs.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsman.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell_ise.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_data_sections.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmanhttpconfig.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_hash_tables.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_variables.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.management.dll-help.xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrm.vbs (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.utility.dll-help.xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_wildcards.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_continue.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_comment_based_help.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\updspapi.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_transactions.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_quoting_rules.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_wmi_cmdlets.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.security.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell.exe.mui (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_locations.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\windowsremotemanagement.adm (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_profiles.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrm.ini (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_regular_expressions.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wevtfwd.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.diagnostics.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.management.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_do.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmtxt.xsl (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions_advanced.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pipelines.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrscmd.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\dotnettypes.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_scopes.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.management.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\bitstransfer.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pssetupnativeutils.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.management.dll-help.xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wtrinstaller.ico (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions_advanced_methods.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.graphicalhost.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_properties.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmwmipl.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmauto.mof (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmplpxy.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_command_precedence.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrsmgr.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_modules.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmauto.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_session_configurations.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_escape_characters.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_aliases.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_arithmetic_operators.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pspluginwkr.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrmprov.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrm.cmd (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\getevent.types.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_ref.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.graphicalhost.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\types.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.dll-help.xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_windows_powershell_2.0.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_comparison_operators.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\default.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_prompts.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_scripts.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_special_characters.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790 (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_ws-management_cmdlets.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.diagnostics.dll-help.xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_types.ps1xml.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\update.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_throw.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_arrays.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_path_syntax.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrssrv.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_script_blocks.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell_ise.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_break.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pwrshplugin.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_return.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\eventforwarding.adm (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\spcustom.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_requirements.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\system.management.automation.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\system.management.automation.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.runtime.dll (0 bytes)

The process ngen.exe:3920 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1106 bytes)

The process ngen.exe:3928 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1428 bytes)

The process ngen.exe:3492 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (772 bytes)

The process ngen.exe:3416 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1220 bytes)

The process ngen.exe:3556 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (800 bytes)

The process ngen.exe:3456 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1186 bytes)

The process ngen.exe:3380 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (596 bytes)

The process ngen.exe:3516 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (770 bytes)

The process ngen.exe:3572 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (474 bytes)

The process ngen.exe:3580 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (826 bytes)

The process ngen.exe:3912 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (784 bytes)

The process ngen.exe:3936 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (746 bytes)

The process ngen.exe:3524 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1114 bytes)

The process ngen.exe:3404 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (896 bytes)

The process ngen.exe:3880 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1184 bytes)

The process ngen.exe:3508 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1450 bytes)

The process ngen.exe:3464 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (494 bytes)

The process ngen.exe:3448 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (866 bytes)

The process ngen.exe:3564 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1140 bytes)

The process ngen.exe:3500 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1104 bytes)

The process ngen.exe:3548 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (468 bytes)

The process ngen.exe:3888 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (486 bytes)

The process ngen.exe:3424 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (554 bytes)

The process update.exe:352 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\SETBF.tmp (42 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%WinDir%\inf\oem10.PNF (10136 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%WinDir%\msmqinst.log (5468 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (7577 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\config (200 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (5372 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%WinDir%\SECD0.tmp (1897 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%WinDir%\imsins.log (3792 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1031 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%WinDir%\iis6.log (138839 bytes)
%WinDir%\comsetup.log (48640 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (246954 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%WinDir%\ntdtcsetup.log (22991 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%WinDir%\ocgen.log (71000 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)

The Trojan deletes the following file(s):

%System%\SETBF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (0 bytes)
%System%\SET12.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (0 bytes)
%WinDir%\_000003_.tmp.dll (0 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (0 bytes)
%System%\SETC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (0 bytes)
%System%\_000002_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (0 bytes)
%System%\wevtfwd.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (0 bytes)
%WinDir%\inf\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (0 bytes)
%System%\SET25.tmp (0 bytes)
%System%\SET13.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (0 bytes)
%System%\SET20.tmp (0 bytes)
%System%\SET14.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (0 bytes)
%WinDir%\inf\SET32.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (0 bytes)
%System%\SET7.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (0 bytes)
%System%\SET2A.tmp (0 bytes)
%WinDir%\inf\oem10.PNF (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (0 bytes)
%System%\WsmWmiPl.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (0 bytes)
%System%\GroupPolicy\Adm\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (0 bytes)
%System%\winrm\0409\winrm.ini (0 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (0 bytes)
%System%\winrscmd.dll (0 bytes)
%System%\SET2B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (0 bytes)
%System%\SET2E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (0 bytes)
%System%\wsmanhttpconfig.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (0 bytes)
%System%\winrm.cmd (0 bytes)
%System%\SETE.tmp (0 bytes)
%System%\winrm.vbs (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (0 bytes)
%System%\SET6.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (0 bytes)
%System%\wbem\SET4.tmp (0 bytes)
%System%\SET17.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (0 bytes)
%System%\SETA.tmp (0 bytes)
%System%\SET22.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (0 bytes)
%System%\SET27.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (0 bytes)
%System%\SET11.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (0 bytes)
%System%\WsmAuto.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (0 bytes)
%System%\SET8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (0 bytes)
%System%\SETF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (0 bytes)
%System%\wbem\wsmAuto.mof (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (0 bytes)
%System%\wsmplpxy.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (0 bytes)
%System%\SET26.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (0 bytes)
%System%\SET21.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (0 bytes)
%System%\SET16.tmp (0 bytes)
%System%\GroupPolicy\Adm\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (0 bytes)
%WinDir%\SECD0.tmp (0 bytes)
%System%\GroupPolicy\Adm\EventForwarding.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (0 bytes)
%System%\winrmprov.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (0 bytes)
%System%\wsmprovhost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (0 bytes)
%System%\winrmprov.mof (0 bytes)
%WinDir%\imsins.BAK (0 bytes)
%System%\SETB.tmp (0 bytes)
%System%\SET1F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (0 bytes)
%WinDir%\inf\oem10.inf (0 bytes)
%System%\SET28.tmp (0 bytes)
%System%\SET5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (0 bytes)
%System%\winrshost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (0 bytes)
%System%\SET31.tmp (0 bytes)
%WinDir%\inf\SET18.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\@.lnk (0 bytes)
%System%\WsmPty.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (0 bytes)
%System%\SET29.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (0 bytes)
%System%\WsmRes.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (0 bytes)
%WinDir%\Temp\UPD3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (0 bytes)
%System%\SET2C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (0 bytes)
%System%\SET15.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (0 bytes)
%System%\wbem\SET1E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (0 bytes)
%System%\SET2D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (0 bytes)
%System%\SET24.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (0 bytes)
%System%\winrssrv.dll (0 bytes)
%WinDir%\inf\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (0 bytes)
%System%\winrm\0409\SET1D.tmp (0 bytes)
%System%\SETD.tmp (0 bytes)
%System%\SET10.tmp (0 bytes)
%WinDir%\inf\SET19.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (0 bytes)
%System%\SET9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (0 bytes)
%System%\winrm\0409\SET37.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (0 bytes)
%System%\winrs.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (0 bytes)
%System%\SET2F.tmp (0 bytes)
%WinDir%\Help\SETC5.tmp (0 bytes)
%System%\WsmSvc.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (0 bytes)
%System%\winrsmgr.dll (0 bytes)
%System%\SET30.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (0 bytes)
%System%\SET23.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (0 bytes)
%System%\WsmTxt.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (0 bytes)
%WinDir%\inf\SET33.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (0 bytes)

The process PSCustomSetupUtil.exe:2596 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\6PSVY158\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)

The process PSCustomSetupUtil.exe:2848 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\8TWZ259C\Microsoft.WSMan.Management.dll (9608 bytes)

The process PSCustomSetupUtil.exe:3804 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\FX047ADG\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:2636 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\0JMQTWZ2\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)

The process PSCustomSetupUtil.exe:3140 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\6PTWZ259\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)

The process PSCustomSetupUtil.exe:3000 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\O7ADGJMP\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:3064 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\DX047ADG\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)

The process PSCustomSetupUtil.exe:3040 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\DWZ259CF\Microsoft.PowerShell.Security.resources.dll (9 bytes)

The process PSCustomSetupUtil.exe:3652 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\1MPSVY25\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)

The process PSCustomSetupUtil.exe:2784 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\M9DHKORV\Microsoft.WSMan.Runtime.dll (7 bytes)

The process PSCustomSetupUtil.exe:2744 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\BVY158BE\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)

The process PSCustomSetupUtil.exe:2872 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\1JMQTWZ2\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)

The process PSCustomSetupUtil.exe:2912 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\CVY158BE\System.Management.Automation.resources.dll (9320 bytes)

The process PSCustomSetupUtil.exe:3764 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\9SVY147A\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)

The process PSCustomSetupUtil.exe:2720 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\6PTWZ269\Microsoft.PowerShell.Security.dll (2392 bytes)

