HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.14726540 (B) (Emsisoft), Trojan.Generic.14726540 (AdAware), Backdoor.Win32.Farfli.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 221d95d13d1a8eb1b00832f7bf8bffad
SHA1: 005c7ee4f8727344254e80218ece56a865eb9cb1
SHA256: 01a6a30b3012180a9a5748653fc5daa570d9f2b4468317753f5bacf9358c891d
SSDeep: 12288:c5V0Qai0CVAxr0eaDVJQOYeT8ZxNdm02wP2aj 7QH6rGbiW:aai0CVKEVVFT8Z/00vP2aEY6qN
Size: 548401 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-06-05 15:27:11
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
mofcomp.exe:2548
WindowsXP-KB968930-x86-ENG.exe:372
ngen.exe:3920
ngen.exe:3928
ngen.exe:3492
ngen.exe:3416
ngen.exe:3556
ngen.exe:3456
ngen.exe:3380
ngen.exe:3516
ngen.exe:3572
ngen.exe:3580
ngen.exe:3912
ngen.exe:3936
ngen.exe:3524
ngen.exe:3404
ngen.exe:3880
ngen.exe:3508
ngen.exe:3464
ngen.exe:3448
ngen.exe:3564
ngen.exe:3500
ngen.exe:3548
ngen.exe:3888
ngen.exe:3424
%original file name%.exe:1328
update.exe:352
PSCustomSetupUtil.exe:3592
PSCustomSetupUtil.exe:2596
PSCustomSetupUtil.exe:2848
PSCustomSetupUtil.exe:3804
PSCustomSetupUtil.exe:2636
PSCustomSetupUtil.exe:3140
PSCustomSetupUtil.exe:3000
PSCustomSetupUtil.exe:3064
PSCustomSetupUtil.exe:3040
PSCustomSetupUtil.exe:3652
PSCustomSetupUtil.exe:2784
PSCustomSetupUtil.exe:2744
PSCustomSetupUtil.exe:2872
PSCustomSetupUtil.exe:2912
PSCustomSetupUtil.exe:3764
PSCustomSetupUtil.exe:2720
PSCustomSetupUtil.exe:2936
PSCustomSetupUtil.exe:3608
PSCustomSetupUtil.exe:3624
PSCustomSetupUtil.exe:3740
PSCustomSetupUtil.exe:2976
PSCustomSetupUtil.exe:3704
PSCustomSetupUtil.exe:3680
PSCustomSetupUtil.exe:2572
PSCustomSetupUtil.exe:3092
PSCustomSetupUtil.exe:2696
PSSetupNativeUtils.exe:4036
mscorsvw.exe:2860
mscorsvw.exe:2732
mscorsvw.exe:2920
mscorsvw.exe:3004
mscorsvw.exe:2192
mscorsvw.exe:3168
mscorsvw.exe:2800
mscorsvw.exe:3304
mscorsvw.exe:2136
mscorsvw.exe:3128
mscorsvw.exe:2988
mscorsvw.exe:2304
mscorsvw.exe:3388
mscorsvw.exe:2248
mscorsvw.exe:1296
mscorsvw.exe:588
mscorsvw.exe:3072
mscorsvw.exe:3528
mscorsvw.exe:1880
mscorsvw.exe:1644
mscorsvw.exe:844
mscorsvw.exe:2336
mscorsvw.exe:3220
mscorsvw.exe:2068
mscorsvw.exe:2512
wsmanhttpconfig.exe:2512
wsmanhttpconfig.exe:2452
The Trojan injects its code into the following process(es):
svchost.exe:1392
svchost.exe:592
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process mofcomp.exe:2548 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (0 bytes)
The process WindowsXP-KB968930-x86-ENG.exe:372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\f6ff9a417a3a9051be1120c02a4790\pscustomsetuputil.exe (316 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_trap.help.txt (10 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_script_internationalization.help.txt (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\profile.ps1 (772 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_parsing.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_scopes.help.txt (76 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions_advanced_parameters.help.txt (962 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\system.management.automation.dll-help.xml (16567 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_requires.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.editor.dll (14450 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_bits_cmdlets.help.txt (7 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell_ise.exe (2526 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\kb968930xp.cat (512 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_automatic_variables.help.txt (14 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\help.format.ps1xml (3947 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_hash_tables.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_output.help.txt (887 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pssetupnativeutils.exe (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pwrshmsg.dll (4 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\$shtdwn$.req (788 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pssession_details.help.txt (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmres.dll (6164 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_while.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmpty.xsl (1 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.consolehost.dll (3118 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrshost.exe (22 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pssnapins.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_format.ps1xml.help.txt (17 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_job_details.help.txt (824 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrmprov.mof (789 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\diagnostics.format.ps1xml (590 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.management.dll (3386 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_if.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershellcore.format.ps1xml (1492 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_type_operators.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_line_editing.help.txt (1 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_faq.help.txt (775 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrs.exe (1154 bytes)
C:\$Directory (800 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_debuggers.help.txt (21 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmanhttpconfig.exe (3009 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_eventlogs.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_providers.help.txt (59 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\eula.txt (586 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_windows_powershell_2.0.help.txt (453 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\bitstransfer.format.ps1xml (16 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_switch.help.txt (489 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_preference_variables.help.txt (37 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_foreach.help.txt (10 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_aliases.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_arithmetic_operators.help.txt (168 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\windowspowershellhelp.chm (26041 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_redirection.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_arrays.help.txt (8 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_parameters.help.txt (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\bitstransfer.psd1 (950 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_methods.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmprovhost.exe (657 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote.help.txt (7 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\certificate.format.ps1xml (155 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_for.help.txt (146 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_history.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\importallmodules.psd1 (438 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_objects.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.security.resources.dll (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\windowsremoteshell.adm (12 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmsvc.dll (15909 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions.help.txt (586 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_ws-management_cmdlets.help.txt (405 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\update.ver (14 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrmprov.dll (591 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\spupdsvc.exe (287 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_assignment_operators.help.txt (379 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pwrshsip.dll (24 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsman.format.ps1xml (837 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_signing.help.txt (12 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_join.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\registry.format.ps1xml (20 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\update.exe (10748 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmauto.mof (4 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\spmsg.dll (495 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_try_catch_finally.help.txt (7 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_split.help.txt (10 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\spuninst.exe (3787 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.editor.resources.dll (562 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\update.inf (2457 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershelltrace.format.ps1xml (344 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_jobs.help.txt (12 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.runtime.dll (33 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_data_sections.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell.exe (7339 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_core_commands.help.txt (221 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_prompts.help.txt (7 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_variables.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_reserved_words.help.txt (1 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrm.vbs (2727 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_wildcards.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_continue.help.txt (1 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_locations.help.txt (794 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\updspapi.dll (5940 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_transactions.help.txt (1011 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_quoting_rules.help.txt (659 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_wmi_cmdlets.help.txt (8 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.security.dll (1145 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell.exe.mui (10 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_comment_based_help.help.txt (595 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\windowsremotemanagement.adm (574 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_profiles.help.txt (457 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrm.ini (1956 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_regular_expressions.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wevtfwd.dll (3351 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.management.dll (5010 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_do.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmtxt.xsl (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions_advanced.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell_ise.resources.dll (4 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrscmd.dll (2907 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\dotnettypes.format.ps1xml (266 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_command_syntax.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_break.help.txt (792 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_execution_policies.help.txt (13 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pssessions.help.txt (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wtrinstaller.ico (4803 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions_advanced_methods.help.txt (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_properties.help.txt (7 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update (4 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_commonparameters.help.txt (12 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmplpxy.dll (603 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_command_precedence.help.txt (8 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrsmgr.dll (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_modules.help.txt (13 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmauto.dll (1842 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_session_configurations.help.txt (276 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_escape_characters.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_troubleshooting.help.txt (146 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_jobs.help.txt (13 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pspluginwkr.dll (1756 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrm.cmd (35 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\getevent.types.ps1xml (15 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_ref.help.txt (1 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\types.ps1xml (2510 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\filesystem.format.ps1xml (133 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmwmipl.dll (2816 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_comparison_operators.help.txt (11 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\default.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_logical_operators.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_scripts.help.txt (12 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_special_characters.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_environment_variables.help.txt (417 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_operators.help.txt (770 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_types.ps1xml.help.txt (481 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_windows_powershell_ise.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_throw.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_language_keywords.help.txt (11 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_path_syntax.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrssrv.dll (12 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_script_blocks.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pipelines.help.txt (411 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.management.resources.dll (13 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pwrshplugin.dll (802 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_return.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\eventforwarding.adm (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\spcustom.dll (23 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_requirements.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\system.management.automation.dll (38414 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\system.management.automation.resources.dll (3153 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
The Trojan deletes the following file(s):
C:\f6ff9a417a3a9051be1120c02a4790\about_functions_advanced_parameters.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_trap.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_script_internationalization.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\profile.ps1 (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_parsing.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_command_syntax.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pscustomsetuputil.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.gpowershell.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.utility.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\eula.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_requires.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.gpowershell.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_assignment_operators.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_bits_cmdlets.help.txt (0 bytes)
C:\_529390_ (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_redirection.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\kb968930xp.cat (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_automatic_variables.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\help.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_core_commands.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pssessions.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pwrshmsg.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\filesystem.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\compiledcomposition.microsoft.powershell.gpowershell.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pssession_details.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmres.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_while.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmpty.xsl (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_logical_operators.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.consolehost.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrshost.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pssnapins.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_format.ps1xml.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_job_details.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\system.management.automation.dll-help.xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\diagnostics.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_reserved_words.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.management.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_if.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershellcore.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_type_operators.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_line_editing.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_faq.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrs.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.interop.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_debuggers.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_output.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_eventlogs.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_providers.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_execution_policies.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_switch.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_preference_variables.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_foreach.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.consolehost.dll-help.xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_troubleshooting.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_jobs.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions_cmdletbindingattribute.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\windowspowershellhelp.chm (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.consolehost.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_language_keywords.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\bitstransfer.psd1 (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_methods.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmprovhost.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\certificate.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_for.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_history.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\importallmodules.psd1 (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_objects.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.diagnostics.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.security.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\windowsremoteshell.adm (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmsvc.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_parameters.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_environment_variables.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\update.ver (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrmprov.mof (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\spupdsvc.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.editor.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pwrshsip.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_operators.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_signing.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_join.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.utility.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\registry.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_windows_powershell_ise.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_commonparameters.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\spmsg.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_try_catch_finally.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_split.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.security.dll-help.xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\spuninst.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.management.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.editor.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\update.inf (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershelltrace.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_jobs.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsman.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell_ise.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_data_sections.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmanhttpconfig.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_hash_tables.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_variables.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.management.dll-help.xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrm.vbs (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.utility.dll-help.xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_wildcards.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_continue.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_comment_based_help.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\updspapi.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_transactions.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_quoting_rules.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_wmi_cmdlets.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.security.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell.exe.mui (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_locations.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\windowsremotemanagement.adm (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_profiles.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrm.ini (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_regular_expressions.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wevtfwd.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.diagnostics.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.management.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_do.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmtxt.xsl (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions_advanced.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pipelines.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrscmd.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\dotnettypes.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_scopes.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.management.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\bitstransfer.format.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pssetupnativeutils.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.management.dll-help.xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wtrinstaller.ico (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions_advanced_methods.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.graphicalhost.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_properties.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmwmipl.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmauto.mof (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmplpxy.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_command_precedence.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrsmgr.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_modules.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmauto.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_session_configurations.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_escape_characters.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_aliases.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_arithmetic_operators.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pspluginwkr.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrmprov.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrm.cmd (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\getevent.types.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_ref.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.graphicalhost.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\types.ps1xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.dll-help.xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_windows_powershell_2.0.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_comparison_operators.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\default.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_prompts.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_scripts.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_special_characters.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790 (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_ws-management_cmdlets.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.diagnostics.dll-help.xml (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_types.ps1xml.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\update.exe (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_throw.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_arrays.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_path_syntax.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrssrv.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_script_blocks.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell_ise.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_break.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pwrshplugin.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_return.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\eventforwarding.adm (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\spcustom.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_requirements.help.txt (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\system.management.automation.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\system.management.automation.resources.dll (0 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.runtime.dll (0 bytes)
The process ngen.exe:3920 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1106 bytes)
The process ngen.exe:3928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1428 bytes)
The process ngen.exe:3492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (772 bytes)
The process ngen.exe:3416 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1220 bytes)
The process ngen.exe:3556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (800 bytes)
The process ngen.exe:3456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1186 bytes)
The process ngen.exe:3380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (596 bytes)
The process ngen.exe:3516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (770 bytes)
The process ngen.exe:3572 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (474 bytes)
The process ngen.exe:3580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (826 bytes)
The process ngen.exe:3912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (784 bytes)
The process ngen.exe:3936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (746 bytes)
The process ngen.exe:3524 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1114 bytes)
The process ngen.exe:3404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (896 bytes)
The process ngen.exe:3880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1184 bytes)
The process ngen.exe:3508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1450 bytes)
The process ngen.exe:3464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (494 bytes)
The process ngen.exe:3448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (866 bytes)
The process ngen.exe:3564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1140 bytes)
The process ngen.exe:3500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1104 bytes)
The process ngen.exe:3548 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (468 bytes)
The process ngen.exe:3888 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (486 bytes)
The process ngen.exe:3424 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (554 bytes)
The process update.exe:352 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\SETBF.tmp (42 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%WinDir%\inf\oem10.PNF (10136 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%WinDir%\msmqinst.log (5468 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (7577 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\config (200 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (5372 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%WinDir%\SECD0.tmp (1897 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%WinDir%\imsins.log (3792 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1031 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%WinDir%\iis6.log (138839 bytes)
%WinDir%\comsetup.log (48640 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (246954 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%WinDir%\ntdtcsetup.log (22991 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%WinDir%\ocgen.log (71000 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)
The Trojan deletes the following file(s):
%System%\SETBF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (0 bytes)
%System%\SET12.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (0 bytes)
%WinDir%\_000003_.tmp.dll (0 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (0 bytes)