The process PSCustomSetupUtil.exe:2936 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\BUX037AD\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:3740 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\9RUX0369\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)

The process PSCustomSetupUtil.exe:2976 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\RADGJMPS\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:3704 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\ZILPSVY1\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)

The process PSCustomSetupUtil.exe:3680 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\DWZ259CF\Microsoft.PowerShell.Editor.dll (32824 bytes)

The process PSCustomSetupUtil.exe:2572 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\I369DGJM\System.Management.Automation.dll (81046 bytes)

The process PSCustomSetupUtil.exe:3092 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\AUX147AD\Microsoft.WSMan.Management.resources.dll (13 bytes)

The process PSCustomSetupUtil.exe:2696 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\6PSVY158\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)

The process PSSetupNativeUtils.exe:4036 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)

The process mscorsvw.exe:2920 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5f.dat (0 bytes)

The process mscorsvw.exe:3004 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index60.dat (0 bytes)

The process mscorsvw.exe:2192 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5b.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp (0 bytes)

The process mscorsvw.exe:2800 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5e.dat (0 bytes)

The process mscorsvw.exe:3128 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.WSMan.Management.dll (34061 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index61.dat (0 bytes)

The process mscorsvw.exe:2304 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index5c.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp (0 bytes)

The process mscorsvw.exe:3388 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (83393 bytes)

The process mscorsvw.exe:1296 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index58.dat (0 bytes)

The process mscorsvw.exe:3528 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp\System.Management.Automation.dll (105990 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index63.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp (0 bytes)

The process mscorsvw.exe:844 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index59.dat (0 bytes)

The process mscorsvw.exe:3220 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index62.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp (0 bytes)

The process mscorsvw.exe:2068 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5a.dat (0 bytes)

The process mscorsvw.exe:2512 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5d.dat (0 bytes)

Registry activity

The process mofcomp.exe:2548 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 A0 FC E1 5F E8 C2 BB 3F B3 85 25 F9 A4 82 6F"

The process WindowsXP-KB968930-x86-ENG.exe:372 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 38 94 C9 CA 01 6F E6 C1 5F 22 D0 66 04 03 C4"

The process ngen.exe:3920 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 F8 A3 8B F0 F1 8D B7 93 33 45 E8 49 C2 DF 1F"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3928 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 CC 57 B7 07 0A DC 63 22 92 65 F3 F7 49 73 29"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3492 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 E3 43 8D 7E 85 18 F3 02 D2 F0 93 72 92 1F 5E"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"

The process ngen.exe:3416 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F DC B9 10 14 63 A8 8F ED 3E 44 B4 EF 22 9C 01"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3556 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 10 AA 68 C8 F6 7E 4A 96 EB A8 48 4C 14 BB AB"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

The process ngen.exe:3456 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 08 2E 38 51 E7 3F E4 9D 83 C0 B0 7C 9A FA 05"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3380 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 10 D5 5C 7F 4A 00 95 C4 B3 82 AC 95 78 A9 98"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

The process ngen.exe:3516 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 AF A4 5A 24 34 87 13 5E B4 A3 2F 9B DC 53 E1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3572 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 8A 38 52 F9 1E 05 DC 74 3D 74 45 AA A1 55 6D"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3580 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 78 29 55 34 69 10 28 5F 41 FE 7F 6F D2 71 9B"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

The process ngen.exe:3912 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 E9 07 2D 69 27 C6 F8 FB 40 DB A4 37 19 5D 5F"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:3936 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 3E A6 3F AB B7 3D 4A E4 9D 19 73 AD 79 6F D1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3524 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 3A 80 C7 23 91 CB 60 CD 17 43 78 02 34 75 04"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3404 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 9E 70 DE 6D 16 25 20 F4 55 4D 32 7F D8 1B BF"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:3880 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 DA 39 78 58 56 17 A2 74 BE D8 F4 18 4D 92 30"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"

The process ngen.exe:3508 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 7B C7 E8 45 E3 04 2A F2 F5 A6 16 C1 C3 A6 6B"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3464 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 0B 23 31 98 78 04 2C C6 06 33 D3 47 4F D5 26"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

The process ngen.exe:3448 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 3D E5 03 BA 59 E5 52 10 C4 61 27 1D 73 C4 E6"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3564 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 83 5A 88 0F 93 F9 77 F5 FC C0 2F B3 47 61 22"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

The process ngen.exe:3500 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 57 0C 4D 2F B9 E2 AA 02 66 3B DA 2A A9 E3 00"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:3548 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 00 EB 3F AD 16 D8 9D F9 89 12 13 1A BD 62 BB"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3888 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 15 F3 B5 F0 53 AA B0 10 03 67 CD 19 17 BA 18"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3424 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 21 2B CB BC AC AE 19 3E 47 74 A2 63 20 AE 1E"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

The process %original file name%.exe:1328 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 96 38 54 07 F7 6B 97 79 3E 2A DD C1 6F 91 F1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Control Panel\Desktop]
"Wallpaper" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

The process update.exe:352 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Description" = "Windows Management Framework Core"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"StackVersion" = "2.0"

[HKCR\Microsoft.PowerShellModule.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"ControlFlags" = "1"

[HKCR\.psc1]
"(Default)" = "Microsoft.PowerShellConsole.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "IWSManHostEntrySink"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsGetSignature"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PSCompatibleVersion" = "1.0,2.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoModify" = "1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"TypesSupported" = "7"

[HKCR\Microsoft.PowerShellModule.1]
"EditFlags" = "131072"

[HKCR\WSMan.InternalAutomation\CurVer]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}]
"(Default)" = "IWSManResourceLocator"

[HKCR\.ps1xml]
"PerceivedType" = "Text"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}]
"(Default)" = "IWSManConnectionOptions"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryCount" = "8"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"LogLevel" = "536870912"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WINRM" = "WINRM"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"file" = "%WinDir%\System32\config\WindowsPowerShell.evt"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1\shell\Run with PowerShell\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -file %1"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"EventMessageFile" = "%systemroot%\system32\WsmRes.dll"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"ServerExecutable" = "%System%\wsmprovhost.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PSModulePath" = "%System%\WindowsPowerShell\v1.0\Modules\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"CoInitializeSecurityParam" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path" = "%System%\WindowsPowerShell\v1.0\powershell.exe"

[HKCR\Microsoft.PowerShellConsole.1]
"FriendlyTypeName" = "Windows PowerShell Console File"

[HKCR\Microsoft.PowerShellModule.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKCR\WSMan.InternalAutomation]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"FriendlyTypeName" = "Windows PowerShell Data File"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"(Default)" = "%System%\wsmprovhost.exe"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0]
"(Default)" = "Microsoft WSMAN Automation V1.0 Library"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"AuthenticationCapabilities" = "12320"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"Retention" = "0"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"EventMessageFile" = "%SystemRoot%\System32\spmsg.dll"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "PSFactoryBuffer"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PublishingGroup" = "Management and Infrastructure Group"

[HKCR\Microsoft.PowerShellConsole.1\shell\open\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -p %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700\iis]
"IISProgramGroup" = "Microsoft Internet Information Services"
"PathIISHelp" = "%WinDir%\Help\iishelp"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Retention" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsPutSignature"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"ParameterMessageFile" = "%systemroot%\system32\kernel32.dll"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\NumMethods]
"(Default)" = "6"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnService" = "RPCSS, HTTP, HTTPFilter"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700\iis]
"PathIISSamples" = "C:\Inetpub\iissamples"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"TypesSupported" = "7"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}]
"(Default)" = "IWSManEx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"TSAware" = "1"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"UninstallCommand" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostModuleName" = "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"

[HKCR\WSMan.Automation\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKCR\WSMan.Automation.1\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Type" = "32"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\VersionIndependentProgID]
"(Default)" = "WSMan.Automation"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DisplayName" = "Windows Remote Management (WS-Management)"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"BitNames" = " rsError rsWarning rsTrace rsNone"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\0\win32]
"(Default)" = "%System%\WsmAuto.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700\iis]
"PathScripts" = "C:\Inetpub\iissamples\Scripts"

[HKCR\Microsoft.PowerShellConsole.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledDate" = "7/16/2015"
"ReleaseType" = "Software Update"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCR\WSMan.InternalAutomation.1\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKCR\WSMan.Automation\CurVer]
"(Default)" = "WSMan.Automation.1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\ProgID]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\.ps1xml]
"(Default)" = "Microsoft.PowerShellXmlData.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"Guid" = "24b9a175-8716-40e0-9b2b-785de75b1e67"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ImagePath" = "%WinDir%\System32\svchost.exe -k WinRM"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.PNF" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"MaxSize" = "15728640"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 8B 5E 40 24 8A 2D 1E F1 0C 44 C6 F4 78 B1 A7"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "PSFactoryBuffer"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Sources" = "PowerShell"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"MaxSize" = "20971520"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"ServiceDll" = "%SystemRoot%\system32\WsmSvc.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\1033]
"Install" = "1"