%System%\SETC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (0 bytes)
%System%\_000002_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (0 bytes)
%System%\wevtfwd.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (0 bytes)
%WinDir%\inf\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (0 bytes)
%System%\SET25.tmp (0 bytes)
%System%\SET13.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (0 bytes)
%System%\SET20.tmp (0 bytes)
%System%\SET14.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (0 bytes)
%WinDir%\inf\SET32.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (0 bytes)
%System%\SET7.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (0 bytes)
%System%\SET2A.tmp (0 bytes)
%WinDir%\inf\oem10.PNF (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (0 bytes)
%System%\WsmWmiPl.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (0 bytes)
%System%\GroupPolicy\Adm\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (0 bytes)
%System%\winrm\0409\winrm.ini (0 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (0 bytes)
%System%\winrscmd.dll (0 bytes)
%System%\SET2B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (0 bytes)
%System%\SET2E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (0 bytes)
%System%\wsmanhttpconfig.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (0 bytes)
%System%\winrm.cmd (0 bytes)
%System%\SETE.tmp (0 bytes)
%System%\winrm.vbs (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (0 bytes)
%System%\SET6.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (0 bytes)
%System%\wbem\SET4.tmp (0 bytes)
%System%\SET17.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (0 bytes)
%System%\SETA.tmp (0 bytes)
%System%\SET22.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (0 bytes)
%System%\SET27.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (0 bytes)
%System%\SET11.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (0 bytes)
%System%\WsmAuto.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (0 bytes)
%System%\SET8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (0 bytes)
%System%\SETF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (0 bytes)
%System%\wbem\wsmAuto.mof (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (0 bytes)
%System%\wsmplpxy.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (0 bytes)
%System%\SET26.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (0 bytes)
%System%\SET21.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (0 bytes)
%System%\SET16.tmp (0 bytes)
%System%\GroupPolicy\Adm\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (0 bytes)
%WinDir%\SECD0.tmp (0 bytes)
%System%\GroupPolicy\Adm\EventForwarding.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (0 bytes)
%System%\winrmprov.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (0 bytes)
%System%\wsmprovhost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (0 bytes)
%System%\winrmprov.mof (0 bytes)
%WinDir%\imsins.BAK (0 bytes)
%System%\SETB.tmp (0 bytes)
%System%\SET1F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (0 bytes)
%WinDir%\inf\oem10.inf (0 bytes)
%System%\SET28.tmp (0 bytes)
%System%\SET5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (0 bytes)
%System%\winrshost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (0 bytes)
%System%\SET31.tmp (0 bytes)
%WinDir%\inf\SET18.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\@.lnk (0 bytes)
%System%\WsmPty.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (0 bytes)
%System%\SET29.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (0 bytes)
%System%\WsmRes.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (0 bytes)
%WinDir%\Temp\UPD3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (0 bytes)
%System%\SET2C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (0 bytes)
%System%\SET15.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (0 bytes)
%System%\wbem\SET1E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (0 bytes)
%System%\SET2D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (0 bytes)
%System%\SET24.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (0 bytes)
%System%\winrssrv.dll (0 bytes)
%WinDir%\inf\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (0 bytes)
%System%\winrm\0409\SET1D.tmp (0 bytes)
%System%\SETD.tmp (0 bytes)
%System%\SET10.tmp (0 bytes)
%WinDir%\inf\SET19.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (0 bytes)
%System%\SET9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (0 bytes)
%System%\winrm\0409\SET37.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (0 bytes)
%System%\winrs.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (0 bytes)
%System%\SET2F.tmp (0 bytes)
%WinDir%\Help\SETC5.tmp (0 bytes)
%System%\WsmSvc.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (0 bytes)
%System%\winrsmgr.dll (0 bytes)
%System%\SET30.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (0 bytes)
%System%\SET23.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (0 bytes)
%System%\WsmTxt.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (0 bytes)
%WinDir%\inf\SET33.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (0 bytes)
The process PSCustomSetupUtil.exe:2596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\6PSVY158\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
The process PSCustomSetupUtil.exe:2848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\8TWZ259C\Microsoft.WSMan.Management.dll (9608 bytes)
The process PSCustomSetupUtil.exe:3804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\FX047ADG\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:2636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\0JMQTWZ2\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
The process PSCustomSetupUtil.exe:3140 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\6PTWZ259\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
The process PSCustomSetupUtil.exe:3000 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\O7ADGJMP\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:3064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\DX047ADG\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
The process PSCustomSetupUtil.exe:3040 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\DWZ259CF\Microsoft.PowerShell.Security.resources.dll (9 bytes)
The process PSCustomSetupUtil.exe:3652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\1MPSVY25\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
The process PSCustomSetupUtil.exe:2784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\M9DHKORV\Microsoft.WSMan.Runtime.dll (7 bytes)
The process PSCustomSetupUtil.exe:2744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\BVY158BE\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
The process PSCustomSetupUtil.exe:2872 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\1JMQTWZ2\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
The process PSCustomSetupUtil.exe:2912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\CVY158BE\System.Management.Automation.resources.dll (9320 bytes)
The process PSCustomSetupUtil.exe:3764 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\9SVY147A\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
The process PSCustomSetupUtil.exe:2720 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\6PTWZ269\Microsoft.PowerShell.Security.dll (2392 bytes)
The process PSCustomSetupUtil.exe:2936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\BUX037AD\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:3740 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\9RUX0369\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
The process PSCustomSetupUtil.exe:2976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\RADGJMPS\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:3704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\ZILPSVY1\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
The process PSCustomSetupUtil.exe:3680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\DWZ259CF\Microsoft.PowerShell.Editor.dll (32824 bytes)
The process PSCustomSetupUtil.exe:2572 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\I369DGJM\System.Management.Automation.dll (81046 bytes)
The process PSCustomSetupUtil.exe:3092 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\AUX147AD\Microsoft.WSMan.Management.resources.dll (13 bytes)
The process PSCustomSetupUtil.exe:2696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\6PSVY158\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
The process PSSetupNativeUtils.exe:4036 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
The process mscorsvw.exe:2920 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5f.dat (0 bytes)
The process mscorsvw.exe:3004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index60.dat (0 bytes)
The process mscorsvw.exe:2192 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5b.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp (0 bytes)
The process mscorsvw.exe:2800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5e.dat (0 bytes)
The process mscorsvw.exe:3128 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.WSMan.Management.dll (34061 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index61.dat (0 bytes)
The process mscorsvw.exe:2304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5c.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp (0 bytes)
The process mscorsvw.exe:3388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (83393 bytes)
The process mscorsvw.exe:1296 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index58.dat (0 bytes)
The process mscorsvw.exe:3528 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp\System.Management.Automation.dll (105990 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\index63.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp (0 bytes)
The process mscorsvw.exe:844 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index59.dat (0 bytes)
The process mscorsvw.exe:3220 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\index62.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp (0 bytes)
The process mscorsvw.exe:2068 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5a.dat (0 bytes)
The process mscorsvw.exe:2512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5d.dat (0 bytes)
Registry activity
The process mofcomp.exe:2548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 A0 FC E1 5F E8 C2 BB 3F B3 85 25 F9 A4 82 6F"
The process WindowsXP-KB968930-x86-ENG.exe:372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 38 94 C9 CA 01 6F E6 C1 5F 22 D0 66 04 03 C4"
The process ngen.exe:3920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 F8 A3 8B F0 F1 8D B7 93 33 45 E8 49 C2 DF 1F"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:3928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 CC 57 B7 07 0A DC 63 22 92 65 F3 F7 49 73 29"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:3492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 E3 43 8D 7E 85 18 F3 02 D2 F0 93 72 92 1F 5E"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"
The process ngen.exe:3416 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F DC B9 10 14 63 A8 8F ED 3E 44 B4 EF 22 9C 01"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:3556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 10 AA 68 C8 F6 7E 4A 96 EB A8 48 4C 14 BB AB"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
The process ngen.exe:3456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 08 2E 38 51 E7 3F E4 9D 83 C0 B0 7C 9A FA 05"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:3380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 10 D5 5C 7F 4A 00 95 C4 B3 82 AC 95 78 A9 98"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
The process ngen.exe:3516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 AF A4 5A 24 34 87 13 5E B4 A3 2F 9B DC 53 E1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:3572 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 8A 38 52 F9 1E 05 DC 74 3D 74 45 AA A1 55 6D"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:3580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 78 29 55 34 69 10 28 5F 41 FE 7F 6F D2 71 9B"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
The process ngen.exe:3912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 E9 07 2D 69 27 C6 F8 FB 40 DB A4 37 19 5D 5F"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
The process ngen.exe:3936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 3E A6 3F AB B7 3D 4A E4 9D 19 73 AD 79 6F D1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:3524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 3A 80 C7 23 91 CB 60 CD 17 43 78 02 34 75 04"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:3404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 9E 70 DE 6D 16 25 20 F4 55 4D 32 7F D8 1B BF"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
The process ngen.exe:3880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 DA 39 78 58 56 17 A2 74 BE D8 F4 18 4D 92 30"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"
The process ngen.exe:3508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 7B C7 E8 45 E3 04 2A F2 F5 A6 16 C1 C3 A6 6B"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:3464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 0B 23 31 98 78 04 2C C6 06 33 D3 47 4F D5 26"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"
The process ngen.exe:3448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 3D E5 03 BA 59 E5 52 10 C4 61 27 1D 73 C4 E6"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:3564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 83 5A 88 0F 93 F9 77 F5 FC C0 2F B3 47 61 22"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
The process ngen.exe:3500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 57 0C 4D 2F B9 E2 AA 02 66 3B DA 2A A9 E3 00"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
The process ngen.exe:3548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 00 EB 3F AD 16 D8 9D F9 89 12 13 1A BD 62 BB"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:3888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 15 F3 B5 F0 53 AA B0 10 03 67 CD 19 17 BA 18"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:3424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 21 2B CB BC AC AE 19 3E 47 74 A2 63 20 AE 1E"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
The process %original file name%.exe:1328 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 96 38 54 07 F7 6B 97 79 3E 2A DD C1 6F 91 F1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Control Panel\Desktop]
"Wallpaper" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
The process update.exe:352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Description" = "Windows Management Framework Core"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"StackVersion" = "2.0"
[HKCR\Microsoft.PowerShellModule.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"ControlFlags" = "1"
[HKCR\.psc1]