[HKCR\Microsoft.PowerShellScript.1\DefaultIcon]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe,1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\VersionIndependentProgID]
"(Default)" = "WSMan.InternalAutomation"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700\iis]
"PathFTPRoot" = "C:\Inetpub\ftproot"

[HKCR\Microsoft.PowerShellData.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"seRVicemAIN" = "ServiceMain"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"TypesSupported" = "7"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledBy" = "%CurrentUserName%"

[HKCR\Microsoft.PowerShellData.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"AppID" = "{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerVersion" = "6.1.29.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayIcon" = "%System%\WindowsPowerShell\v1.0\WTRInstaller.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700\iis]
"PathInetsrv" = "%System%\inetsrv"

[HKCR\.psc1]
"Content Type" = "application/PowerShell"

[HKCR\Microsoft.PowerShellXmlData.1]
"EditFlags" = "131072"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"EditFlags" = "131072"

[HKCR\Microsoft.PowerShellXmlData.1]
"FriendlyTypeName" = "Windows PowerShell XML Document"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ErrorControl" = "1"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700\iis]
"PathWWWRoot" = "C:\Inetpub\wwwroot"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ARPLink" = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}]
"(Default)" = "IWSManResourceLocatorInternal"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"AutoBackupLogFiles" = "0"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKCR\WSMan.InternalAutomation\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoRepair" = "1"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}]
"(Default)" = "WinRM WMI Provider for User Profile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"UninstallString" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\WSMan.Automation.1]
"(Default)" = "WSMan Automation Class"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"Install" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"RuntimeVersion" = "v2.0.50727"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}]
"(Default)" = "IWSManProvHost"

[HKCR\Microsoft.PowerShellModule.1]
"FriendlyTypeName" = "Windows PowerShell Script Module"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageVersion" = "1.0"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"ServerExecutable" = "%System%\winrshost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayName" = "Windows Management Framework Core"
"InstallDate" = "20150716"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"Publisher" = "Microsoft Corporation"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"ReleaseType" = "Software Update"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\NumMethods]
"(Default)" = "4"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsDelSignature"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}]
"(Default)" = "IWSMan"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PowerShellVersion" = "2.0"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\ProgID]
"(Default)" = "WSMan.Automation.1"

[HKCR\Microsoft.PowerShellScript.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnGroup" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}]
"(Default)" = "WSMan Automation Class"

[HKCR\Microsoft.PowerShellScript.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "IHost"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Publisher" = "Microsoft Corporation"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"(Default)" = "%System%\wsmplpxy.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ApplicationBase" = "%System%\WindowsPowerShell\v1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerName" = "Update.exe"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"AppID" = "{3feb2f63-0eec-4b96-84ab-da1307e0117c}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageName" = "Windows Management Framework Core"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Microsoft.PowerShellScript.1]
"FriendlyTypeName" = "Windows PowerShell Script"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Description" = "Allows access to management information from local and remote machines."

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700\iis]
"PathIISAdmin" = "%System%\inetsrv\iisadmin"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}]
"(Default)" = "IWSManSession"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"HelpLink" = "http://go.microsoft.com/fwlink/?LinkID=163790"

[HKCR\WSMan.InternalAutomation.1]
"(Default)" = "WSMan Internal Class"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Type" = "Update"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\.psm1]
"(Default)" = "Microsoft.PowerShellModule.1"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\HELPDIR]
"(Default)" = "%System%"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsVerifyHash"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsCreateHash"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\WSMan.Automation]
"(Default)" = "WSMan Automation Class"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"file" = "%systemroot%\system32\config\EventForwarding-Operational.Evt"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsIsMyFileType"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"URLInfoAbout" = "http://go.microsoft.com/fwlink/?LinkID=163792"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"RegistryLocation" = " HKLM,SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\NumMethods]
"(Default)" = "4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"TypesSupported" = "7"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700\iis]
"UpgradeType" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"SupportsCompatListeners" = "1"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "IShell"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"(Default)" = "%System%\winrmprov.dll"

[HKCR\.ps1]
"(Default)" = "Microsoft.PowerShellScript.1"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ObjectName" = "NT AUTHORITY\NetworkService"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"(Default)" = "%System%\winrshost.exe"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"Active" = "1"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"PID" = "89383-100-0001260-04309"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostAssemblyName" = "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"

[HKCR\.psd1]
"(Default)" = "Microsoft.PowerShellData.1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}]
"(Default)" = "IWSManEnumerator"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"ServicePackCachePath" = "c:\windows\ServicePackFiles\ServicePackCache"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"EventMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"Version" = "1.0"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\SENS]
"Start" = "2"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700\iis]

The process PSCustomSetupUtil.exe:3592 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 B0 75 25 E4 0B 82 4F DA 44 46 50 B4 9B 2E E4"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark;%System%\WindowsPowerShell\v1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:2596 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 5A D0 19 CA 92 BC AF 3C DB 8B 7F FF 06 88 C0"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "188"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "E8 24 98 D5 1A C0 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "189"
"StoreChangeIDFor64BitProcesses" = "167"
"StoreChangeIDFor32BitProcesses" = "188"

The process PSCustomSetupUtil.exe:2848 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 92 76 B0 46 E4 96 04 2E B8 DD 6D F7 0F F9 5B"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "C4 54 8B D6 1A C0 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "194"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "195"
"StoreChangeIDFor64BitProcesses" = "173"
"StoreChangeIDFor32BitProcesses" = "194"

The process PSCustomSetupUtil.exe:3804 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC CE A1 7C F0 80 AB 99 76 E8 82 B5 49 44 1E E7"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "76 96 FC DA 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "210"
"StoreChangeIDFor64BitProcesses" = "188"
"StoreChangeIDFor32BitProcesses" = "209"

The process PSCustomSetupUtil.exe:2636 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 69 2E 34 80 E5 D7 34 8F C5 49 6E 41 E6 23 AA"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "88 4A BE D5 1A C0 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "189"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "190"
"StoreChangeIDFor64BitProcesses" = "168"
"StoreChangeIDFor32BitProcesses" = "189"

The process PSCustomSetupUtil.exe:3140 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 48 59 24 65 09 6D 06 22 0E B9 4D 82 31 5E DD"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "1E E4 BE D7 1A C0 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "203"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "204"
"StoreChangeIDFor64BitProcesses" = "182"
"StoreChangeIDFor32BitProcesses" = "203"

The process PSCustomSetupUtil.exe:3000 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 E3 A7 B9 3C A1 02 24 BC 96 4E FE 0A 81 97 62"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "199"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "200"
"Microsoft.PowerShell.Commands.Utility.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "8A AE 47 D7 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "178"
"StoreChangeIDFor32BitProcesses" = "199"

The process PSCustomSetupUtil.exe:3064 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF C0 AB F6 8B 9A A9 F2 EC 91 33 83 DB 03 1A 91"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "54 49 83 D7 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "201"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "202"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "180"
"StoreChangeIDFor32BitProcesses" = "201"

The process PSCustomSetupUtil.exe:3040 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 87 ED E7 C9 6A 89 91 FA CF F3 61 97 74 55 B3"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "C2 4A 64 D7 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "200"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "201"
"StoreChangeIDFor64BitProcesses" = "179"
"StoreChangeIDFor32BitProcesses" = "200"

The process PSCustomSetupUtil.exe:3652 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 AF 15 2B B7 B8 C5 A7 49 A3 03 7D C0 D5 7C F3"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "E8 D8 5C DA 1A C0 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "204"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "205"
"StoreChangeIDFor64BitProcesses" = "183"
"StoreChangeIDFor32BitProcesses" = "204"

The process PSCustomSetupUtil.exe:2784 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 36 F8 4F 08 40 84 19 4B C7 28 8C 8C 8E 0F A5"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "193"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "CA CC 62 D6 1A C0 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "194"
"StoreChangeIDFor64BitProcesses" = "172"
"StoreChangeIDFor32BitProcesses" = "193"

The process PSCustomSetupUtil.exe:2744 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 25 A1 45 B0 ED 1A B0 CA 9F 87 63 77 9D 34 5B"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL" = "D0 44 3A D6 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "193"
"StoreChangeIDFor64BitProcesses" = "171"
"StoreChangeIDFor32BitProcesses" = "192"

The process PSCustomSetupUtil.exe:2872 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 7D 2A E6 06 54 8F 11 39 2C 11 16 C0 C9 10 10"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "18 3F B6 D6 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "195"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "196"
"StoreChangeIDFor64BitProcesses" = "174"
"StoreChangeIDFor32BitProcesses" = "195"

The process PSCustomSetupUtil.exe:2912 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A A2 4E 3B 74 E6 1A FE CC B7 15 79 19 0A E5 53"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "196"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "197"
"System.Management.Automation.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "B8 64 DC D6 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "175"
"StoreChangeIDFor32BitProcesses" = "196"

The process PSCustomSetupUtil.exe:3764 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 00 2F 3B 32 D6 54 69 3B 55 84 B5 DA 61 A4 37"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "208"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "209"
"Microsoft.PowerShell.Editor.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "3E FA DF DA 1A C0 D0 01"
"StoreChangeIDFor64BitProcesses" = "187"
"StoreChangeIDFor32BitProcesses" = "208"

The process PSCustomSetupUtil.exe:2720 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 D4 BC 65 9E 32 02 4D 82 78 B8 DD 5B D6 83 69"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL" = "D6 BC 11 D6 1A C0 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "191"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "192"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "170"
"StoreChangeIDFor32BitProcesses" = "191"

The process PSCustomSetupUtil.exe:2936 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B A6 55 43 43 9E 56 69 1D ED 2E 32 B6 30 17 83"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "B2 EC 04 D7 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "197"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "198"
"StoreChangeIDFor64BitProcesses" = "176"
"StoreChangeIDFor32BitProcesses" = "197"

The process PSCustomSetupUtil.exe:3608 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 68 BD 33 13 07 FF 68 61 64 D2 92 CD D9 96 80"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PATHEXT" = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:3624 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 19 F8 EB CF AA E1 9E B1 83 D7 E9 D9 0A 17 65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:3740 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 71 E1 19 9C 7E F2 08 C2 EF 8E E5 BC C9 0C 2E"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "207"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "AC FB C0 DA 1A C0 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "208"
"StoreChangeIDFor64BitProcesses" = "186"
"StoreChangeIDFor32BitProcesses" = "207"

The process PSCustomSetupUtil.exe:2976 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 68 BC A9 49 3E C6 0D F2 B4 B0 65 99 E3 38 BD"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "F8 AF 28 D7 1A C0 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "198"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "199"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "177"
"StoreChangeIDFor32BitProcesses" = "198"

The process PSCustomSetupUtil.exe:3704 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 5E 52 34 D5 35 4E D5 9A 7F 30 E1 E8 4D 7B 92"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "206"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35,MSIL" = "1A FD A1 DA 1A C0 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "207"
"StoreChangeIDFor64BitProcesses" = "185"
"StoreChangeIDFor32BitProcesses" = "206"

The process PSCustomSetupUtil.exe:3680 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 97 AC 33 A6 FE FA 4A 10 34 99 86 04 26 A0 05"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35,MSIL" = "2E 9C 80 DA 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "205"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "206"
"StoreChangeIDFor64BitProcesses" = "184"
"StoreChangeIDFor32BitProcesses" = "205"

The process PSCustomSetupUtil.exe:2572 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 62 AD 5D BF D8 A4 49 67 5E 6C 49 D6 DD EE 24"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL" = "EE 9C 6F D5 1A C0 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "187"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "188"
"StoreChangeIDFor64BitProcesses" = "166"
"StoreChangeIDFor32BitProcesses" = "187"

The process PSCustomSetupUtil.exe:3092 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 E7 62 BF DA A0 16 F9 DD 8E 8D 08 3D 98 0F B1"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "8C E5 9F D7 1A C0 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "202"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "203"
"StoreChangeIDFor64BitProcesses" = "181"
"StoreChangeIDFor32BitProcesses" = "202"

The process PSCustomSetupUtil.exe:2696 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 24 56 A8 31 CD 3D 40 45 83 35 47 F7 E2 86 A3"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "190"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL" = "DC 34 E9 D5 1A C0 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "191"
"StoreChangeIDFor64BitProcesses" = "169"
"StoreChangeIDFor32BitProcesses" = "190"

The process PSSetupNativeUtils.exe:4036 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 1D 85 D1 7A 5E 9C 8D FB B6 B1 6B 24 77 87 E3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

The process mscorsvw.exe:2860 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 DF 00 EF 74 70 6F 72 94 3B 73 32 D3 68 F5 5D"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2732 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F F9 95 D0 21 A6 F3 A5 C9 6A 38 A4 62 99 F9 0E"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2920 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\3fa824d2\11\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"MVID" = "EA F7 7E C3 AE 2E A1 73 83 BF A6 FB A9 3D 37 37"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 3B 60 C0 86 AB 92 41 53 B1 AB 6B 6E 0C 52 A6"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "97"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"SIG" = "7B 5D F0 E6 43 C6 6F 48 85 FF C5 61 E9 E4 D2 1B"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"LastModTime" = "E8 D8 5C DA 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]

The process mscorsvw.exe:3004 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"LastModTime" = "D6 BC 11 D6 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"MVID" = "AB 6E A2 EF 90 77 0C 78 07 DB 52 DB 59 B5 A1 32"
"Status" = "0"
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2995e574\9\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 A2 C2 BE C0 B2 3F DB 82 8C C8 B3 A8 20 BB 98"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "98"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"SIG" = "07 95 68 2E 6D 23 41 45 81 DB 7F 93 51 3C 97 66"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]

The process mscorsvw.exe:2192 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\27\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
"ConfigMask" = "4361"
"MVID" = "93 92 67 97 48 6D 4F 7A 9B 69 C5 87 5F F3 FC 30"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ConfigString" = "ZAP--0000-0000"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"LastModTime" = "DC 34 E9 D5 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\43970528\4b\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 25 29 5F 14 BD 15 B6 B5 7E 72 FF CD 96 51 A7"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"SIG" = "EF D0 54 19 D0 F5 86 44 A9 62 4E 86 6A 5F 6C 6E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]

The process mscorsvw.exe:3168 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 33 DC AB 4D 52 C9 97 D9 91 53 98 F4 13 F7 6A"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2800 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"SIG" = "B7 6F 43 3B 5E 11 DE 4E B3 DF 75 E5 9F 64 67 8F"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"LastModTime" = "1A FD A1 DA 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 F3 60 9A 31 70 31 3C 8C 8B 60 15 7C BB 8C 46"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"MVID" = "BE 89 7C E6 CB 7D 25 17 02 86 EA BC EA E9 F4 1E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "96"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]

The process mscorsvw.exe:3304 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 43 56 96 48 26 C8 2B 61 DF 98 A1 5E 70 A0 D6"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2136 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 64 01 00 98 0B B4 82 2A 68 DB 0A FA 61 15 28"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The process mscorsvw.exe:3128 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"SIG" = "65 39 A0 50 E9 4F 14 4B 85 A8 07 D9 00 B9 C9 79"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"LastModTime" = "CA CC 62 D6 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"MVID" = "B1 10 6C EC A9 F5 C8 9E A5 7E 9E CD 46 C7 CF 57"
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB BD 31 BF AC 62 0D 40 1D EB 5E C1 4C 83 EF 93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "99"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"LastModTime" = "C4 54 8B D6 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"SIG" = "EC D0 CD 16 68 09 9B 47 85 11 78 36 0F BB 3D 11"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]

The process mscorsvw.exe:2988 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 73 D5 C6 71 40 BF 6C 8E 45 81 31 66 DA 8F 96"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2304 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"
"Status" = "4098"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"SIG" = "3C 55 A6 91 EF 61 21 4C 93 C9 D8 16 A5 41 D7 5A"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigMask" = "4361"
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"MVID" = "DC 19 F5 0C 5E 84 E7 22 34 33 CC 70 9E 7E B4 3F"
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 73 D1 07 81 BF 91 D1 94 91 08 B6 F0 24 C8 99"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "94"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"LastModTime" = "E8 24 98 D5 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]

The process mscorsvw.exe:3388 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EC 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 E6 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 0A 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 02 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F2 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 08 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F0 00 00 00 53 00 79"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 93 5F C8 42 46 39 C8 C6 FF 44 61 C4 B8 92 41"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 1C 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
"ImageList" = "01 00 00 00 00 02 00 00 00 FC 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EE 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

The process mscorsvw.exe:2248 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 49 F0 D8 1F 3F EB 25 A3 D1 C5 6E 5D F9 85 99"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:1296 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"LastModTime" = "18 3F B6 D6 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"SIG" = "5D B3 1D FA D7 A3 2D 4A 9D D3 B0 41 D1 BC 36 E6"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"LastModTime" = "EE 9C 6F D5 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MissingDependencies" = "Microsoft.BackgroundIntelligentTransfer.Management.Interop,6.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MVID" = "FD 3E DC DF A9 CE 60 AB AC 35 20 81 46 18 44 95"
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 48 19 E8 81 EF E5 4F 2D 4F 4F 92 C8 C2 CD EA"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "90"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"SIG" = "85 42 9C 0A C5 DF B1 48 A5 8E 44 2E FB 91 9D 84"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"Status" = "2"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index58]