"(Default)" = "Microsoft.PowerShellConsole.1"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "IWSManHostEntrySink"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsGetSignature"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PSCompatibleVersion" = "1.0,2.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoModify" = "1"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"(Default)" = "Microsoft Windows WSMan Provider Host"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"TypesSupported" = "7"
[HKCR\Microsoft.PowerShellModule.1]
"EditFlags" = "131072"
[HKCR\WSMan.InternalAutomation\CurVer]
"(Default)" = "WSMan.InternalAutomation.1"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}]
"(Default)" = "IWSManResourceLocator"
[HKCR\.ps1xml]
"PerceivedType" = "Text"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}]
"(Default)" = "IWSManConnectionOptions"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryCount" = "8"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"LogLevel" = "536870912"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\Microsoft.PowerShellScript.1]
"EditFlags" = "131072"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WINRM" = "WINRM"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"file" = "%WinDir%\System32\config\WindowsPowerShell.evt"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\Microsoft.PowerShellScript.1\shell\Run with PowerShell\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -file %1"
[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"EventMessageFile" = "%systemroot%\system32\WsmRes.dll"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"ServerExecutable" = "%System%\wsmprovhost.exe"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PSModulePath" = "%System%\WindowsPowerShell\v1.0\Modules\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"CoInitializeSecurityParam" = "1"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path" = "%System%\WindowsPowerShell\v1.0\powershell.exe"
[HKCR\Microsoft.PowerShellConsole.1]
"FriendlyTypeName" = "Windows PowerShell Console File"
[HKCR\Microsoft.PowerShellModule.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"
[HKCR\WSMan.InternalAutomation]
"(Default)" = "WSMan InternalAutomation Class"
[HKCR\Microsoft.PowerShellData.1]
"FriendlyTypeName" = "Windows PowerShell Data File"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"(Default)" = "%System%\wsmprovhost.exe"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0]
"(Default)" = "Microsoft WSMAN Automation V1.0 Library"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"AuthenticationCapabilities" = "12320"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"Version" = "1.0"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"Retention" = "0"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"EventMessageFile" = "%SystemRoot%\System32\spmsg.dll"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "PSFactoryBuffer"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PublishingGroup" = "Management and Infrastructure Group"
[HKCR\Microsoft.PowerShellConsole.1\shell\open\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -p %1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700\iis]
"IISProgramGroup" = "Microsoft Internet Information Services"
"PathIISHelp" = "%WinDir%\Help\iishelp"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Retention" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsPutSignature"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"ParameterMessageFile" = "%systemroot%\system32\kernel32.dll"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\NumMethods]
"(Default)" = "6"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnService" = "RPCSS, HTTP, HTTPFilter"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700\iis]
"PathIISSamples" = "C:\Inetpub\iissamples"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"TypesSupported" = "7"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}]
"(Default)" = "IWSManEx"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"TSAware" = "1"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"(Default)" = "Microsoft Windows Remote Shell Host"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"UninstallCommand" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostModuleName" = "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"
[HKCR\WSMan.Automation\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"
[HKCR\WSMan.Automation.1\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"
[HKLM\System\CurrentControlSet\Services\WinRM]
"Type" = "32"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\VersionIndependentProgID]
"(Default)" = "WSMan.Automation"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DisplayName" = "Windows Remote Management (WS-Management)"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"BitNames" = " rsError rsWarning rsTrace rsNone"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\0\win32]
"(Default)" = "%System%\WsmAuto.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700\iis]
"PathScripts" = "C:\Inetpub\iissamples\Scripts"
[HKCR\Microsoft.PowerShellConsole.1]
"EditFlags" = "131072"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledDate" = "7/16/2015"
"ReleaseType" = "Software Update"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCR\WSMan.InternalAutomation.1\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"
[HKCR\WSMan.Automation\CurVer]
"(Default)" = "WSMan.Automation.1"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\ProgID]
"(Default)" = "WSMan.InternalAutomation.1"
[HKCR\.ps1xml]
"(Default)" = "Microsoft.PowerShellXmlData.1"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"Guid" = "24b9a175-8716-40e0-9b2b-785de75b1e67"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ImagePath" = "%WinDir%\System32\svchost.exe -k WinRM"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.PNF" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"MaxSize" = "15728640"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 8B 5E 40 24 8A 2D 1E F1 0C 44 C6 F4 78 B1 A7"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "PSFactoryBuffer"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "PSFactoryBuffer"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Sources" = "PowerShell"
[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"MaxSize" = "20971520"
[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"ServiceDll" = "%SystemRoot%\system32\WsmSvc.dll"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\1033]
"Install" = "1"
[HKCR\Microsoft.PowerShellScript.1\DefaultIcon]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe,1"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\VersionIndependentProgID]
"(Default)" = "WSMan.InternalAutomation"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700\iis]
"PathFTPRoot" = "C:\Inetpub\ftproot"
[HKCR\Microsoft.PowerShellData.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"
[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"seRVicemAIN" = "ServiceMain"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"TypesSupported" = "7"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledBy" = "%CurrentUserName%"
[HKCR\Microsoft.PowerShellData.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"AppID" = "{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerVersion" = "6.1.29.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayIcon" = "%System%\WindowsPowerShell\v1.0\WTRInstaller.ico"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700\iis]
"PathInetsrv" = "%System%\inetsrv"
[HKCR\.psc1]
"Content Type" = "application/PowerShell"
[HKCR\Microsoft.PowerShellXmlData.1]
"EditFlags" = "131072"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}]
"(Default)" = "WSMan InternalAutomation Class"
[HKCR\Microsoft.PowerShellData.1]
"EditFlags" = "131072"
[HKCR\Microsoft.PowerShellXmlData.1]
"FriendlyTypeName" = "Windows PowerShell XML Document"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ErrorControl" = "1"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700\iis]
"PathWWWRoot" = "C:\Inetpub\wwwroot"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ARPLink" = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}]
"(Default)" = "IWSManResourceLocatorInternal"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"AutoBackupLogFiles" = "0"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"
[HKCR\WSMan.InternalAutomation\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoRepair" = "1"
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}]
"(Default)" = "WinRM WMI Provider for User Profile"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"UninstallString" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\WSMan.Automation.1]
"(Default)" = "WSMan Automation Class"
[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"Install" = "1"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"RuntimeVersion" = "v2.0.50727"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}]
"(Default)" = "IWSManProvHost"
[HKCR\Microsoft.PowerShellModule.1]
"FriendlyTypeName" = "Windows PowerShell Script Module"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageVersion" = "1.0"
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"ServerExecutable" = "%System%\winrshost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayName" = "Windows Management Framework Core"
"InstallDate" = "20150716"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"Publisher" = "Microsoft Corporation"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"ReleaseType" = "Software Update"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\NumMethods]
"(Default)" = "4"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsDelSignature"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}]
"(Default)" = "IWSMan"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PowerShellVersion" = "2.0"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\ProgID]
"(Default)" = "WSMan.Automation.1"
[HKCR\Microsoft.PowerShellScript.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnGroup" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}]
"(Default)" = "WSMan Automation Class"
[HKCR\Microsoft.PowerShellScript.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "IHost"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Publisher" = "Microsoft Corporation"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"(Default)" = "%System%\wsmplpxy.dll"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ApplicationBase" = "%System%\WindowsPowerShell\v1.0"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerName" = "Update.exe"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"AppID" = "{3feb2f63-0eec-4b96-84ab-da1307e0117c}"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"(Default)" = "Microsoft Windows Remote Shell Host"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageName" = "Windows Management Framework Core"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\Microsoft.PowerShellScript.1]
"FriendlyTypeName" = "Windows PowerShell Script"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\WinRM]
"Description" = "Allows access to management information from local and remote machines."
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700\iis]
"PathIISAdmin" = "%System%\inetsrv\iisadmin"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}]
"(Default)" = "IWSManSession"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"HelpLink" = "http://go.microsoft.com/fwlink/?LinkID=163790"
[HKCR\WSMan.InternalAutomation.1]
"(Default)" = "WSMan Internal Class"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Type" = "Update"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\.psm1]
"(Default)" = "Microsoft.PowerShellModule.1"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\HELPDIR]
"(Default)" = "%System%"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsVerifyHash"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell]
"ConfigXML" = ""
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsCreateHash"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"
[HKCR\WSMan.Automation]
"(Default)" = "WSMan Automation Class"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"file" = "%systemroot%\system32\config\EventForwarding-Operational.Evt"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsIsMyFileType"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"URLInfoAbout" = "http://go.microsoft.com/fwlink/?LinkID=163792"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"RegistryLocation" = " HKLM,SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\NumMethods]
"(Default)" = "4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"TypesSupported" = "7"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700\iis]
"UpgradeType" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"SupportsCompatListeners" = "1"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "IShell"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"(Default)" = "%System%\winrmprov.dll"
[HKCR\.ps1]
"(Default)" = "Microsoft.PowerShellScript.1"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"Version" = "1.0"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ObjectName" = "NT AUTHORITY\NetworkService"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"(Default)" = "%System%\winrshost.exe"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"Active" = "1"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"(Default)" = "Microsoft Windows WSMan Provider Host"
[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"PID" = "89383-100-0001260-04309"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostAssemblyName" = "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
[HKCR\.psd1]
"(Default)" = "Microsoft.PowerShellData.1"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}]
"(Default)" = "IWSManEnumerator"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"ServicePackCachePath" = "c:\windows\ServicePackFiles\ServicePackCache"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"EventMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"Version" = "1.0"
The following service will be launched automatically at system boot up:
[HKLM\System\CurrentControlSet\Services\SENS]
"Start" = "2"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\160:105700\iis]
The process PSCustomSetupUtil.exe:3592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 B0 75 25 E4 0B 82 4F DA 44 46 50 B4 9B 2E E4"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark;%System%\WindowsPowerShell\v1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process PSCustomSetupUtil.exe:2596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 5A D0 19 CA 92 BC AF 3C DB 8B 7F FF 06 88 C0"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "188"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "E8 24 98 D5 1A C0 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "189"
"StoreChangeIDFor64BitProcesses" = "167"
"StoreChangeIDFor32BitProcesses" = "188"
The process PSCustomSetupUtil.exe:2848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 92 76 B0 46 E4 96 04 2E B8 DD 6D F7 0F F9 5B"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "C4 54 8B D6 1A C0 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "194"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "195"
"StoreChangeIDFor64BitProcesses" = "173"
"StoreChangeIDFor32BitProcesses" = "194"
The process PSCustomSetupUtil.exe:3804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC CE A1 7C F0 80 AB 99 76 E8 82 B5 49 44 1E E7"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "76 96 FC DA 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "210"
"StoreChangeIDFor64BitProcesses" = "188"
"StoreChangeIDFor32BitProcesses" = "209"
The process PSCustomSetupUtil.exe:2636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 69 2E 34 80 E5 D7 34 8F C5 49 6E 41 E6 23 AA"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "88 4A BE D5 1A C0 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "189"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "190"
"StoreChangeIDFor64BitProcesses" = "168"
"StoreChangeIDFor32BitProcesses" = "189"
The process PSCustomSetupUtil.exe:3140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 48 59 24 65 09 6D 06 22 0E B9 4D 82 31 5E DD"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "1E E4 BE D7 1A C0 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "203"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "204"
"StoreChangeIDFor64BitProcesses" = "182"
"StoreChangeIDFor32BitProcesses" = "203"
The process PSCustomSetupUtil.exe:3000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 E3 A7 B9 3C A1 02 24 BC 96 4E FE 0A 81 97 62"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "199"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "200"
"Microsoft.PowerShell.Commands.Utility.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "8A AE 47 D7 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "178"
"StoreChangeIDFor32BitProcesses" = "199"
The process PSCustomSetupUtil.exe:3064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF C0 AB F6 8B 9A A9 F2 EC 91 33 83 DB 03 1A 91"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "54 49 83 D7 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "201"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "202"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "180"
"StoreChangeIDFor32BitProcesses" = "201"
The process PSCustomSetupUtil.exe:3040 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 87 ED E7 C9 6A 89 91 FA CF F3 61 97 74 55 B3"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "C2 4A 64 D7 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "200"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "201"
"StoreChangeIDFor64BitProcesses" = "179"
"StoreChangeIDFor32BitProcesses" = "200"
The process PSCustomSetupUtil.exe:3652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 AF 15 2B B7 B8 C5 A7 49 A3 03 7D C0 D5 7C F3"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "E8 D8 5C DA 1A C0 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "204"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "205"
"StoreChangeIDFor64BitProcesses" = "183"
"StoreChangeIDFor32BitProcesses" = "204"
The process PSCustomSetupUtil.exe:2784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 36 F8 4F 08 40 84 19 4B C7 28 8C 8C 8E 0F A5"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "193"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "CA CC 62 D6 1A C0 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "194"
"StoreChangeIDFor64BitProcesses" = "172"
"StoreChangeIDFor32BitProcesses" = "193"
The process PSCustomSetupUtil.exe:2744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 25 A1 45 B0 ED 1A B0 CA 9F 87 63 77 9D 34 5B"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL" = "D0 44 3A D6 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "193"
"StoreChangeIDFor64BitProcesses" = "171"
"StoreChangeIDFor32BitProcesses" = "192"
The process PSCustomSetupUtil.exe:2872 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 7D 2A E6 06 54 8F 11 39 2C 11 16 C0 C9 10 10"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "18 3F B6 D6 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "195"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "196"
"StoreChangeIDFor64BitProcesses" = "174"
"StoreChangeIDFor32BitProcesses" = "195"
The process PSCustomSetupUtil.exe:2912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A A2 4E 3B 74 E6 1A FE CC B7 15 79 19 0A E5 53"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "196"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "197"
"System.Management.Automation.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "B8 64 DC D6 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "175"
"StoreChangeIDFor32BitProcesses" = "196"
The process PSCustomSetupUtil.exe:3764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 00 2F 3B 32 D6 54 69 3B 55 84 B5 DA 61 A4 37"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "208"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "209"
"Microsoft.PowerShell.Editor.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "3E FA DF DA 1A C0 D0 01"
"StoreChangeIDFor64BitProcesses" = "187"
"StoreChangeIDFor32BitProcesses" = "208"
The process PSCustomSetupUtil.exe:2720 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 D4 BC 65 9E 32 02 4D 82 78 B8 DD 5B D6 83 69"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL" = "D6 BC 11 D6 1A C0 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "191"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "192"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "170"
"StoreChangeIDFor32BitProcesses" = "191"
The process PSCustomSetupUtil.exe:2936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B A6 55 43 43 9E 56 69 1D ED 2E 32 B6 30 17 83"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "B2 EC 04 D7 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "197"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "198"
"StoreChangeIDFor64BitProcesses" = "176"
"StoreChangeIDFor32BitProcesses" = "197"
The process PSCustomSetupUtil.exe:3608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 68 BD 33 13 07 FF 68 61 64 D2 92 CD D9 96 80"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PATHEXT" = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process PSCustomSetupUtil.exe:3624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 19 F8 EB CF AA E1 9E B1 83 D7 E9 D9 0A 17 65"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process PSCustomSetupUtil.exe:3740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 71 E1 19 9C 7E F2 08 C2 EF 8E E5 BC C9 0C 2E"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "207"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "AC FB C0 DA 1A C0 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "208"
"StoreChangeIDFor64BitProcesses" = "186"
"StoreChangeIDFor32BitProcesses" = "207"
The process PSCustomSetupUtil.exe:2976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 68 BC A9 49 3E C6 0D F2 B4 B0 65 99 E3 38 BD"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "F8 AF 28 D7 1A C0 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "198"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "199"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "177"
"StoreChangeIDFor32BitProcesses" = "198"
The process PSCustomSetupUtil.exe:3704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 5E 52 34 D5 35 4E D5 9A 7F 30 E1 E8 4D 7B 92"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "206"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35,MSIL" = "1A FD A1 DA 1A C0 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "207"
"StoreChangeIDFor64BitProcesses" = "185"
"StoreChangeIDFor32BitProcesses" = "206"
The process PSCustomSetupUtil.exe:3680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 97 AC 33 A6 FE FA 4A 10 34 99 86 04 26 A0 05"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35,MSIL" = "2E 9C 80 DA 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "205"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "206"
"StoreChangeIDFor64BitProcesses" = "184"
"StoreChangeIDFor32BitProcesses" = "205"
The process PSCustomSetupUtil.exe:2572 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 62 AD 5D BF D8 A4 49 67 5E 6C 49 D6 DD EE 24"
[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL" = "EE 9C 6F D5 1A C0 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "187"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "188"
"StoreChangeIDFor64BitProcesses" = "166"
"StoreChangeIDFor32BitProcesses" = "187"
The process PSCustomSetupUtil.exe:3092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 E7 62 BF DA A0 16 F9 DD 8E 8D 08 3D 98 0F B1"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "8C E5 9F D7 1A C0 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "202"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "203"
"StoreChangeIDFor64BitProcesses" = "181"
"StoreChangeIDFor32BitProcesses" = "202"
The process PSCustomSetupUtil.exe:2696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 24 56 A8 31 CD 3D 40 45 83 35 47 F7 E2 86 A3"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "190"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL" = "DC 34 E9 D5 1A C0 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "191"
"StoreChangeIDFor64BitProcesses" = "169"
"StoreChangeIDFor32BitProcesses" = "190"
The process PSSetupNativeUtils.exe:4036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 1D 85 D1 7A 5E 9C 8D FB B6 B1 6B 24 77 87 E3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
The process mscorsvw.exe:2860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 DF 00 EF 74 70 6F 72 94 3B 73 32 D3 68 F5 5D"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F F9 95 D0 21 A6 F3 A5 C9 6A 38 A4 62 99 F9 0E"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\3fa824d2\11\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"MVID" = "EA F7 7E C3 AE 2E A1 73 83 BF A6 FB A9 3D 37 37"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 3B 60 C0 86 AB 92 41 53 B1 AB 6B 6E 0C 52 A6"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "97"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"SIG" = "7B 5D F0 E6 43 C6 6F 48 85 FF C5 61 E9 E4 D2 1B"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"LastModTime" = "E8 D8 5C DA 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
The process mscorsvw.exe:3004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"LastModTime" = "D6 BC 11 D6 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"MVID" = "AB 6E A2 EF 90 77 0C 78 07 DB 52 DB 59 B5 A1 32"
"Status" = "0"
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2995e574\9\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 A2 C2 BE C0 B2 3F DB 82 8C C8 B3 A8 20 BB 98"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "98"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"SIG" = "07 95 68 2E 6D 23 41 45 81 DB 7F 93 51 3C 97 66"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
The process mscorsvw.exe:2192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\27\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
"ConfigMask" = "4361"
"MVID" = "93 92 67 97 48 6D 4F 7A 9B 69 C5 87 5F F3 FC 30"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ConfigString" = "ZAP--0000-0000"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"LastModTime" = "DC 34 E9 D5 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\43970528\4b\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 25 29 5F 14 BD 15 B6 B5 7E 72 FF CD 96 51 A7"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"SIG" = "EF D0 54 19 D0 F5 86 44 A9 62 4E 86 6A 5F 6C 6E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "93"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
The process mscorsvw.exe:3168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 33 DC AB 4D 52 C9 97 D9 91 53 98 F4 13 F7 6A"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"SIG" = "B7 6F 43 3B 5E 11 DE 4E B3 DF 75 E5 9F 64 67 8F"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"LastModTime" = "1A FD A1 DA 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 F3 60 9A 31 70 31 3C 8C 8B 60 15 7C BB 8C 46"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"MVID" = "BE 89 7C E6 CB 7D 25 17 02 86 EA BC EA E9 F4 1E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "96"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
The process mscorsvw.exe:3304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 43 56 96 48 26 C8 2B 61 DF 98 A1 5E 70 A0 D6"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 64 01 00 98 0B B4 82 2A 68 DB 0A FA 61 15 28"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
The process mscorsvw.exe:3128 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"SIG" = "65 39 A0 50 E9 4F 14 4B 85 A8 07 D9 00 B9 C9 79"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"LastModTime" = "CA CC 62 D6 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"MVID" = "B1 10 6C EC A9 F5 C8 9E A5 7E 9E CD 46 C7 CF 57"
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB BD 31 BF AC 62 0D 40 1D EB 5E C1 4C 83 EF 93"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "99"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"LastModTime" = "C4 54 8B D6 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"SIG" = "EC D0 CD 16 68 09 9B 47 85 11 78 36 0F BB 3D 11"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
The process mscorsvw.exe:2988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 73 D5 C6 71 40 BF 6C 8E 45 81 31 66 DA 8F 96"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"
"Status" = "4098"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"SIG" = "3C 55 A6 91 EF 61 21 4C 93 C9 D8 16 A5 41 D7 5A"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigMask" = "4361"
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"MVID" = "DC 19 F5 0C 5E 84 E7 22 34 33 CC 70 9E 7E B4 3F"
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 73 D1 07 81 BF 91 D1 94 91 08 B6 F0 24 C8 99"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "94"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"LastModTime" = "E8 24 98 D5 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
The process mscorsvw.exe:3388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EC 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 E6 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 0A 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 02 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F2 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 08 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F0 00 00 00 53 00 79"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 93 5F C8 42 46 39 C8 C6 FF 44 61 C4 B8 92 41"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 1C 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
"ImageList" = "01 00 00 00 00 02 00 00 00 FC 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EE 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
The process mscorsvw.exe:2248 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 49 F0 D8 1F 3F EB 25 A3 D1 C5 6E 5D F9 85 99"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:1296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"LastModTime" = "18 3F B6 D6 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"SIG" = "5D B3 1D FA D7 A3 2D 4A 9D D3 B0 41 D1 BC 36 E6"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"LastModTime" = "EE 9C 6F D5 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MissingDependencies" = "Microsoft.BackgroundIntelligentTransfer.Management.Interop,6.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MVID" = "FD 3E DC DF A9 CE 60 AB AC 35 20 81 46 18 44 95"