The process mscorsvw.exe:588 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 4D 70 67 CE 16 DE E6 EF FF 66 C0 BF 13 73 63"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3072 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 37 B9 24 7A B1 E2 80 08 69 15 5B 6D 9A AD 49"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3528 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ConfigMask" = "4361"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\3fa824d2\11\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index65]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"MVID" = "E2 17 82 39 6B BC 18 53 A8 67 A6 33 0D FD 66 7B"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\afa163\1f\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index65]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ILDependencies" = "57 8D AB 19 D0 02 1A 29 07 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD EC E9 EF 6C 9E 21 7B E1 57 76 16 55 7F 32 5D"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "101"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]

The process mscorsvw.exe:1880 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A DE 53 F6 5F 68 D1 63 0F FE 63 09 F2 D6 2F 89"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:1644 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 02 BE 25 60 A1 86 A3 75 CD 40 9F D3 C3 88 17"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:844 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigMask" = "4361"
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"SIG" = "EC BB F6 79 DE 07 9A 4F A7 CE DF 48 D6 49 CE 93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"LastModTime" = "D0 44 3A D6 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 75 7D B2 EE 09 15 8E 8D 48 E2 5D E8 53 F1 15"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "91"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"MVID" = "13 FC 3D AE F5 85 09 8F 11 91 1F 8F 72 AC 1C EA"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index59]

The process mscorsvw.exe:2336 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 9C F0 04 E5 14 21 25 1A BA CE E4 01 79 70 5C"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3220 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 9D 5F B0 28 D9 54 B3 26 2C 47 FF 97 2C 49 3E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ILDependencies" = "44 18 F2 39 EC CB 26 0B 6F 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "100"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2644b2e9\635b32a7]
"66" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigString" = "ZAP--0000-0000"
"MVID" = "9D 8E 8F 7B 7A E9 50 D8 65 44 54 05 97 83 7B 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\2644b2e9\635b32a7]
"66" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"
"Status" = "0"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2644b2e9\635b32a7]
"66" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]

The process mscorsvw.exe:2068 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"MVID" = "F0 07 EE 1B F5 48 BA 76 1B A6 16 F4 C3 5B 15 8E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\168b424e\2b\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigString" = "ZAP--0000-0000"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"SIG" = "1D 3D FC F9 F8 82 BC 47 B7 60 1D 39 80 29 76 15"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 B6 2F 6B EA 1A 01 D8 BD 0E E0 49 D4 14 9D F0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "92"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"LastModTime" = "88 4A BE D5 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]

The process mscorsvw.exe:2512 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\51be0150\645507bd\5d\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigMask" = "4361"
"MVID" = "72 A5 E7 88 C4 07 6B 67 EC 68 97 DA DB 9C 00 B6"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 23 5D E7 D9 78 4E 29 C7 8F 4B 19 B9 EA A1 0E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"LastModTime" = "2E 9C 80 DA 1A C0 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"SIG" = "EC 74 C4 48 ED 80 64 4D BD A4 D7 78 32 8C 96 D8"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "95"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]

The process wsmanhttpconfig.exe:2512 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 70 9D 09 19 92 89 6D D0 75 E5 C8 7D D9 52 78"

The process wsmanhttpconfig.exe:2452 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 72 57 60 4A 4B 0D 4E B7 98 8A 54 C3 48 6E B0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Event Forwarding Plugin]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :47001/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"https:// :5986/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"UpdatedConfig" = "6F4B2747-7DC1-415B-8DA2-29BD46A9802F"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :5985/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider]
"ConfigXML" = ""

Dropped PE files

MD5 File path
9859a26d5e72bbb0685af813b409d99dc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe
fc9a05096522bb6d7ceda62ea1707420c:\WINDOWS\$968930Uinstall_KB968930$\PSCustomSetupUtil.exe
35efd8cd6549a4339cb2a28c8cfd6598c:\WINDOWS\$968930Uinstall_KB968930$\PSSetupNativeUtils.exe
a39df582ca051afc8811fbd00db12f10c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\spuninst.exe
9a055da2f2819f155c33d47cd67a7c00c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\updspapi.dll
75c183e262bd4400eb0f20349f6ef383c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll
2f7fe3a781ba8c0a67c775f20e3e9f70c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll
4e2482e69baaf3a5b13db8101c063ebfc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.resources.dll
08e87e8abf7b41b28663dce817ce0ab6c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll
b87e087fc013225e2aa1cb60c080647dc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.resources.dll
f3ac3f844f90380aab2b4c0836c4288fc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
1ce73fb3f88c716cfc3fd550547d2b35c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.resources.dll
dfeb401cc051e5da721c584ff6a90f88c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll
36ff641f37918f2cca98e7f407ac4d75c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.resources.dll
3991b7fa452a9c9c291c06365a236792c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll
37bed865557084dd9988350ab1675e0bc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Editor.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Editor.resources.dll
208fa9d0ebe2ceb9616042772e96598ec:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Editor\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Editor.dll
108500a98b9a2f66823e7615398fc87bc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.resources.dll
d4eefccdc3de6ced901535fa4153c491c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.dll
5a69fb5d686f863e0e13268d671ef16dc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.resources.dll
3eab4dbdc290edc4d53fe77f1fdb9e59c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.dll
c7a0d1321a67a2afd330c5fbe79befd1c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Security.resources.dll
53a9d748ef09920a0d06da2583c298adc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll
6372ea7d2aced7185183cf3fcdd3577bc:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.WSMan.Management.resources.dll
1a4e900c2fe3cd31d10107670d184fe6c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll
f7da27672d2e4c21a1f996ee31de0dbfc:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll
2286b57ecc2d32d24049c51989084268c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation.resources\1.0.0.0_en_31bf3856ad364e35\System.Management.Automation.resources.dll
4d8ab4fad244f7985d8c59d456e026d7c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
930cdc3163f4d4a6bd52f96896e9fa44c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Backgroun#\fd3edcdfa9ce60abac35208146184495\Microsoft.BackgroundIntelligentTransfer.Management.ni.dll
e27a37cfbcff4c9941e73c9a3e762d0cc:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\13fc3daef585098f11911f8f72ac1cea\Microsoft.PowerShell.Commands.Diagnostics.ni.dll
8afa150131c5cba4b312493db94d30fbc:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\72a5e788c4076b67ec6897dadb9c00b6\Microsoft.PowerShell.Editor.ni.dll
8984e670f9760c504c5fca8370ad99d3c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\93926797486d4f7a9b69c5875ff3fc30\Microsoft.PowerShell.Commands.Utility.ni.dll
fecd06a285a93f004a1a4a1a629f55b7c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\ab6ea2ef90770c7807db52db59b5a132\Microsoft.PowerShell.Security.ni.dll
41980649706941d2ff841871435068b5c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\be897ce6cb7d25170286eabceae9f41e\Microsoft.PowerShell.GPowerShell.ni.dll
fe8b145b025e02fb4e23381a2e189d0ac:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\dc19f50c5e84e7223433cc709e7eb43f\Microsoft.PowerShell.ConsoleHost.ni.dll
1915d832be5b46ff2a888a9a6689e281c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\eaf77ec3ae2ea17383bfa6fba93d3737\Microsoft.PowerShell.GraphicalHost.ni.dll
6756eea89ecbaa301b79e4d01f381cd1c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f007ee1bf548ba761ba616f4c35b158e\Microsoft.PowerShell.Commands.Management.ni.dll
aae309ef03acc9d2e5c3546abcabedecc:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\b1106ceca9f5c89ea57e9ecd46c7cf57\Microsoft.WSMan.Management.ni.dll
b582a633fcce28c0fc795810d4ca48f9c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\9d8e8f7b7ae950d86544540597837b01\Microsoft.WSMan.Runtime.ni.dll
85d7ab466d0577c49fc9879107ec7ef5c:\WINDOWS\system32\WindowsPowerShell\v1.0\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll
173d3dd1425a8e33fa1d4ed71067a3a2c:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\microsoft.backgroundintelligenttransfer.management.interop.dll
df4217ddb34a0b73dc7aac7829371c0cc:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
fe7bc06af17d7cd8fb8e6d72d72453b8c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe.mui
36b6f71b6d7d280302b348145db05a9fc:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.exe
cb3a534127f37d0fa1f556dbb76575d3c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.resources.dll
95b7f12a557dedac5e4a1e9afa5e73abc:\WINDOWS\system32\WindowsPowerShell\v1.0\pspluginwkr.dll
a94243b797377ba03b63fc716c13bcf5c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshmsg.dll
7943a80f1a6fd37969aacd411b511f91c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshsip.dll
2c9c9ae86eb2b4e78c8e09deb7509a63c:\WINDOWS\system32\WsmAuto.dll
67146d3606be1111a39f0fd61f47e9b6c:\WINDOWS\system32\WsmRes.dll
18f347402da544a780949b8fdf83351bc:\WINDOWS\system32\WsmSvc.dll
296e6992278fea7140d88b603e6c2a8ac:\WINDOWS\system32\WsmWmiPl.dll
8c386819bf5b39d7a4b274d0b55f87a5c:\WINDOWS\system32\pwrshplugin.dll
84e025b1259c66315f4d45a6caecacc9c:\WINDOWS\system32\wevtfwd.dll
cd17705af8e53a82facb545a213ab09cc:\WINDOWS\system32\winrmprov.dll
afdf7654880ce23005014895b129d948c:\WINDOWS\system32\winrs.exe
3e9b11880ae4a8ff399ce0573c82655bc:\WINDOWS\system32\winrscmd.dll
62021e3e6ba13d72cf5cc1047cfac991c:\WINDOWS\system32\winrshost.exe
b84092e52861a026fc83bcede4a7abfac:\WINDOWS\system32\winrsmgr.dll
35bc7c49676e5ab617ef94dc9854a6f1c:\WINDOWS\system32\winrssrv.dll
972916faac89c4aa978952b30f478e81c:\WINDOWS\system32\wsmanhttpconfig.exe
23ce21efc2ae95700f2b1f9582fe3867c:\WINDOWS\system32\wsmplpxy.dll
faa2fcc6853e5123e05dccc5919657e2c:\WINDOWS\system32\wsmprovhost.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    mofcomp.exe:2548
    WindowsXP-KB968930-x86-ENG.exe:372
    ngen.exe:3920
    ngen.exe:3928
    ngen.exe:3492
    ngen.exe:3416
    ngen.exe:3556
    ngen.exe:3456
    ngen.exe:3380
    ngen.exe:3516
    ngen.exe:3572
    ngen.exe:3580
    ngen.exe:3912
    ngen.exe:3936
    ngen.exe:3524
    ngen.exe:3404
    ngen.exe:3880
    ngen.exe:3508
    ngen.exe:3464
    ngen.exe:3448
    ngen.exe:3564
    ngen.exe:3500
    ngen.exe:3548
    ngen.exe:3888
    ngen.exe:3424
    %original file name%.exe:1328
    update.exe:352
    PSCustomSetupUtil.exe:3592
    PSCustomSetupUtil.exe:2596
    PSCustomSetupUtil.exe:2848
    PSCustomSetupUtil.exe:3804
    PSCustomSetupUtil.exe:2636
    PSCustomSetupUtil.exe:3140
    PSCustomSetupUtil.exe:3000
    PSCustomSetupUtil.exe:3064
    PSCustomSetupUtil.exe:3040
    PSCustomSetupUtil.exe:3652
    PSCustomSetupUtil.exe:2784
    PSCustomSetupUtil.exe:2744
    PSCustomSetupUtil.exe:2872
    PSCustomSetupUtil.exe:2912
    PSCustomSetupUtil.exe:3764
    PSCustomSetupUtil.exe:2720
    PSCustomSetupUtil.exe:2936
    PSCustomSetupUtil.exe:3608
    PSCustomSetupUtil.exe:3624
    PSCustomSetupUtil.exe:3740
    PSCustomSetupUtil.exe:2976
    PSCustomSetupUtil.exe:3704
    PSCustomSetupUtil.exe:3680
    PSCustomSetupUtil.exe:2572
    PSCustomSetupUtil.exe:3092
    PSCustomSetupUtil.exe:2696
    PSSetupNativeUtils.exe:4036
    mscorsvw.exe:2860
    mscorsvw.exe:2732
    mscorsvw.exe:2920
    mscorsvw.exe:3004
    mscorsvw.exe:2192
    mscorsvw.exe:3168
    mscorsvw.exe:2800
    mscorsvw.exe:3304
    mscorsvw.exe:2136
    mscorsvw.exe:3128
    mscorsvw.exe:2988
    mscorsvw.exe:2304
    mscorsvw.exe:3388
    mscorsvw.exe:2248
    mscorsvw.exe:1296
    mscorsvw.exe:588
    mscorsvw.exe:3072
    mscorsvw.exe:3528
    mscorsvw.exe:1880
    mscorsvw.exe:1644
    mscorsvw.exe:844
    mscorsvw.exe:2336
    mscorsvw.exe:3220
    mscorsvw.exe:2068
    mscorsvw.exe:2512
    wsmanhttpconfig.exe:2512
    wsmanhttpconfig.exe:2452