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 48 19 E8 81 EF E5 4F 2D 4F 4F 92 C8 C2 CD EA"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "90"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"SIG" = "85 42 9C 0A C5 DF B1 48 A5 8E 44 2E FB 91 9D 84"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"Status" = "2"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index58]
The process mscorsvw.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 4D 70 67 CE 16 DE E6 EF FF 66 C0 BF 13 73 63"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 37 B9 24 7A B1 E2 80 08 69 15 5B 6D 9A AD 49"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3528 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ConfigMask" = "4361"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\3fa824d2\11\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index65]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"MVID" = "E2 17 82 39 6B BC 18 53 A8 67 A6 33 0D FD 66 7B"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\afa163\1f\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index65]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ILDependencies" = "57 8D AB 19 D0 02 1A 29 07 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD EC E9 EF 6C 9E 21 7B E1 57 76 16 55 7F 32 5D"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "101"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
The process mscorsvw.exe:1880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A DE 53 F6 5F 68 D1 63 0F FE 63 09 F2 D6 2F 89"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:1644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 02 BE 25 60 A1 86 A3 75 CD 40 9F D3 C3 88 17"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:844 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigMask" = "4361"
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"SIG" = "EC BB F6 79 DE 07 9A 4F A7 CE DF 48 D6 49 CE 93"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"LastModTime" = "D0 44 3A D6 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 75 7D B2 EE 09 15 8E 8D 48 E2 5D E8 53 F1 15"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "91"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"MVID" = "13 FC 3D AE F5 85 09 8F 11 91 1F 8F 72 AC 1C EA"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index59]
The process mscorsvw.exe:2336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 9C F0 04 E5 14 21 25 1A BA CE E4 01 79 70 5C"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 9D 5F B0 28 D9 54 B3 26 2C 47 FF 97 2C 49 3E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ILDependencies" = "44 18 F2 39 EC CB 26 0B 6F 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "100"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2644b2e9\635b32a7]
"66" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigString" = "ZAP--0000-0000"
"MVID" = "9D 8E 8F 7B 7A E9 50 D8 65 44 54 05 97 83 7B 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\2644b2e9\635b32a7]
"66" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"
"Status" = "0"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2644b2e9\635b32a7]
"66" = ""
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
The process mscorsvw.exe:2068 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"MVID" = "F0 07 EE 1B F5 48 BA 76 1B A6 16 F4 C3 5B 15 8E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\168b424e\2b\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigString" = "ZAP--0000-0000"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"SIG" = "1D 3D FC F9 F8 82 BC 47 B7 60 1D 39 80 29 76 15"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 B6 2F 6B EA 1A 01 D8 BD 0E E0 49 D4 14 9D F0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "92"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"LastModTime" = "88 4A BE D5 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
The process mscorsvw.exe:2512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\51be0150\645507bd\5d\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigMask" = "4361"
"MVID" = "72 A5 E7 88 C4 07 6B 67 EC 68 97 DA DB 9C 00 B6"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 23 5D E7 D9 78 4E 29 C7 8F 4B 19 B9 EA A1 0E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"LastModTime" = "2E 9C 80 DA 1A C0 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"SIG" = "EC 74 C4 48 ED 80 64 4D BD A4 D7 78 32 8C 96 D8"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "95"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
The process wsmanhttpconfig.exe:2512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 70 9D 09 19 92 89 6D D0 75 E5 C8 7D D9 52 78"
The process wsmanhttpconfig.exe:2452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 72 57 60 4A 4B 0D 4E B7 98 8A 54 C3 48 6E B0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Event Forwarding Plugin]
"ConfigXML" = ""
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :47001/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"https:// :5986/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"UpdatedConfig" = "6F4B2747-7DC1-415B-8DA2-29BD46A9802F"
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :5985/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider]
"ConfigXML" = ""
Dropped PE files
MD5 | File path |
---|---|
9859a26d5e72bbb0685af813b409d99d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe |
fc9a05096522bb6d7ceda62ea1707420 | c:\WINDOWS\$968930Uinstall_KB968930$\PSCustomSetupUtil.exe |
35efd8cd6549a4339cb2a28c8cfd6598 | c:\WINDOWS\$968930Uinstall_KB968930$\PSSetupNativeUtils.exe |
a39df582ca051afc8811fbd00db12f10 | c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\spuninst.exe |
9a055da2f2819f155c33d47cd67a7c00 | c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\updspapi.dll |
75c183e262bd4400eb0f20349f6ef383 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll |
2f7fe3a781ba8c0a67c775f20e3e9f70 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll |
4e2482e69baaf3a5b13db8101c063ebf | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.resources.dll |
08e87e8abf7b41b28663dce817ce0ab6 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll |
b87e087fc013225e2aa1cb60c080647d | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.resources.dll |
f3ac3f844f90380aab2b4c0836c4288f | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll |
1ce73fb3f88c716cfc3fd550547d2b35 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.resources.dll |
dfeb401cc051e5da721c584ff6a90f88 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll |
36ff641f37918f2cca98e7f407ac4d75 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.resources.dll |
3991b7fa452a9c9c291c06365a236792 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll |
37bed865557084dd9988350ab1675e0b | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Editor.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Editor.resources.dll |
208fa9d0ebe2ceb9616042772e96598e | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Editor\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Editor.dll |
108500a98b9a2f66823e7615398fc87b | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.resources.dll |
d4eefccdc3de6ced901535fa4153c491 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.dll |
5a69fb5d686f863e0e13268d671ef16d | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.resources.dll |
3eab4dbdc290edc4d53fe77f1fdb9e59 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.dll |
c7a0d1321a67a2afd330c5fbe79befd1 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Security.resources.dll |
53a9d748ef09920a0d06da2583c298ad | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll |
6372ea7d2aced7185183cf3fcdd3577b | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.WSMan.Management.resources.dll |
1a4e900c2fe3cd31d10107670d184fe6 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll |
f7da27672d2e4c21a1f996ee31de0dbf | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll |
2286b57ecc2d32d24049c51989084268 | c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation.resources\1.0.0.0_en_31bf3856ad364e35\System.Management.Automation.resources.dll |
4d8ab4fad244f7985d8c59d456e026d7 | c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll |
930cdc3163f4d4a6bd52f96896e9fa44 | c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Backgroun#\fd3edcdfa9ce60abac35208146184495\Microsoft.BackgroundIntelligentTransfer.Management.ni.dll |
e27a37cfbcff4c9941e73c9a3e762d0c | c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\13fc3daef585098f11911f8f72ac1cea\Microsoft.PowerShell.Commands.Diagnostics.ni.dll |
8afa150131c5cba4b312493db94d30fb | c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\72a5e788c4076b67ec6897dadb9c00b6\Microsoft.PowerShell.Editor.ni.dll |
8984e670f9760c504c5fca8370ad99d3 | c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\93926797486d4f7a9b69c5875ff3fc30\Microsoft.PowerShell.Commands.Utility.ni.dll |
fecd06a285a93f004a1a4a1a629f55b7 | c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\ab6ea2ef90770c7807db52db59b5a132\Microsoft.PowerShell.Security.ni.dll |
41980649706941d2ff841871435068b5 | c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\be897ce6cb7d25170286eabceae9f41e\Microsoft.PowerShell.GPowerShell.ni.dll |
fe8b145b025e02fb4e23381a2e189d0a | c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\dc19f50c5e84e7223433cc709e7eb43f\Microsoft.PowerShell.ConsoleHost.ni.dll |
1915d832be5b46ff2a888a9a6689e281 | c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\eaf77ec3ae2ea17383bfa6fba93d3737\Microsoft.PowerShell.GraphicalHost.ni.dll |
6756eea89ecbaa301b79e4d01f381cd1 | c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f007ee1bf548ba761ba616f4c35b158e\Microsoft.PowerShell.Commands.Management.ni.dll |
aae309ef03acc9d2e5c3546abcabedec | c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\b1106ceca9f5c89ea57e9ecd46c7cf57\Microsoft.WSMan.Management.ni.dll |
b582a633fcce28c0fc795810d4ca48f9 | c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\9d8e8f7b7ae950d86544540597837b01\Microsoft.WSMan.Runtime.ni.dll |
85d7ab466d0577c49fc9879107ec7ef5 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll |
173d3dd1425a8e33fa1d4ed71067a3a2 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\microsoft.backgroundintelligenttransfer.management.interop.dll |
df4217ddb34a0b73dc7aac7829371c0c | c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe |
fe7bc06af17d7cd8fb8e6d72d72453b8 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe.mui |
36b6f71b6d7d280302b348145db05a9f | c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.exe |
cb3a534127f37d0fa1f556dbb76575d3 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.resources.dll |
95b7f12a557dedac5e4a1e9afa5e73ab | c:\WINDOWS\system32\WindowsPowerShell\v1.0\pspluginwkr.dll |
a94243b797377ba03b63fc716c13bcf5 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshmsg.dll |
7943a80f1a6fd37969aacd411b511f91 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshsip.dll |
2c9c9ae86eb2b4e78c8e09deb7509a63 | c:\WINDOWS\system32\WsmAuto.dll |
67146d3606be1111a39f0fd61f47e9b6 | c:\WINDOWS\system32\WsmRes.dll |
18f347402da544a780949b8fdf83351b | c:\WINDOWS\system32\WsmSvc.dll |
296e6992278fea7140d88b603e6c2a8a | c:\WINDOWS\system32\WsmWmiPl.dll |
8c386819bf5b39d7a4b274d0b55f87a5 | c:\WINDOWS\system32\pwrshplugin.dll |
84e025b1259c66315f4d45a6caecacc9 | c:\WINDOWS\system32\wevtfwd.dll |
cd17705af8e53a82facb545a213ab09c | c:\WINDOWS\system32\winrmprov.dll |
afdf7654880ce23005014895b129d948 | c:\WINDOWS\system32\winrs.exe |
3e9b11880ae4a8ff399ce0573c82655b | c:\WINDOWS\system32\winrscmd.dll |
62021e3e6ba13d72cf5cc1047cfac991 | c:\WINDOWS\system32\winrshost.exe |
b84092e52861a026fc83bcede4a7abfa | c:\WINDOWS\system32\winrsmgr.dll |
35bc7c49676e5ab617ef94dc9854a6f1 | c:\WINDOWS\system32\winrssrv.dll |
972916faac89c4aa978952b30f478e81 | c:\WINDOWS\system32\wsmanhttpconfig.exe |
23ce21efc2ae95700f2b1f9582fe3867 | c:\WINDOWS\system32\wsmplpxy.dll |
faa2fcc6853e5123e05dccc5919657e2 | c:\WINDOWS\system32\wsmprovhost.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
mofcomp.exe:2548
WindowsXP-KB968930-x86-ENG.exe:372
ngen.exe:3920
ngen.exe:3928
ngen.exe:3492
ngen.exe:3416
ngen.exe:3556
ngen.exe:3456
ngen.exe:3380
ngen.exe:3516
ngen.exe:3572
ngen.exe:3580
ngen.exe:3912
ngen.exe:3936
ngen.exe:3524
ngen.exe:3404
ngen.exe:3880
ngen.exe:3508
ngen.exe:3464
ngen.exe:3448
ngen.exe:3564
ngen.exe:3500
ngen.exe:3548
ngen.exe:3888
ngen.exe:3424
%original file name%.exe:1328
update.exe:352
PSCustomSetupUtil.exe:3592
PSCustomSetupUtil.exe:2596
PSCustomSetupUtil.exe:2848
PSCustomSetupUtil.exe:3804
PSCustomSetupUtil.exe:2636
PSCustomSetupUtil.exe:3140
PSCustomSetupUtil.exe:3000
PSCustomSetupUtil.exe:3064
PSCustomSetupUtil.exe:3040
PSCustomSetupUtil.exe:3652
PSCustomSetupUtil.exe:2784
PSCustomSetupUtil.exe:2744
PSCustomSetupUtil.exe:2872
PSCustomSetupUtil.exe:2912
PSCustomSetupUtil.exe:3764
PSCustomSetupUtil.exe:2720
PSCustomSetupUtil.exe:2936
PSCustomSetupUtil.exe:3608
PSCustomSetupUtil.exe:3624
PSCustomSetupUtil.exe:3740
PSCustomSetupUtil.exe:2976
PSCustomSetupUtil.exe:3704
PSCustomSetupUtil.exe:3680
PSCustomSetupUtil.exe:2572
PSCustomSetupUtil.exe:3092
PSCustomSetupUtil.exe:2696
PSSetupNativeUtils.exe:4036
mscorsvw.exe:2860
mscorsvw.exe:2732
mscorsvw.exe:2920
mscorsvw.exe:3004
mscorsvw.exe:2192
mscorsvw.exe:3168
mscorsvw.exe:2800
mscorsvw.exe:3304
mscorsvw.exe:2136
mscorsvw.exe:3128
mscorsvw.exe:2988
mscorsvw.exe:2304
mscorsvw.exe:3388
mscorsvw.exe:2248
mscorsvw.exe:1296
mscorsvw.exe:588
mscorsvw.exe:3072
mscorsvw.exe:3528
mscorsvw.exe:1880
mscorsvw.exe:1644
mscorsvw.exe:844
mscorsvw.exe:2336
mscorsvw.exe:3220
mscorsvw.exe:2068
mscorsvw.exe:2512
wsmanhttpconfig.exe:2512