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\wbem\Logs\mofcomp.log (1814 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\pscustomsetuputil.exe (316 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_trap.help.txt (10 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_script_internationalization.help.txt (9 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\profile.ps1 (772 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_parsing.help.txt (2 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_scopes.help.txt (76 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_functions_advanced_parameters.help.txt (962 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.gpowershell.resources.dll (408 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\system.management.automation.dll-help.xml (16567 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_requires.help.txt (2 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.gpowershell.dll (9738 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.editor.dll (14450 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_bits_cmdlets.help.txt (7 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\powershell_ise.exe (2526 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\update\kb968930xp.cat (512 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_automatic_variables.help.txt (14 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\help.format.ps1xml (3947 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_hash_tables.help.txt (6 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_remote_output.help.txt (887 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\pssetupnativeutils.exe (9 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\pwrshmsg.dll (4 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\$shtdwn$.req (788 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_pssession_details.help.txt (9 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\wsmres.dll (6164 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_while.help.txt (2 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\wsmpty.xsl (1 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.utility.dll (9684 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.consolehost.dll (3118 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\winrshost.exe (22 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_pssnapins.help.txt (6 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_format.ps1xml.help.txt (17 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_job_details.help.txt (824 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\winrmprov.mof (789 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\diagnostics.format.ps1xml (590 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_if.help.txt (3 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\powershellcore.format.ps1xml (1492 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_type_operators.help.txt (5 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_line_editing.help.txt (1 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_remote_faq.help.txt (775 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\winrs.exe (1154 bytes)
    C:\$Directory (800 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_debuggers.help.txt (21 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\wsmanhttpconfig.exe (3009 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_eventlogs.help.txt (5 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_providers.help.txt (59 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\update\eula.txt (586 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_windows_powershell_2.0.help.txt (453 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\bitstransfer.format.ps1xml (16 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_switch.help.txt (489 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_preference_variables.help.txt (37 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_foreach.help.txt (10 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_aliases.help.txt (6 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_arithmetic_operators.help.txt (168 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_functions_cmdletbindingattribute.help.txt (3 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\windowspowershellhelp.chm (26041 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_redirection.help.txt (2 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_arrays.help.txt (8 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_parameters.help.txt (9 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\bitstransfer.psd1 (950 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_methods.help.txt (6 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\wsmprovhost.exe (657 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_remote.help.txt (7 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\certificate.format.ps1xml (155 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_for.help.txt (146 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_history.help.txt (3 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\importallmodules.psd1 (438 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_objects.help.txt (2 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.diagnostics.dll (998 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.security.resources.dll (9 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\windowsremoteshell.adm (12 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\wsmsvc.dll (15909 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_functions.help.txt (586 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_ws-management_cmdlets.help.txt (405 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\update\update.ver (14 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\winrmprov.dll (591 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\spupdsvc.exe (287 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_assignment_operators.help.txt (379 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\pwrshsip.dll (24 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\wsman.format.ps1xml (837 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_signing.help.txt (12 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_join.help.txt (2 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.utility.resources.dll (508 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\registry.format.ps1xml (20 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\update\update.exe (10748 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\wsmauto.mof (4 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\spmsg.dll (495 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_try_catch_finally.help.txt (7 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_split.help.txt (10 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.security.dll-help.xml (1797 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\spuninst.exe (3787 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.management.resources.dll (508 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.editor.resources.dll (562 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\update\update.inf (2457 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\powershelltrace.format.ps1xml (344 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_jobs.help.txt (12 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.runtime.dll (33 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.consolehost.resources.dll (778 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_data_sections.help.txt (5 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\powershell.exe (7339 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_core_commands.help.txt (221 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_prompts.help.txt (7 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_variables.help.txt (6 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_reserved_words.help.txt (1 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\winrm.vbs (2727 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_wildcards.help.txt (3 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_continue.help.txt (1 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_locations.help.txt (794 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\update\updspapi.dll (5940 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_transactions.help.txt (1011 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_quoting_rules.help.txt (659 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_wmi_cmdlets.help.txt (8 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\powershell.exe.mui (10 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_comment_based_help.help.txt (595 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\windowsremotemanagement.adm (574 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_profiles.help.txt (457 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\winrm.ini (1956 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_regular_expressions.help.txt (5 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\wevtfwd.dll (3351 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.management.dll (5010 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_do.help.txt (2 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\wsmtxt.xsl (2 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_functions_advanced.help.txt (3 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\powershell_ise.resources.dll (4 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\winrscmd.dll (2907 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\dotnettypes.format.ps1xml (266 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_command_syntax.help.txt (5 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_break.help.txt (792 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_execution_policies.help.txt (13 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_pssessions.help.txt (9 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.management.dll-help.xml (8740 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\wtrinstaller.ico (4803 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_functions_advanced_methods.help.txt (9 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.graphicalhost.dll (4408 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_properties.help.txt (7 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_commonparameters.help.txt (12 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\wsmplpxy.dll (603 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_command_precedence.help.txt (8 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\winrsmgr.dll (2 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_modules.help.txt (13 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\wsmauto.dll (1842 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_session_configurations.help.txt (276 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_escape_characters.help.txt (2 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_remote_troubleshooting.help.txt (146 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_remote_jobs.help.txt (13 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\pspluginwkr.dll (1756 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\winrm.cmd (35 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\getevent.types.ps1xml (15 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_ref.help.txt (1 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\types.ps1xml (2510 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\filesystem.format.ps1xml (133 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\wsmwmipl.dll (2816 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_comparison_operators.help.txt (11 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\default.help.txt (2 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_logical_operators.help.txt (2 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_scripts.help.txt (12 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_special_characters.help.txt (3 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_environment_variables.help.txt (417 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_operators.help.txt (770 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_types.ps1xml.help.txt (481 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_windows_powershell_ise.help.txt (6 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_throw.help.txt (5 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_language_keywords.help.txt (11 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_path_syntax.help.txt (5 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\winrssrv.dll (12 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_script_blocks.help.txt (3 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_pipelines.help.txt (411 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.management.resources.dll (13 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\pwrshplugin.dll (802 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_return.help.txt (3 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\eventforwarding.adm (2 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\update\spcustom.dll (23 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\about_remote_requirements.help.txt (6 bytes)
    C:\f6ff9a417a3a9051be1120c02a4790\system.management.automation.resources.dll (3153 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1106 bytes)
    %System%\SETBF.tmp (42 bytes)
    %WinDir%\ocmsn.log (7791 bytes)
    %System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
    %System%\SET12.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
    %System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
    %System%\SETC.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
    %System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
    %System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
    %System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
    %System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
    %System%\SET2D.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
    %System%\SET25.tmp (1281 bytes)
    %System%\SET13.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
    %System%\SET20.tmp (2 bytes)
    %System%\SET14.tmp (25 bytes)
    %System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
    %System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
    %WinDir%\inf\SET32.tmp (38 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
    %System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
    %System%\SET2A.tmp (2 bytes)
    %WinDir%\inf\oem10.PNF (10136 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
    %System%\SET7.tmp (35 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
    %System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
    %WinDir%\msmqinst.log (5468 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
    %System%\SET22.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
    %System%\spmsg.dll (14 bytes)
    %System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
    %System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
    %System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
    %System%\SET2B.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
    %System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
    %WinDir%\inf\SET18.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
    %System%\SETE.tmp (22 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
    %System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
    %System%\SET6.tmp (2 bytes)
    %System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
    %System%\wbem\SET4.tmp (4 bytes)
    %System%\SET17.tmp (673 bytes)
    %WinDir%\tabletoc.log (2313 bytes)
    %System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
    %System%\SETA.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
    %System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
    %WinDir%\MedCtrOC.log (8910 bytes)
    %System%\config\SYSTEM.LOG (7577 bytes)
    %System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
    %System%\SET27.tmp (601 bytes)
    %System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
    %System%\SET11.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
    %WinDir%\Help\SETC5.tmp (12287 bytes)
    %System%\SET8.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
    %WinDir%\msgsocm.log (6541 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
    %System%\SETF.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
    %System%\SET10.tmp (2 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
    %System%\SET26.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
    %System%\SET21.tmp (35 bytes)
    %System%\config\system (5372 bytes)
    %System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
    %System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
    %WinDir%\SECD0.tmp (1897 bytes)
    %System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
    %WinDir%\imsins.log (3792 bytes)
    %System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
    %System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
    %System%\SET16.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
    %System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
    %System%\CatRoot2\dberr.txt (1031 bytes)
    %System%\SETB.tmp (1281 bytes)
    %System%\SET1F.tmp (1 bytes)
    %WinDir%\iis6.log (138839 bytes)
    %WinDir%\comsetup.log (48640 bytes)
    %System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
    %System%\spupdsvc.exe (23 bytes)
    %System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
    %System%\SET28.tmp (22 bytes)
    %System%\SET5.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
    %System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
    %System%\SET31.tmp (673 bytes)
    %System%\SET2E.tmp (25 bytes)
    %System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
    %System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
    %System%\SET29.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
    %System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
    %System%\SET2C.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
    %WinDir%\KB968930.log (246954 bytes)
    %System%\SET15.tmp (789 bytes)
    %System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
    %WinDir%\ntdtcsetup.log (22991 bytes)
    %System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
    %WinDir%\inf\oem10.inf (673 bytes)
    %System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
    %System%\SET24.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
    %System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
    %System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
    %WinDir%\FaxSetup.log (53338 bytes)
    %WinDir%\tsoc.log (79170 bytes)
    %System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
    %WinDir%\KB968930xp.cat (59 bytes)
    %System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
    %System%\winrm\0409\SET1D.tmp (601 bytes)
    %System%\SETD.tmp (601 bytes)
    %WinDir%\inf\SET19.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
    %System%\SET9.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
    %System%\winrm\0409\SET37.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
    %System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
    %System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
    %WinDir%\ocgen.log (71000 bytes)
    %System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
    %System%\SET2F.tmp (789 bytes)
    %System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
    %System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
    %System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
    %System%\SET30.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
    %System%\wbem\SET1E.tmp (4 bytes)
    %System%\SET23.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
    %WinDir%\netfxocm.log (9089 bytes)
    %System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
    %WinDir%\inf\SET33.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)
    %WinDir%\assembly\tmp\6PSVY158\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
    %WinDir%\assembly\tmp\8TWZ259C\Microsoft.WSMan.Management.dll (9608 bytes)
    %WinDir%\assembly\tmp\FX047ADG\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\0JMQTWZ2\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
    %WinDir%\assembly\tmp\6PTWZ259\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
    %WinDir%\assembly\tmp\O7ADGJMP\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\DX047ADG\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
    %WinDir%\assembly\tmp\DWZ259CF\Microsoft.PowerShell.Security.resources.dll (9 bytes)
    %WinDir%\assembly\tmp\1MPSVY25\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
    %WinDir%\assembly\tmp\M9DHKORV\Microsoft.WSMan.Runtime.dll (7 bytes)
    %WinDir%\assembly\tmp\BVY158BE\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
    %WinDir%\assembly\tmp\1JMQTWZ2\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
    %WinDir%\assembly\tmp\CVY158BE\System.Management.Automation.resources.dll (9320 bytes)
    %WinDir%\assembly\tmp\9SVY147A\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
    %WinDir%\assembly\tmp\6PTWZ269\Microsoft.PowerShell.Security.dll (2392 bytes)
    %WinDir%\assembly\tmp\BUX037AD\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\9RUX0369\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
    %WinDir%\assembly\tmp\RADGJMPS\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\ZILPSVY1\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
    %WinDir%\assembly\tmp\DWZ259CF\Microsoft.PowerShell.Editor.dll (32824 bytes)
    %WinDir%\assembly\tmp\I369DGJM\System.Management.Automation.dll (81046 bytes)
    %WinDir%\assembly\tmp\AUX147AD\Microsoft.WSMan.Management.resources.dll (13 bytes)
    %WinDir%\assembly\tmp\6PSVY158\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.WSMan.Management.dll (34061 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (83393 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp\System.Management.Automation.dll (105990 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40961319151320964.372451b2a4b775f40f8e75a7bc64f7a753e96
.rdata13926444756450563.82086b5fea3dacc733dda76f873b3a5a04b8a
.data1843201358521280005.3229729f2aff19280bf42b0e6297b44915842
.bss323584394840964.70969c4c9118108c3645b4a2598e3fc254d75
.relog3276801448901448964.611744fd90e141d7a5953198cd1d9039f7cc6
.rsrc47513679680798723.85846fd8e3f3353bcae195fedf101437f5499
.reloc55705613220133122.9783579a37ecdc37758d5cf941d375b38ae00

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://microsoft.com/134.170.188.221
hxxp://e10088.dspb.akamaiedge.net/
hxxp://e10088.dspb.akamaiedge.net/uk-ua/
hxxp://a767.dscms.akamai.net/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe
hxxp://www.microsoft.com/23.64.223.148
hxxp://www.microsoft.com/uk-ua/23.64.223.148
hxxp://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe194.146.191.114

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: microsoft.com

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Content-Type: text/html; charset=UTF-8

Location: hXXp://VVV.microsoft.com/

Server: Microsoft-IIS/8.5

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

X-UA-Compatible: IE=EmulateIE7

Date: Thu, 16 Jul 2015 22:57:20 GMT

Connection: close

Content-Length: 148

<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://VVV.microsoft.com/">here</a></body>..

GET /download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: download.microsoft.com

Cache-Control: no-cache

Cookie: MS-CV=ncbwnWcAzkSloIoM.1

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Last-Modified: Fri, 09 Oct 2009 23:52:17 GMT

Accept-Ranges: bytes

ETag: "6d3979883b49ca1:0"

Server: Microsoft-IIS/8.5

Content-Disposition: attachment

Content-Length: 6156064

Date: Thu, 16 Jul 2015 22:57:24 GMT

Connection: close

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ................................^.......... ......................................x.............]. ........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc...x........H].................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................l...V...:..."...............................|...................................(...r...d...T.......*...........P...j...................<...................\.......................................>...L...^...n...........................................2...L.......h...p.......................................(...>...L...`...v...................................N...>...,...................d...........................................................z...,...<...J...\...|.......N...Z...d...n...@....

<<< skipped >>>

GET / HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Cache-Control: no-cache

Host: VVV.microsoft.com

HTTP/1.1 302 Moved Temporarily

Server: AkamaiGHost

Content-Length: 0

Location: hXXp://VVV.microsoft.com/uk-ua/

Date: Thu, 16 Jul 2015 22:57:21 GMT

Connection: keep-alive

X-CCC: PL

X-CID: 2

....

GET /uk-ua/ HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Cache-Control: no-cache

Host: VVV.microsoft.com

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store

Pragma: no-cache

Content-Type: text/html

Expires: -1

Server: Microsoft-IIS/8.0

CorrelationVector: ncbwnWcAzkSloIoM.1.2

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Access-Control-Allow-Headers: Content-Type

Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS

Access-Control-Allow-Credentials: true

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

Content-Length: 233993

Date: Thu, 16 Jul 2015 22:57:22 GMT

Connection: keep-alive

Set-Cookie: MS-CV=ncbwnWcAzkSloIoM.1; domain=.microsoft.com; expires=Fri, 17-Jul-2015 22:57:21 GMT; path=/

X-CCC: PL

X-CID: 2

...<!DOCTYPE html ><html xmlns:mscom="hXXp://schemas.microsoft.com/CMSvNext" xmlns:md="hXXp://schemas.microsoft.com/mscom-data" lang="uk" xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><link rel="shortcut icon" href="//VVV.microsoft.com/favicon.ico?v2" /><script type="text/javascript" src="hXXp://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js"> .. // Third party scripts and code linked to or referenced from this website are licensed to you by the parties that own such code, not by Microsoft. See ASP.NET Ajax CDN Terms of Use - hXXp://VVV.asp.net/ajaxlibrary/CDN.ashx... </script><script type="text/javascript" language="javascript">/*<![CDATA[*/if($(document).bind("mobileinit",function(){$.mobile.autoInitializePage=!1}),navigator.userAgent.match(/IEMobile\/10\.0/)){var msViewportStyle=document.createElement("style");msViewportStyle.appendChild(document.createTextNode("@-ms-viewport{width:auto!important}")),document.getElementsByTagName("head")[0].appendChild(msViewportStyle)}/*]]>*/</script><script type="text/javascript" src="hXXp://ajax.aspnetcdn.com/ajax/jquery.mobile/1.3.2/jquery.mobile-1.3.2.min.js"></script><script type="text/javascript" src="hXXp://i.s-microsoft.com/library/svy/broker.js"></script><title>Microsoft..... ................ .......

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

svchost.exe_1392:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Kernel32.dll

Kernel32.dll

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

"svchost.exe"

"svchost.exe"

svchost.exe

svchost.exe

ole32.dll

ole32.dll

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

hXXp://

hXXp://

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

GetCPInfo

GetCPInfo

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

atl.dll

atl.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

?"?&?*?.?

?"?&?*?.?

6!6&696>6|6

6!6&696>6|6

9!:':-:6:

9!:':-:6:

:&;-;7;_;

:&;-;7;_;

5(6-6;6|6

5(6-6;6|6

7)7=7[7}7

7)7=7[7}7

>#>(>9>_>

>#>(>9>_>

?,?1?[?`?

?,?1?[?`?

5]5S5c5k5q5

5]5S5c5k5q5

:!:?:]:{:

:!:?:]:{:

CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc

CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

.Method '%s' not supported by automation object/Variant does not reference an automation object

.Method '%s' not supported by automation object/Variant does not reference an automation object

External exception %x

External exception %x

Interface not supported

Interface not supported

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

Invalid variant operation"Variant method calls not supported

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation

c:\%original file name%.exe path>path inj_ffile>inj_ffile

c:\%original file name%.exe path>path inj_ffile>inj_ffile

svchost.exe_1392_rwx_00080000_000BE000:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Kernel32.dll

Kernel32.dll

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

"svchost.exe"

"svchost.exe"

svchost.exe

svchost.exe

ole32.dll

ole32.dll

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

hXXp://

hXXp://

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

GetCPInfo

GetCPInfo

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

atl.dll

atl.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

?"?&?*?.?

?"?&?*?.?

6!6&696>6|6

6!6&696>6|6

9!:':-:6:

9!:':-:6:

:&;-;7;_;

:&;-;7;_;

5(6-6;6|6

5(6-6;6|6

7)7=7[7}7

7)7=7[7}7

>#>(>9>_>

>#>(>9>_>

?,?1?[?`?

?,?1?[?`?

5]5S5c5k5q5

5]5S5c5k5q5

:!:?:]:{:

:!:?:]:{:

CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc

CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

.Method '%s' not supported by automation object/Variant does not reference an automation object

.Method '%s' not supported by automation object/Variant does not reference an automation object

External exception %x

External exception %x

Interface not supported

Interface not supported

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

Invalid variant operation"Variant method calls not supported

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation

c:\%original file name%.exe path>path inj_ffile>inj_ffile

c:\%original file name%.exe path>path inj_ffile>inj_ffile

svchost.exe_1392_rwx_01000000_00006000:

.text

.text

`.data

`.data

.rsrc

.rsrc

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

RPCRT4.dll

RPCRT4.dll

NETAPI32.dll

NETAPI32.dll

ole32.dll

ole32.dll

ntdll.dll

ntdll.dll

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

GetProcessHeap

GetProcessHeap

NtOpenKey

NtOpenKey

svchost.pdb

svchost.pdb

\PIPE\

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

svchost.exe

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

svchost.exe_592:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Kernel32.dll

Kernel32.dll

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

"svchost.exe"

"svchost.exe"

svchost.exe

svchost.exe

ole32.dll

ole32.dll

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

hXXp://

hXXp://

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

GetCPInfo

GetCPInfo

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

atl.dll

atl.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

?"?&?*?.?

?"?&?*?.?

6!6&696>6|6

6!6&696>6|6

9!:':-:6:

9!:':-:6:

:&;-;7;_;

:&;-;7;_;

5(6-6;6|6

5(6-6;6|6

7)7=7[7}7

7)7=7[7}7

>#>(>9>_>

>#>(>9>_>

?,?1?[?`?

?,?1?[?`?

5]5S5c5k5q5

5]5S5c5k5q5

:!:?:]:{:

:!:?:]:{:

CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD2

CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD2

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

.Method '%s' not supported by automation object/Variant does not reference an automation object

.Method '%s' not supported by automation object/Variant does not reference an automation object

External exception %x

External exception %x

Interface not supported

Interface not supported

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

Invalid variant operation"Variant method calls not supported

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation

svchost.exe_592_rwx_00080000_000BE000:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Kernel32.dll

Kernel32.dll

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

"svchost.exe"

"svchost.exe"

svchost.exe

svchost.exe

ole32.dll

ole32.dll

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

hXXp://

hXXp://

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

GetCPInfo

GetCPInfo

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

atl.dll

atl.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

?"?&?*?.?

?"?&?*?.?

6!6&696>6|6

6!6&696>6|6

9!:':-:6:

9!:':-:6:

:&;-;7;_;

:&;-;7;_;

5(6-6;6|6

5(6-6;6|6

7)7=7[7}7

7)7=7[7}7

>#>(>9>_>

>#>(>9>_>

?,?1?[?`?

?,?1?[?`?

5]5S5c5k5q5

5]5S5c5k5q5

:!:?:]:{:

:!:?:]:{:

CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD2

CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD2

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

.Method '%s' not supported by automation object/Variant does not reference an automation object

.Method '%s' not supported by automation object/Variant does not reference an automation object

External exception %x

External exception %x

Interface not supported

Interface not supported

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

Invalid variant operation"Variant method calls not supported

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation

svchost.exe_592_rwx_01000000_00006000:

.text

.text

`.data

`.data

.rsrc

.rsrc

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

RPCRT4.dll

RPCRT4.dll

NETAPI32.dll

NETAPI32.dll

ole32.dll

ole32.dll

ntdll.dll

ntdll.dll

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

GetProcessHeap

GetProcessHeap

NtOpenKey

NtOpenKey

svchost.pdb

svchost.pdb

\PIPE\

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

svchost.exe

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512