wsmanhttpconfig.exe:2452 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pscustomsetuputil.exe (316 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_trap.help.txt (10 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_script_internationalization.help.txt (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\profile.ps1 (772 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_parsing.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_scopes.help.txt (76 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions_advanced_parameters.help.txt (962 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\system.management.automation.dll-help.xml (16567 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_requires.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.editor.dll (14450 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_bits_cmdlets.help.txt (7 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell_ise.exe (2526 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\kb968930xp.cat (512 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_automatic_variables.help.txt (14 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\help.format.ps1xml (3947 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_hash_tables.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_output.help.txt (887 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pssetupnativeutils.exe (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pwrshmsg.dll (4 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\$shtdwn$.req (788 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pssession_details.help.txt (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmres.dll (6164 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_while.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmpty.xsl (1 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.consolehost.dll (3118 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrshost.exe (22 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pssnapins.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_format.ps1xml.help.txt (17 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_job_details.help.txt (824 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrmprov.mof (789 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\diagnostics.format.ps1xml (590 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_if.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershellcore.format.ps1xml (1492 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_type_operators.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_line_editing.help.txt (1 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_faq.help.txt (775 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrs.exe (1154 bytes)
C:\$Directory (800 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_debuggers.help.txt (21 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmanhttpconfig.exe (3009 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_eventlogs.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_providers.help.txt (59 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\eula.txt (586 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_windows_powershell_2.0.help.txt (453 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\bitstransfer.format.ps1xml (16 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_switch.help.txt (489 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_preference_variables.help.txt (37 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_foreach.help.txt (10 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_aliases.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_arithmetic_operators.help.txt (168 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\windowspowershellhelp.chm (26041 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_redirection.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_arrays.help.txt (8 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_parameters.help.txt (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\bitstransfer.psd1 (950 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_methods.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmprovhost.exe (657 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote.help.txt (7 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\certificate.format.ps1xml (155 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_for.help.txt (146 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_history.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\importallmodules.psd1 (438 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_objects.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.security.resources.dll (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\windowsremoteshell.adm (12 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmsvc.dll (15909 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions.help.txt (586 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_ws-management_cmdlets.help.txt (405 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\update.ver (14 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrmprov.dll (591 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\spupdsvc.exe (287 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_assignment_operators.help.txt (379 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pwrshsip.dll (24 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsman.format.ps1xml (837 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_signing.help.txt (12 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_join.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\registry.format.ps1xml (20 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\update.exe (10748 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmauto.mof (4 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\spmsg.dll (495 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_try_catch_finally.help.txt (7 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_split.help.txt (10 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\spuninst.exe (3787 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.editor.resources.dll (562 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\update.inf (2457 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershelltrace.format.ps1xml (344 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_jobs.help.txt (12 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.runtime.dll (33 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_data_sections.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell.exe (7339 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_core_commands.help.txt (221 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_prompts.help.txt (7 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_variables.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_reserved_words.help.txt (1 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrm.vbs (2727 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_wildcards.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_continue.help.txt (1 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_locations.help.txt (794 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\updspapi.dll (5940 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_transactions.help.txt (1011 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_quoting_rules.help.txt (659 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_wmi_cmdlets.help.txt (8 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell.exe.mui (10 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_comment_based_help.help.txt (595 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\windowsremotemanagement.adm (574 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_profiles.help.txt (457 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrm.ini (1956 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_regular_expressions.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wevtfwd.dll (3351 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.management.dll (5010 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_do.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmtxt.xsl (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions_advanced.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\powershell_ise.resources.dll (4 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrscmd.dll (2907 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\dotnettypes.format.ps1xml (266 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_command_syntax.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_break.help.txt (792 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_execution_policies.help.txt (13 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pssessions.help.txt (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wtrinstaller.ico (4803 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_functions_advanced_methods.help.txt (9 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_properties.help.txt (7 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_commonparameters.help.txt (12 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmplpxy.dll (603 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_command_precedence.help.txt (8 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrsmgr.dll (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_modules.help.txt (13 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmauto.dll (1842 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_session_configurations.help.txt (276 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_escape_characters.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_troubleshooting.help.txt (146 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_jobs.help.txt (13 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pspluginwkr.dll (1756 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrm.cmd (35 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\getevent.types.ps1xml (15 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_ref.help.txt (1 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\types.ps1xml (2510 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\filesystem.format.ps1xml (133 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\wsmwmipl.dll (2816 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_comparison_operators.help.txt (11 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\default.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_logical_operators.help.txt (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_scripts.help.txt (12 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_special_characters.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_environment_variables.help.txt (417 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_operators.help.txt (770 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_types.ps1xml.help.txt (481 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_windows_powershell_ise.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_throw.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_language_keywords.help.txt (11 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_path_syntax.help.txt (5 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\winrssrv.dll (12 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_script_blocks.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_pipelines.help.txt (411 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\microsoft.wsman.management.resources.dll (13 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\pwrshplugin.dll (802 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_return.help.txt (3 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\eventforwarding.adm (2 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\update\spcustom.dll (23 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\about_remote_requirements.help.txt (6 bytes)
C:\f6ff9a417a3a9051be1120c02a4790\system.management.automation.resources.dll (3153 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1106 bytes)
%System%\SETBF.tmp (42 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%WinDir%\inf\oem10.PNF (10136 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%WinDir%\msmqinst.log (5468 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (7577 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (5372 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%WinDir%\SECD0.tmp (1897 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%WinDir%\imsins.log (3792 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1031 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%WinDir%\iis6.log (138839 bytes)
%WinDir%\comsetup.log (48640 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (246954 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%WinDir%\ntdtcsetup.log (22991 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%WinDir%\ocgen.log (71000 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)
%WinDir%\assembly\tmp\6PSVY158\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
%WinDir%\assembly\tmp\8TWZ259C\Microsoft.WSMan.Management.dll (9608 bytes)
%WinDir%\assembly\tmp\FX047ADG\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\0JMQTWZ2\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
%WinDir%\assembly\tmp\6PTWZ259\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
%WinDir%\assembly\tmp\O7ADGJMP\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\DX047ADG\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
%WinDir%\assembly\tmp\DWZ259CF\Microsoft.PowerShell.Security.resources.dll (9 bytes)
%WinDir%\assembly\tmp\1MPSVY25\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
%WinDir%\assembly\tmp\M9DHKORV\Microsoft.WSMan.Runtime.dll (7 bytes)
%WinDir%\assembly\tmp\BVY158BE\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
%WinDir%\assembly\tmp\1JMQTWZ2\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
%WinDir%\assembly\tmp\CVY158BE\System.Management.Automation.resources.dll (9320 bytes)
%WinDir%\assembly\tmp\9SVY147A\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
%WinDir%\assembly\tmp\6PTWZ269\Microsoft.PowerShell.Security.dll (2392 bytes)
%WinDir%\assembly\tmp\BUX037AD\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\9RUX0369\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
%WinDir%\assembly\tmp\RADGJMPS\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\ZILPSVY1\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
%WinDir%\assembly\tmp\DWZ259CF\Microsoft.PowerShell.Editor.dll (32824 bytes)
%WinDir%\assembly\tmp\I369DGJM\System.Management.Automation.dll (81046 bytes)
%WinDir%\assembly\tmp\AUX147AD\Microsoft.WSMan.Management.resources.dll (13 bytes)
%WinDir%\assembly\tmp\6PSVY158\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.WSMan.Management.dll (34061 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (83393 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp\System.Management.Automation.dll (105990 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 131915 | 132096 | 4.37245 | 1b2a4b775f40f8e75a7bc64f7a753e96 |
.rdata | 139264 | 44756 | 45056 | 3.82086 | b5fea3dacc733dda76f873b3a5a04b8a |
.data | 184320 | 135852 | 128000 | 5.32297 | 29f2aff19280bf42b0e6297b44915842 |
.bss | 323584 | 3948 | 4096 | 4.70969 | c4c9118108c3645b4a2598e3fc254d75 |
.relog | 327680 | 144890 | 144896 | 4.61174 | 4fd90e141d7a5953198cd1d9039f7cc6 |
.rsrc | 475136 | 79680 | 79872 | 3.85846 | fd8e3f3353bcae195fedf101437f5499 |
.reloc | 557056 | 13220 | 13312 | 2.97835 | 79a37ecdc37758d5cf941d375b38ae00 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://microsoft.com/ | 134.170.188.221 |
hxxp://e10088.dspb.akamaiedge.net/ | |
hxxp://e10088.dspb.akamaiedge.net/uk-ua/ | |
hxxp://a767.dscms.akamai.net/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe | |
hxxp://www.microsoft.com/ | 23.64.223.148 |
hxxp://www.microsoft.com/uk-ua/ | 23.64.223.148 |
hxxp://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe | 194.146.191.114 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: microsoft.com
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.microsoft.com/
Server: Microsoft-IIS/8.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Thu, 16 Jul 2015 22:57:20 GMT
Connection: close
Content-Length: 148
<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://VVV.microsoft.com/">here</a></body>..
GET /download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download.microsoft.com
Cache-Control: no-cache
Cookie: MS-CV=ncbwnWcAzkSloIoM.1
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 09 Oct 2009 23:52:17 GMT
Accept-Ranges: bytes
ETag: "6d3979883b49ca1:0"
Server: Microsoft-IIS/8.5
Content-Disposition: attachment
Content-Length: 6156064
Date: Thu, 16 Jul 2015 22:57:24 GMT
Connection: close
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ................................^.......... ......................................x.............]. ........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc...x........H].................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................l...V...:..."...............................|...................................(...r...d...T.......*...........P...j...................<...................\.......................................>...L...^...n...........................................2...L.......h...p.......................................(...>...L...`...v...................................N...>...,...................d...........................................................z...,...<...J...\...|.......N...Z...d...n...@....
<<< skipped >>>
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Cache-Control: no-cache
Host: VVV.microsoft.com
HTTP/1.1 302 Moved Temporarily
Server: AkamaiGHost
Content-Length: 0
Location: hXXp://VVV.microsoft.com/uk-ua/
Date: Thu, 16 Jul 2015 22:57:21 GMT
Connection: keep-alive
X-CCC: PL
X-CID: 2
....
GET /uk-ua/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Cache-Control: no-cache
Host: VVV.microsoft.com
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Server: Microsoft-IIS/8.0
CorrelationVector: ncbwnWcAzkSloIoM.1.2
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Credentials: true
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Content-Length: 233993
Date: Thu, 16 Jul 2015 22:57:22 GMT
Connection: keep-alive
Set-Cookie: MS-CV=ncbwnWcAzkSloIoM.1; domain=.microsoft.com; expires=Fri, 17-Jul-2015 22:57:21 GMT; path=/
X-CCC: PL
X-CID: 2
...<!DOCTYPE html ><html xmlns:mscom="hXXp://schemas.microsoft.com/CMSvNext" xmlns:md="hXXp://schemas.microsoft.com/mscom-data" lang="uk" xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><link rel="shortcut icon" href="//VVV.microsoft.com/favicon.ico?v2" /><script type="text/javascript" src="hXXp://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js"> .. // Third party scripts and code linked to or referenced from this website are licensed to you by the parties that own such code, not by Microsoft. See ASP.NET Ajax CDN Terms of Use - hXXp://VVV.asp.net/ajaxlibrary/CDN.ashx... </script><script type="text/javascript" language="javascript">/*<![CDATA[*/if($(document).bind("mobileinit",function(){$.mobile.autoInitializePage=!1}),navigator.userAgent.match(/IEMobile\/10\.0/)){var msViewportStyle=document.createElement("style");msViewportStyle.appendChild(document.createTextNode("@-ms-viewport{width:auto!important}")),document.getElementsByTagName("head")[0].appendChild(msViewportStyle)}/*]]>*/</script><script type="text/javascript" src="hXXp://ajax.aspnetcdn.com/ajax/jquery.mobile/1.3.2/jquery.mobile-1.3.2.min.js"></script><script type="text/javascript" src="hXXp://i.s-microsoft.com/library/svy/broker.js"></script><title>Microsoft..... ................ .......
<<< skipped >>>
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
svchost.exe_1392:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
PSAPI.dll
HTTP/1.1
HTTP/1.1
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
psapi.dll
psapi.dll
"svchost.exe"
"svchost.exe"
svchost.exe
svchost.exe
ole32.dll
ole32.dll
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
hXXp://
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
GetCPInfo
GetCPInfo
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
atl.dll
atl.dll
wsock32.dll
wsock32.dll
winmm.dll
winmm.dll
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
?"?&?*?.?
?"?&?*?.?
6!6&696>6|6
6!6&696>6|6
9!:':-:6:
9!:':-:6:
:&;-;7;_;
:&;-;7;_;
5(6-6;6|6
5(6-6;6|6
7)7=7[7}7
7)7=7[7}7
>#>(>9>_>
>#>(>9>_>
?,?1?[?`?
?,?1?[?`?
5]5S5c5k5q5
5]5S5c5k5q5
:!:?:]:{:
:!:?:]:{:
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
External exception %x
Interface not supported
Interface not supported
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
Invalid variant operation"Variant method calls not supported
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
c:\%original file name%.exe path>path inj_ffile>inj_ffile
c:\%original file name%.exe path>path inj_ffile>inj_ffile
svchost.exe_1392_rwx_00080000_000BE000:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
PSAPI.dll
HTTP/1.1
HTTP/1.1
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
psapi.dll
psapi.dll
"svchost.exe"
"svchost.exe"
svchost.exe
svchost.exe
ole32.dll
ole32.dll
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
hXXp://
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
GetCPInfo
GetCPInfo
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
atl.dll
atl.dll
wsock32.dll
wsock32.dll
winmm.dll
winmm.dll
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
?"?&?*?.?
?"?&?*?.?
6!6&696>6|6
6!6&696>6|6
9!:':-:6:
9!:':-:6:
:&;-;7;_;
:&;-;7;_;
5(6-6;6|6
5(6-6;6|6
7)7=7[7}7
7)7=7[7}7
>#>(>9>_>
>#>(>9>_>
?,?1?[?`?
?,?1?[?`?
5]5S5c5k5q5
5]5S5c5k5q5
:!:?:]:{:
:!:?:]:{:
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
External exception %x
Interface not supported
Interface not supported
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
Invalid variant operation"Variant method calls not supported
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
c:\%original file name%.exe path>path inj_ffile>inj_ffile
c:\%original file name%.exe path>path inj_ffile>inj_ffile
svchost.exe_1392_rwx_01000000_00006000:
.text
.text
`.data
`.data
.rsrc
.rsrc
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
RPCRT4.dll
RPCRT4.dll
NETAPI32.dll
NETAPI32.dll
ole32.dll
ole32.dll
ntdll.dll
ntdll.dll
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
GetProcessHeap
GetProcessHeap
NtOpenKey
NtOpenKey
svchost.pdb
svchost.pdb
\PIPE\
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
svchost.exe
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
svchost.exe_592:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
PSAPI.dll
HTTP/1.1
HTTP/1.1
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
psapi.dll
psapi.dll
"svchost.exe"
"svchost.exe"
svchost.exe
svchost.exe
ole32.dll
ole32.dll
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
hXXp://
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
GetCPInfo
GetCPInfo
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
atl.dll
atl.dll
wsock32.dll
wsock32.dll
winmm.dll
winmm.dll
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
?"?&?*?.?
?"?&?*?.?
6!6&696>6|6
6!6&696>6|6
9!:':-:6:
9!:':-:6:
:&;-;7;_;
:&;-;7;_;
5(6-6;6|6
5(6-6;6|6
7)7=7[7}7
7)7=7[7}7
>#>(>9>_>
>#>(>9>_>
?,?1?[?`?
?,?1?[?`?
5]5S5c5k5q5
5]5S5c5k5q5
:!:?:]:{:
:!:?:]:{:
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD2
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD2
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
External exception %x
Interface not supported
Interface not supported
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
Invalid variant operation"Variant method calls not supported
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
svchost.exe_592_rwx_00080000_000BE000:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
PSAPI.dll
HTTP/1.1
HTTP/1.1
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
psapi.dll
psapi.dll
"svchost.exe"
"svchost.exe"
svchost.exe
svchost.exe
ole32.dll
ole32.dll
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
hXXp://
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
GetCPInfo
GetCPInfo
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
atl.dll
atl.dll
wsock32.dll
wsock32.dll
winmm.dll
winmm.dll
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
?"?&?*?.?
?"?&?*?.?
6!6&696>6|6
6!6&696>6|6
9!:':-:6:
9!:':-:6:
:&;-;7;_;
:&;-;7;_;
5(6-6;6|6
5(6-6;6|6
7)7=7[7}7
7)7=7[7}7
>#>(>9>_>
>#>(>9>_>
?,?1?[?`?
?,?1?[?`?
5]5S5c5k5q5
5]5S5c5k5q5
:!:?:]:{:
:!:?:]:{:
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD2
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh 1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD2
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
External exception %x
Interface not supported
Interface not supported
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
Invalid variant operation"Variant method calls not supported
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
svchost.exe_592_rwx_01000000_00006000:
.text
.text
`.data
`.data
.rsrc
.rsrc
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
RPCRT4.dll
RPCRT4.dll
NETAPI32.dll
NETAPI32.dll
ole32.dll
ole32.dll
ntdll.dll
ntdll.dll
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
GetProcessHeap
GetProcessHeap
NtOpenKey
NtOpenKey
svchost.pdb
svchost.pdb
\PIPE\
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
svchost.exe
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512